How to add members to the built-in Administrators group, using Azure AD Security groups and PowerShell.
In this article, I will explain how, one could attempt to manage the built-in administrators group, on an Azure AD Joined Windows 10 device, using an AAD Security Group.
Since the local Administrators group, does not support the addition of AAD born security groups, We will be using Intune, PowerShell, GraphAPI and Azure AD to accomplish this.
With these tools come great power, and even though this is a simplified use case, I will give some examples on more advanced use cases, at the end of the article.
The motivation for this article, has come from user voice, and a lot of people emailing me, asking for this. (Thank you! you are welcome guys/gals).
And remember: “Community work is not just for delinquents.” 😉
If you wish to read the official guidelines on How to manage the local administrators group on Azure AD joined devices, it can be found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Now, lets just quickly talk about what’s needed here, and then I will give you the script.. don’t TL;DR; me on this one…
If you got all of that stuff under control, then by all means, go ahead and deploy the script with Windows Intune – assigning it to the devices you wish to use it on.
Otherwise, read on after the script link, on how to actually deploy it (The links above, can be used to jump to the different tasks you need to perform).
Oh and, you might want to save it to a file now, so you you have it handy, once we get to the upload part. 🙂
aad_controlled_localadmins.ps1 on GitHub
First we need to create a security group in Azure AD, that contains the users that we want added to the built-in Administrators group, on the devices we assign it to.
If you don’t know how the basics of getting API access, via an app registration in Azure AD, then it’s about time bro!
Lets get to it!
(Don’t worry, we are doing the simplest form of app registration – Easy Peasy, Kanye is Jeezy.)
Go to your Azure Active Directory blade, in the Azure Portal, and click on “App Registrations” -> “New application registration”.
Now in the “Create” blade, fill in like this:
(The URL is just a placebo, as we won’t be using it, but is required to be filled).
…and click on the blue “Create” button, at the bottom of the blade.
On the next blade that appears, you will immediately be presented with one of the things we need, namely the “Application ID”, copy that sucker and paste it into the CONFIG section of the PowerShell script.
Now click the blue “Settings” gear icon.
Next we create a key to give our script access.
Click on “Keys“
Enter a description (important if you decide to change keys because it might have been compromised, so keep track of these!).
Choose and expiration date for the key (I choose never, so I don’t have to deal with any s**t in a few years, lol).
Notice that the key will only be shown upon saving – so click on “save” and copy paste the key into the CONFIG section of the script.
Now we need to assign the appropriate permission in Azure AD for the script…
Close the “Keys” blade, so you are back at the “Settings” blade.
Click on “Required Permissions”.
Take a close look – a lot is going on here:
So first, we double click on “Windows Azure Active Directory”, which opens up the “Enable Access” blade.
Here we deselect any defaults, and just tick the box next to “Read Directory Data”, and click on “Save”.
After that ordeal, we click on “Grant permissions”, and accept that we are now granting the app full permission to access the data we are requesting.
Now you can close all the blades – this part is d o n e !
#phew
This might be the easiest thing in the world for some people, but here is how to find your tenant ID in Azure Active Directory.
Go to your Azure Active Directory portal – Open up the Azure Active Directory service from the lefthand menu – click “Properties”, and there you have it… Ready to be copied into the CONFIG section of the script.
Yup! That’s all there is to it.
Now on to the final part!
While signed-in to the Azure portal as your tenant, open “Intune”.
From the Intune portal, go to “Device Configuration” -> “PowerShell scripts” and click the blue “+ Add” button, to add the script.
Now fill in a Name and Description, and select the script file to be uploaded.
Afterwards go directly to the blue “Create” button at the bottom of the blade, as the default settings are fine.
You should be familiar with assigning the script to some devices, so this guide will not cover that in detail.
However, please consider scoping the devices with groups, instead of just adding the script to all devices (it’s best practice yo!).
For some more advance use cases, one could create multiple versions of the script, that source from different security groups.
This would allow you to assign different administrators, to a segregated list of devices.
The scenario could be one where local IT staff exists in branch offices, and they have no business handling devices not belonging to their branch.
To do this, you would create multiple PowerShell Device Configurations that each target a different security group. these would in turn be assigned to different device groups.
More could be done, but this was just one quick example…
NB: The cons of adding any powershell script via Intune, is that it only runs once. So you will need to fix that by deleting the policy, and recreating it, if you have changes to the group membership.
I have another workaround for this, in my blog post here: https://www.iphase.dk/force-reload-intune-powershell-scripts/
ALSO: Read the script through, there are experimental features in there you might need!
As always, I welcome any ideas, script changes, remote work gigs, and dad jokes.
Hope you found this article useful, if so PLEASE @mention me or follow me on Twitter@michael_mardahl
After a few months away from bloggin because family and holiday and one self is important to tend to, I…
Conditional Access and multi tenancy can be tough on anyone... (more…)
Continuing my ongoing series on passwordless with Azure AD and FIDO2... The story continues on SCConfigMgr.com... :) https://www.scconfigmgr.com/2019/11/18/passwordless-journey-with-fido2-part-2-usage-experiences/
Passwordless with FIDO2 is becoming a real option for enterprises that are adopting the cloud. In this guest blog post…
I published a PowerShell Gallery script, that will get you through this headache in a jiffy. (more…)
Enabling preview features in Azure AD to extend your on-prem password policy to Azure AD. (more…)
This website uses cookies to track views anonymously with analytics.