“With Windows 2004 we are now able to add a SID of the Azure AD group via the restricted group CSP into the local administrators group.”

Modern Management addresses a myriad of challenges organizations have faced with legacy management. However, it does introduce some new challenges that were previously trivial.

One such challenge is local administrator access for Azure AD joined machines.

Managing local administrator access to domain joined machines is simple: 

  1. Create a domain group

  2. Add user to the group

  3. Leverage GPO and restricted groups to add the domain group into administrators group on the local machine

  4. The next time the user logs in they have administrator access

However, local administrator access with Azure AD introduces some complexity.

 

Local Administration with Azure Active Directory

Local administration is significantly more complex with Azure AD joined devices, especially for larger organizations where different groups of users need administrator access to different groups of machines. 

When enrolling a device through either the self-service OOBE process or autopilot, the user that joins the machine to AAD will be made a local administrator on the machine (in the case of autopilot, only if enabled in the autopilot profile).

As part of this process two additional SIDs will be added into the “Administrators” group on the local machine.

  • The SID that represents the Global Administrator role in Azure AD

  • The SID that represents the Azure AD Device Administrator role (referred to as Additional local administrators on Azure AD joined devices in the Azure portal)

    Global Administrator role

    Global Administrator is like an Enterprise Administrator group in Active Directory, this role grants the user full administrative access to all areas of Azure.

    This is not a role that you’d want to be assigning to your users just to get local administrator access on Azure AD joined machines.

    Let’s explore some alternative solutions.

    Azure AD Device Administrator role

    This list of users resides under https://portal.azure.com -> Azure Active Directory -> Devices -> Device settings

    Users that are added to that list will be granted administrative access to all Azure AD joined machines in the organization.

    However, there are some limitations:

    • You cannot add a group into this list, users must be added individually.

    • Whoever is adding the users must have the appropriate access in Azure to modify this setting.

    • Users in this group have administrator access to ALL Azure AD joined machines in the organization.

    If there is a need to segment administrator access to groups of machines for security or organization purposes, this method is not fit for purpose. 

    Azure AD offers us two methods of allowing other users administrator access to Azure AD joined machines, but with issues.

    • Both role and “Additional local administrators” cannot be targeted to a group of machines, meaning that accounts that are Global Administrators or are “Additional local administrators” have admin access to EVERY machine in the environment. This may not be an issue in some environments but a big issue in others.

    • Both methods are global, which means that users added to each group will have access to every machine in the organization. This may be a problem if you have sensitive machines that helpdesk staff should not have access to or if your organizational support is split across multiple departments.

    We do not have a simple way of getting a single user admin access to the machine apart from remoting manually into the machine and adding the user into the local administrators group.

     

    Add users manually as administrators to the local machine

    Computer Management snap-in cannot resolve Azure AD accounts hence administrator users must be added via a different method:

    1. Go into Settings -> Accounts -> Other Users and click on Add a work or school user


     

    2. Enter the user account in the form of the UPN and choose the appropriate account type

     

Group based administrator control

With the release of Windows 2004, Microsoft have finally provided a somewhat scalable solution for local admin management.

Prior to Windows 2004 you could use the restricted groups CSP to define the members of local administrator group.

However, you had to specify each user (in the format AzureAD\UPN) which means you had to have large policies per group of machines listing all users that should get access. This list had to be maintained and updated, which is a nightmare and recipe for error.

With Windows 2004 we are now able to add a SID of the Azure AD group via the restricted group CSP into the local administrators group. Windows can now resolve this SID to an Azure AD group and grant members of this group admin access to local machine.

Note this is tied to the machine PRT token and it may take hours before the token expires and needs to be refreshed, the user will need to logout and log back in so the machine can query Azure AD, obtain a new token and grant admin access based on that token – be sure to understand this delay and be able to communicate it to less technical users.

 

Drawbacks of this method

Deploying this policy will drop all the members of the local administrators group and replace them with the newly supplied members. Therefore, if you have users that had local administrator access previously, by either being added through the autopilot/OOBE process or manually, they will lose administrator access to the machine.

Prior to deploying this you must ensure that you record the SIDs that are added into the local administrator group by default and deploy them as part of this policy.

 

Getting a SID from an Azure AD group

Azure AD does not display group SIDs in the GUID, however they can be retrieved via Microsoft Graph. An easy tool to use is Microsoft Graph explorer. To look up the group we will be using the following Microsoft’s graph API.

  1. First, we need to get the Group ID from Azure AD.

    2. Sign into the graph explorer

    3. In the graph explorer change the URL to the following and replace <ObjectID> with the object ID you got from the step above https://graph.microsoft.com/v1.0/groups/<ObjectID>

    4. If you get the error message, “Insufficient privileges to complete the operation.” You will need to Click on Modify Permissions and consent to the required permissions so that Graph can read the data from your tenant

    Once the call has been successful you will see a response containing information about the group. This response will also include a securityIdentifier which is the SID of the group.

    Self Service Administrator access

    It is possible to use a 3rd party tool to allow users to grant administrator access to the machine themselves.

    Make Me admin is an open source application that is freely available that allows standard users to be elevated to administrators.

    Future state

    Microsoft have announced that with release of 20H2 new functionality will be available for adding and removing users from the local groups on the machine, there is not much information about the functionality at this stage, however we expect to see documentation once 20H2 is officially released.

    If you would like to know more about administrating Windows 10 with Azure AD or managing windows devices with Microsoft Intune, contact us or check our services.

Learn more about services

Daniil Michine

Daniil has been working in information technology for over 10 years across a number of different industries.
He is very passionate about new technology, solving technological puzzles and architecting solutions.