A Closer Look At The Azure AD Joined Device Local Administrator Role And Endpoint Manager Account Protection Policy

Local admin access is something a domain setup needs for many reasons. Over the years Microsoft has introduced several options for managing these accounts securely, such as Restricted Groups and LAPS.

With Azure AD and Endpoint Manager on the scene, many devices have moved from on-prem management to cloud management. Azure AD RBAC and Endpoint Manager each have their own way of enabling local admin access on managed devices. I did a bit of research on both options, and these are my findings. My main focus is to discuss them and give my verdict.

Table of Contents

  1. What is the Azure AD Joined Device Local Administrator role
  2. What Will Happen When This Role Gets Assigned?
    1. My Issue With The Above Behaviour 🚩🚩🚩
  3. Can Privileged Access Management Features Help?
    1. My Issue with PIM and Just in time Access
  4. Endpoint Manager Account Protection Policy As An Alternative?
    1. Highlights Of This Method
  5. Setting Up The Policy
  6. Final Thoughts?

What is the Azure AD Joined Device Local Administrator role

Azure AD Joined Device Local Administrator is one of the many Azure AD roles that provide RBAC when needed, and it works like the others. Any user assigned this role gets local admin access on the Azure AD joined devices in the environment.

Azure AD Role Description: Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory.

What Will Happen When This Role Gets Assigned?

When the privileged user logs in to the Azure AD joined computer, a few security principals are added to the computer: the Azure AD Global Administrator role, the Device Local Administrator role, and the user performing the Azure AD join. The SIDs represent the Azure AD roles.

How this works is great, and IT can benefit from it. Whenever such a user logs on to an AAD joined device, the account is automatically a local administrator, and IT doesn’t have to keep adding users to the Administrators group.

From Microsoft: By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been only assigned the device administrator role to manage a device.


My Issue With The Above Behaviour 🚩🚩🚩

The principle sounds good, but when a user is assigned this role, they are allowed to access any Azure AD joined device in the fleet. The official Microsoft documentation says this can’t be scoped to only a subset of devices, which is exactly my issue.

Why? Because I may need to provide local admin access to only a set of computers, or to just one computer. It is also not practical to create a local account on that device and add it as a local admin, and I am unable to add Azure AD users into the Administrators group.

Take this scenario. An external contractor comes to work on a project and needs local admin privileges on only one or a few devices in the fleet, not on all of them. What will be the next step? Providing the contractor with the above role? I know I won’t.

Can Privileged Access Management Features Help?

Let’s park my issue for a minute. As with any Azure AD role, you can set up Privileged Identity Management (PIM) for this role, or create a PIM-based Azure AD group and assign members Eligible or Permanent access. You can set up PIM groups and assign users to them, and the users can elevate Eligible access to Active access when needed. What you can’t do is scope the machines with Azure AD Administrative Units attached to the PIM group. You can attach them, but that is not actual scoping, and it will not work as expected.

Technically you can add and remove users from the group, and access will be added and removed respectively. That leads to my second issue.

My Issue with PIM and Just in time Access

Users are added to the group, they elevate access when required, and access is granted. That’s all good and perfect.

If you set up just-in-time (JIT) access, though, it will be a bit pointless because of the consideration below, stated in the Microsoft documentation.

When you remove users from the device administrator role, changes aren’t instant. Users still have local administrator privilege on a device as long as they’re signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take up to 4 hours.

More information can be found here from the learn article

Even if you don’t use JIT, the above consideration applies whenever you need to remove the role from a user.

Endpoint Manager Account Protection Policy As An Alternative?

Alongside the Azure AD Joined Device Local Administrator role, MEM can be used to set an Account Protection policy, specifically the one named Local user group membership.

This policy adds users and groups to the local admin groups on your Azure AD joined or Hybrid Azure AD joined devices.

Users can be added to, removed from, or replaced in the local groups below.

Highlights Of This Method

  • Can be used for both AADJ and HAADJ devices in the same way
  • It can be scoped to a set of devices, which is ideal if you have a large fleet and also when you need to give third-party users access to specific devices
  • To revoke a user’s access, the user account needs to go into the user and group action Remove and needs to be removed from the Add section.
  • If you maintain 2 groups and put 1 in Add and 1 in Remove, you will only have to change the group memberships later. When the policy syncs with the computer, the relevant user gains access or has access removed.
  • However, as with the consideration for the Azure AD role, the user needs to sign out and sign in again for access to take effect or to be revoked.
  • You can’t use PIM features, because even though JIT removes the member from the PIM-enabled group when the access expires, it won’t remove the user from the local admin group. For that to happen, the user has to go into a group with the user and group action Remove.

Setting Up The Policy

Endpoint Manager > Endpoint Security > Account Protection > Create Policy >

In the next screen, you have 2 options according to the joined mode.

For AADJ: From the User selection type Select Users/ Groups

Select the users and groups from the flyout blade when you click on the Select users/ groups link next.

For HAADJ: From the User selection type Select Users/ Groups

To Add users and groups, click on the Add user(s) link next.

There are 3 ways to add the users or groups.

  • Use the usernames
  • Use Domain\username
  • Use SID (Security Identifier)

Once added, the users or the groups will be added to the computer’s local admins group or to the local group you specify.
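
The role SIDs mentioned earlier and the SID option for HAADJ above both rely on how Windows represents an Azure AD object locally: S-1-12-1- followed by the 16 bytes of the object ID read as four 32-bit integers. The PowerShell below is an added example, not part of the original article; the function names, object IDs and member list are constructed for illustration. It converts in both directions and flags Azure AD principals in an Administrators member list that are not on an approved list.

```powershell
# Azure AD principals appear on a device as S-1-12-1-<a>-<b>-<c>-<d>, where a..d
# are the object ID's GUID bytes read as four little-endian UInt32 values.
function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $parts, 0, 16)
    'S-1-12-1-' + ($parts -join '-')
}

function Convert-SidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-\d+-\d+-\d+-\d+$') { throw "Not an Azure AD SID: $Sid" }
    $parts = [UInt32[]]$Sid.Substring(9).Split('-')   # drop the 'S-1-12-1-' prefix
    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    [guid]$bytes
}

# Compare Administrators members against the object IDs you intended to grant.
function Test-LocalAdminMembers {
    param([string[]]$Sids, [hashtable]$Approved)
    foreach ($sid in $Sids) {
        if ($sid -like 'S-1-12-1-*') {
            $id = (Convert-SidToObjectId $sid).ToString()
            [pscustomobject]@{
                Sid = $sid; ObjectId = $id; Type = 'AzureAD'
                Status = if ($Approved.ContainsKey($id)) { $Approved[$id] } else { 'UNEXPECTED' }
            }
        } else {
            [pscustomobject]@{ Sid = $sid; ObjectId = $null; Type = 'Local/AD'; Status = 'review separately' }
        }
    }
}

# Constructed sample data: placeholder object IDs, not real tenant values.
$approved = @{
    '11111111-2222-3333-4444-555555555555' = 'Device Local Administrator role (placeholder)'
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' = 'Contractor local admins group (placeholder)'
}
# On a real device this list would be the member SIDs of the local Administrators group.
$memberSids = @(
    (Convert-ObjectIdToSid '11111111-2222-3333-4444-555555555555'),
    (Convert-ObjectIdToSid '99999999-8888-7777-6666-555555555555'),   # not in $approved
    'S-1-5-21-1111111111-2222222222-3333333333-500'                   # constructed local account SID
)
Test-LocalAdminMembers -Sids $memberSids -Approved $approved | Format-Table -AutoSize
```

Running the same check after a policy sync and a sign-out/sign-in shows whether a Remove action has actually taken effect on the device.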

Use Add and Remove in the same policy with 2 different Groups

Similarly, add a Remove section as shown below, so that both adding and removing are managed via the same policy. This can be managed via security groups.

In this way, even though JIT is not achievable, you avoid the 4-hour wait for the token revocation.

Final Thoughts?

The Azure AD Joined Device Local Administrator role is a good start, with a few things lacking: JIT and device scoping. It would be better if something like Continuous Access Evaluation were implemented for this role, or as a feature tied to PIM, so that access can be revoked sooner rather than later.

The Endpoint Manager policy is a good option, as it can be scoped and can be used for both AADJ and HAADJ modes. I think this policy can be used creatively with the Add and Remove options in the same policy.

I hope this article gave you an idea of which option is best for your scenario, and of the gotchas you need to keep in mind.

Feature Image: Key Vectors by Vecteezy

