How to set up a local administrators group for Entra ID joined devices.

Created by JP Pieterse, Modified on Fri, 22 Mar, 2024 at 1:03 PM by JP Pieterse

You can use Entra ID groups to manage membership of the local Administrators group on Entra ID joined, Intune-enrolled devices with the Local Users and Groups MDM policy. We will use Microsoft Intune to manage these policies.


**You will need to activate the Global Administrator role in PIM to be able to complete this set-up.


1. Create an Entra ID Group

We’re going to create a Security Group in Entra ID. This group will be added to the local Administrators group on devices that join Entra ID. By using an Entra ID group, we can streamline management: to grant a user local admin rights on devices, all we need to do is add them to the Entra ID group. This simplifies the process significantly.

Create an Entra ID group with the details below.

  • Group type: Security
  • Group name: IntuneLocalAdmins
  • Azure AD roles can be assigned to the group: select Yes.
  • Membership type: Assigned
  • Members: add users now if you want to grant anyone local admin rights at this point.

Follow this link if you need any help in creating the group.


2. Create Account Protection Policy to manage Local Administrators Group Membership Using Intune

The next step is to create an account protection policy. To create a local user group membership policy, log in to the Intune portal at https://intune.microsoft.com/

  1. Navigate to Endpoint security
  2. Select Account protection
  3. Click on + Create Policy to start policy creation process
  4. From Create a profile, select the following
    • Platform: Windows 10 and later
    • Profile: Local user group membership
  5. Click on Create


Enter the Name and Description for profile and click on Next to move to Configuration Settings.


On the Configuration Settings page, select all required settings. The following settings are available and need to be selected.

  1. Local group: select Administrators, as in this example we are adding users / an Entra ID group to the local Administrators group.
  2. Group and user action: set this to Add (Update). This only adds members and does not replace the existing administrators. It is the safer choice because it does not delete or remove existing accounts, which helps mitigate the risk of locking users out of the device.

     **The local group and user management policy has three actions available.

     a. Add (Update): Add the listed members to the specified group. Other members already in the local group will not be touched.

     b. Remove (Update): Remove the listed members from the specified group. Other members already in the group and not listed in the policy will not be removed.

     c. Add (Replace): Replace the existing members of the group with the members provided in the policy.

  3. User selection type: set this option to Users / Groups. This will allow you to select the group created for this action.
  4. Select Users / Groups, or provide the details manually, depending on the User selection type.
  5. On the Assignments page, you can assign the policy to all users and all devices by clicking Add all users and Add all devices. **Take care when doing this: if you set the group and user action to Add (Replace), the policy might remove any local accounts and lock the IT department out of the device. If you are using the replace action, be sure to target a test group of machines and test the policy properly before rolling it out to all devices.

     Click on Next.

  6. On the Review + create page, review the details and click on Create to create the policy. **Make sure that all settings are as intended.

3. Verify Result

To verify the result, perform the steps below on one of the targeted devices.

  • Launch compmgmt.msc
  • Navigate to Local Users and Groups / Groups
  • Double-click Administrators
  • Verify that the required Entra ID groups / users are now members of the local Administrators group.


You can also check whether this policy was successfully assigned by clicking on the policy you just created.

This will open a screen showing the assignment status per device.
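Entra ID groups show up in the local Administrators group as unresolved SIDs of the form S-1-12-1-..., so the check in compmgmt.msc can be hard to read. The following PowerShell, added here as an example and not part of the original article, converts the object ID of the IntuneLocalAdmins group to that SID and reports whether it is present on the device; the object ID value at the bottom is a placeholder to replace with your group's ID.

```powershell
# Added example: verify that an Entra ID group is a member of the local Administrators group.
# Windows represents cloud (Entra ID) identities with SIDs of the form S-1-12-1-a-b-c-d, where
# a..d are the four little-endian 32-bit words of the object's GUID.
function Convert-EntraObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $words = for ($i = 0; $i -lt 16; $i += 4) { [BitConverter]::ToUInt32($bytes, $i) }
    return "S-1-12-1-$($words -join '-')"
}

# Read the Administrators group through ADSI (WinNT provider) rather than Get-LocalGroupMember,
# which can fail on Entra-joined devices when a member SID cannot be resolved to a name.
function Get-LocalAdministratorsMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $rawSid = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $name   = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name = $name
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)).Value
        }
    }
}

# Reports the expected SID, whether it is present, and the full current membership so that
# an unexpected Add (Replace) result (missing break-glass or IT accounts) is also visible.
function Test-EntraGroupIsLocalAdmin {
    param([Parameter(Mandatory)][string]$GroupObjectId)
    $expected = Convert-EntraObjectIdToSid -ObjectId $GroupObjectId
    $members  = Get-LocalAdministratorsMembers
    $present  = [bool]($members | Where-Object { $_.Sid -eq $expected })
    [pscustomobject]@{
        ExpectedSid = $expected
        Present     = $present
        Members     = ($members | ForEach-Object { "$($_.Name) [$($_.Sid)]" }) -join '; '
    }
}

# Placeholder: replace with the object ID of the IntuneLocalAdmins group from the Entra admin center.
Test-EntraGroupIsLocalAdmin -GroupObjectId '00000000-0000-0000-0000-000000000000'
```

Run it in an elevated PowerShell session on a targeted device; Present is True once the policy has applied.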

