Recipe · Intune & Device Management
Grant Local Administrator Rights on Entra-Joined Devices via Intune
Assign local admin privileges to users on Microsoft Entra joined Windows devices using directory roles, Intune Account Protection policies, or Endpoint Privilege Management
Complexity: Intermediate
Impact: security-sensitive, endpoint-management, privileged-access, intune, entra-id
Context
Why This Matters
Users occasionally need local administrator rights on their corporate Windows devices to install developer tools (Visual Studio Code, Docker, Node.js), run legacy applications that require elevation, or troubleshoot driver issues. On Microsoft Entra joined devices, the local Administrators group is managed by Entra ID during the join process; modifications after the fact require either a directory role assignment, an Intune Account Protection policy (LocalUsersAndGroups CSP), or, ideally, Endpoint Privilege Management (EPM) for just-in-time elevation.
This recipe walks through the three common approaches, their trade-offs, and how to choose the right one for a given request. It replaces the common (but insecure) practice of directly adding users to the local Administrators group via PowerShell on the device, which is untracked and survives re-imaging.
Expected Outcomes
- The target user can perform administrative actions (install software, change system settings) on the designated Entra-joined device(s).
- The grant is tracked centrally in Entra ID or Intune: visible, auditable, and reversible.
- You have a documented justification and scope for the grant (tenant-wide, device-scoped, or just-in-time).
- The change complies with least-privilege principles, with an expiration or review date where appropriate.
Risks & Considerations
Security considerations
- The Microsoft Entra Joined Device Local Administrator role is tenant-wide. Assigning it grants local admin on every Entra-joined device in the tenant, not just one laptop. Do not use it as a one-off fix.
- Intune Account Protection (LocalUsersAndGroups) policies are device-scoped via group assignment. Prefer this over the directory role when you need to limit scope.
- Endpoint Privilege Management (EPM) is the modern, preferred approach: it grants elevation for specific executables on demand rather than standing admin rights. It requires an Intune Suite or EPM add-on license.
- Permanent local admin weakens endpoint security. A compromised user account with local admin can disable Defender, install persistent malware, and extract credentials from LSASS.
- Propagation is not instant. Directory role changes can take up to 4 hours and require sign-out/sign-in. Intune policy application depends on the next device check-in (typically 8 hours, can be forced).
- Log and review. Every local admin grant should have a ticket, a justification, and a planned expiration or quarterly review.
Do not
- Do not RDP to the device and add the user to the Administrators group manually; the change is invisible to Intune/Entra and will be overwritten by policy.
- Do not add users to the Global Administrator or Entra Joined Device Local Administrator roles to solve a single-device problem.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| RoleManagement.ReadWrite.Directory | Activate and assign members to the Microsoft Entra Joined Device Local Administrator directory role |
| DeviceManagementConfiguration.ReadWrite.All | Create and assign Intune Account Protection / LocalUsersAndGroups configuration policies |
| DeviceManagementManagedDevices.Read.All | Look up the target user's Intune-managed device(s) |
| User.Read.All | Resolve the target user's object ID and security identifier (SID) for policy payloads |
| Group.ReadWrite.All | Create or update the security group used to scope the Intune policy assignment |
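As an added illustration (not part of this recipe or of Dex), the Python below builds the payload an Account Protection / LocalUsersAndGroups policy carries: it converts a user's Entra object ID into the S-1-12-1 SID the device resolves, and emits the Configure XML with action "U" so the existing Administrators members (including the join-time admins) are kept rather than replaced. The object ID is a constructed sample, and the element names follow the Policy CSP LocalUsersAndGroups documentation.

```python
import re
import struct
import uuid
import xml.etree.ElementTree as ET

# Well-known SID of the built-in Administrators group, identical on every Windows device.
ADMINISTRATORS_SID = "S-1-5-32-544"
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def object_id_to_sid(object_id: str) -> str:
    """Map an Entra ID user/group object ID (GUID) to its S-1-12-1-* SID.

    Windows derives the SID by reading the GUID's 16 bytes (the same order as
    .NET Guid.ToByteArray() / Python bytes_le) as four little-endian uint32s.
    """
    guid = uuid.UUID(object_id)
    d1, d2, d3, d4 = struct.unpack("<4I", guid.bytes_le)
    return f"S-1-12-1-{d1}-{d2}-{d3}-{d4}"


def build_local_admin_payload(member_sids, action: str = "U") -> str:
    """Return LocalUsersAndGroups/Configure XML that adds member_sids to Administrators.

    "U" (update) appends to the current membership. "R" (restore) replaces it with
    exactly the listed members, which can strip the accounts Entra added at join
    time and lock admins out, so it is only used when passed explicitly.
    """
    if action not in ("U", "R"):
        raise ValueError("action must be 'U' (update) or 'R' (restore/replace)")
    root = ET.Element("GroupConfiguration")
    group = ET.SubElement(root, "accessgroup", desc=ADMINISTRATORS_SID)
    ET.SubElement(group, "group", action=action)
    for sid in member_sids:
        # Reject anything that is not a SID so a typo never becomes a policy payload.
        if not SID_RE.match(sid):
            raise ValueError(f"not a SID: {sid!r}")
        ET.SubElement(group, "add", member=sid)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample object ID, not a value from any real tenant.
    sample_oid = "73d664e4-0886-4a73-b745-c694da45ddb4"
    print(build_local_admin_payload([object_id_to_sid(sample_oid)]))
```

The resulting string is what goes into the policy's Configure setting; scope the policy with a device group rather than assigning it tenant-wide.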