Forum Discussion

underQualifried
Brass Contributor
Apr 22, 2026

'Registering user becomes local admin on Joined Devices' - WHAT

Stumbled on a tenant with 'JOIN' available for all users. Haven't worked with this much - most tenants I see only have registration. But then I noticed the horrifying 'Registering user is added as local administrator on the device during Microsoft Entra join' option was ALSO set to ALL.

This is a tenant we just took on, but I've never seen that control before. This is terrifying, considering AFAIK, there is no real way for a registering user to know if they're registering or joining. Beneath it is an option to 'Manage Additional local administrators on all Microsoft Entra joined devices', which leads to the Role page for Device Administrators, which is empty.

Under Description, this describes what APPEARS to be the same thing mentioned in the previous control - 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'. But no one is assigned this.

Conveniently, on my own tenant, I happened to let someone JOIN yesterday. We have this limited to 2 (now 3) people - most just register... But this user Joined, and the 'Joining user becomes local admin' option was on ALL. But I can't validate that the user ever became local admin. They don't have the role, their device shows as joined, but there are no additional roles. The audit logs don't look weird. They're not in that 'Device Administrators' group, which describes itself as 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'.


Thoughts? Freaking out, honestly. We have a mix of DC and Cloud users. I've inherited them all, and had the understanding that Join was essentially registration but with Org ownership. I've tried to get some input from Copilot, but he has basically waffled between 'No, this setting is just badly named' and 'no, actually it's this other setting' and 'no, you know what, it all makes sense somehow'. 


1. Does that option actually set the joining user as global admin? Is that really the default setting?

2. Can you validate this ANYWHERE in Entra? Or does it just disappear?

3. What is that Device Admin group? A separate group, independent of these two settings, that gives local admin?

4. Is there a graph endpoint that can be used to set this? 


Thanks


1 Reply

  • They are added as local admin on the device, not in Entra/M365. In other words, they will be added to the Administrators local group on the machine they performed the join with (you can confirm this under Local Users and Groups > Groups > Administrators). Nothing else.
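The check described in the reply, scripted as an added example (not from the original thread or from Microsoft): run it elevated on the Entra-joined device itself to confirm the join state and list who sits in the local Administrators group, flagging cloud-backed principals. It assumes the built-in `dsregcmd` tool and the `Microsoft.PowerShell.LocalAccounts` module that ship with Windows 10/11.

```powershell
# Added example: audit the local Administrators group on an Entra-joined device.
# Not part of the original post. Run in an elevated PowerShell session on the device.

# 1. Confirm the device really is Entra joined (not just registered).
$joinLine = (dsregcmd /status) | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' }
Write-Host "Join state -> $($joinLine.Trim())"

# 2. Enumerate local Administrators. Entra users and Entra role SIDs show up with
#    PrincipalSource 'AzureAD' and SIDs under the S-1-12-1-* authority.
try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
}
catch {
    # Get-LocalGroupMember can fail on devices holding orphaned cloud SIDs;
    # fall back to the legacy tool so the audit still produces a list.
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); falling back to net localgroup."
    net localgroup Administrators
    return
}

$report = foreach ($m in $members) {
    $sid = $m.SID.Value
    [pscustomobject]@{
        Name        = $m.Name
        SID         = $sid
        Source      = $m.PrincipalSource
        CloudBacked = ($sid -like 'S-1-12-1-*') -or ($m.Name -like 'AzureAD\*')
    }
}

$report | Format-Table -AutoSize

# 3. Highlight cloud-backed admins: the joining user (if the tenant setting is
#    enabled) and the tenant role SIDs appear here, nowhere in the Entra portal.
$cloudAdmins = $report | Where-Object CloudBacked
if ($cloudAdmins) {
    Write-Host "Cloud-backed members of local Administrators: $($cloudAdmins.Count)"
} else {
    Write-Host 'No cloud-backed members found in local Administrators.'
}
```

A user who was granted local admin at join time shows up only in this local group, so compare the output against the list of people you intend to hold that right on the device.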