Forum Discussion
Louis_H440, Copper Contributor
Sep 21, 2023
Linking local admin account to Intune / AD
Hello,
We are in the process of setting up Intune for our organisation and are working on designing the process for enrolling each user's device. Currently, each user's account is set up as a local admin account, and ideally we would find some way to link this to their AD account in Intune.
Does anyone know how to accomplish this? Simply enrolling the device via company portal doesn't connect the account it was enrolled from.
Thanks in advance
- rahuljindal-MVP, Bronze Contributor
What is the rationale behind linking existing local admin account for enrolled device in the first place? Users should ideally not be given any admin privileges. If they need the elevation then consider using privilege management tools to do so.
- Louis_H33, Copper Contributor
rahuljindal-MVP Seems people are discussing several different scenarios in this thread. Our specific use case, however, is migrating from another MDM to Intune. When users' devices are deregistered from the old MDM, their accounts are converted to local accounts on the machine.
As for a general reason you may want to allow users to have local admin accounts: a small company with a large proportion of developers who you want to allow some flexibility when it comes to the tools they use.
- rahuljindal-MVP, Bronze Contributor
How are you migrating? As for the elevation of rights, there are multiple ways to address it. A couple of options that come to my mind are Windows LAPS, EPM, device admins leveraging Entra ID roles + PIM, and account protection policies.
- LeonPavesic, Silver Contributor
Hi Louis_H440,
To link a local admin account to an AD account in Intune, you can use the following steps:
- Create a new user account in Azure AD for the local admin account. The user account must have the same username and password as the local admin account.
- Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory.
- Once the user account has been synchronized, you can enroll the device in Intune using the company portal.
- When the device is enrolled, Intune will create a new user account on the device using the Azure AD user account.
- Intune will also add the Azure AD user account to the local administrators group on the device.
Once the device is enrolled and the user account is linked to the AD account, the user will be able to log in to the device using their Azure AD credentials and will have local administrator privileges on the device.
Here are some additional things to keep in mind:
- You can also use the Microsoft Endpoint Manager Admin Center to link a local admin account to an AD account. To do this, go to Devices > All devices > [Device name] > Account. Under Local admin account, click Link to Azure AD account.
- If you are using a hybrid Azure AD environment, you must make sure that Azure AD Connect is configured to synchronize user accounts from your on-premises Active Directory to Azure AD.
- Once a user account is linked to an AD account, the user cannot log in to the device using a local admin account.
Here are some useful links you can use:
- Manage local administrators for Azure AD joined devices: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
- Link a local admin account to an Azure AD account in Intune: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
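A practical check for the migration scenario described in this thread (added here as an example; it is not code from any poster and not an Intune feature): list the members of the local Administrators group on an Entra ID / Intune-enrolled Windows device and separate plain local accounts (such as those left behind when the old MDM deregistered the device) from Entra ID and on-premises AD principals. It assumes the built-in Microsoft.PowerShell.LocalAccounts module and that Entra ID principals carry SIDs beginning with S-1-12-1.

```powershell
# Added example (not from the thread): audit who holds local admin rights on a device
# so accounts converted to local accounts during an MDM migration can be reviewed.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows (LocalAccounts module).

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Administrators'   # group to inspect; default is the local Administrators group
    )

    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop

    foreach ($m in $members) {
        $sid = $m.SID.Value
        # Built-in Administrator has RID 500; Entra ID (Azure AD) users and groups use S-1-12-1-* SIDs.
        $isBuiltInAdmin   = $sid -like 'S-1-5-21-*-500'
        $isEntraPrincipal = $sid -like 'S-1-12-1-*'

        $category = switch ($true) {
            { $isBuiltInAdmin }                          { 'BuiltInAdministrator'; break }
            { $isEntraPrincipal }                        { 'EntraID'; break }
            { $m.PrincipalSource -eq 'ActiveDirectory' } { 'OnPremAD'; break }
            { $m.PrincipalSource -eq 'Local' }           { 'LocalAccount'; break }
            default                                      { 'Other' }
        }

        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            SID             = $sid
            Category        = $category
            # Plain local user accounts other than the built-in Administrator are the ones to review:
            # these are the leftovers the thread describes, not accounts managed through Entra ID.
            ReviewNeeded    = ($category -eq 'LocalAccount' -and $m.ObjectClass -eq 'User')
        }
    }
}

# Run locally (or via an Intune script/remediation) and look at the ReviewNeeded column first.
Get-LocalAdminAudit | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

On some builds Get-LocalGroupMember reports an error for orphaned Entra ID SIDs it cannot resolve; in that case run it with -ErrorAction SilentlyContinue and compare against the output of `net localgroup Administrators`.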
- Abdullah_Ollivierre, Copper Contributor
So the process of Azure AD Connect works only from on-premises to cloud. Whilst it is capable of things like password writeback and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.
- JaxsDaddy469, Copper Contributor
Correct, but this can be accomplished with the Intune Connector.
- Abdullah_Ollivierre, Copper Contributor
Wait a sec.. "Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory." Can AAD Connect sync a cloud-only user back to on-prem?
- Louis_H440, Copper Contributor
Thanks for the quick response, LeonPavesic! I'll test the process and get back to you.