Forum Discussion
Local administrator privileges not working after adding security group to local admin group
For those that stumble across this in the future, I had the same issue. I was using PIM with a customer, elevated to "Microsoft Entra Joined Device Local Administrator", but the device wasn't picking this up, even after an hour.
I then found this:
https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/
Particularly this section:
"If the account had previously logged into the device when you assign device administrator permissions, the account won’t be an admin until a new Azure AD primary refresh token is issued—AND when the user logs off and back on to get the new token. This could take up to four hours, but in my testing it never took that long."
Following that link took me here:
https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token
The Primary Refresh Token needed to be refreshed. There aren't any fantastic ways to do it, but that page says changing the login password and logging in again will refresh it. So I changed my password in M365, logged out and back into Windows 11 with the new password, and bingo – local admin.
If I had waited 4 hours for the refresh, it probably would have been fine, but I didn't have 4 hours to wait. Not an ideal solution, but it may help others.
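A quick way to see which of the two things is stale, the PRT on the device or the token of your current logon session, before resorting to a password change. This is an added example, not code from the post above or from the linked articles; it only reads `dsregcmd /status` and `whoami /groups`, so it assumes the English field names those tools print on current Windows builds (the `AzureAdPrt*` lines under "SSO State", and the "deny only" attribute text from `whoami`), and it must be run inside the affected user's own session, not from a different admin account.

```powershell
# Added example (not from the original post): from the affected user's session,
# report (1) when the device last obtained an Azure AD / Entra PRT and
# (2) whether the *current logon token* already contains BUILTIN\Administrators.
# A role granted via PIM after this logon only lands in the token after the PRT
# is refreshed AND the user logs off and on again.

function Get-PrtStatus {
    # Scrape the PRT-related fields out of dsregcmd /status (English field names assumed).
    $wanted = 'AzureAdJoined', 'AzureAdPrt', 'AzureAdPrtUpdateTime', 'AzureAdPrtExpiryTime'
    $result = [ordered]@{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $result[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$result
}

function Test-AdminInToken {
    # Inspect the current session's token, not the local Administrators group.
    # Membership can be present but "used for deny only" in a non-elevated
    # UAC prompt, so report both presence and whether it is usable right now.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $admin = $rows | Where-Object SID -eq 'S-1-5-32-544'   # BUILTIN\Administrators
    $usable = [Security.Principal.WindowsPrincipal]::new(
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        AdminSidInToken = [bool]$admin
        DenyOnly        = [bool]$admin -and ($admin.Attributes -match 'deny only')
        UsableNow       = $usable
    }
}

function Get-AdminReadiness {
    # Combine both checks and say which step is still missing.
    # -ActivatedAt: when the PIM role was activated (local time), if known.
    param([datetime]$ActivatedAt)

    $prt   = Get-PrtStatus
    $token = Test-AdminInToken

    # dsregcmd prints e.g. "2024-01-31 09:15:42.000 UTC" (format assumed here).
    $prtUpdated = $null
    if ($prt.AzureAdPrtUpdateTime -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $prtUpdated = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null).ToLocalTime()
        # Note: ParseExact yields an unspecified-kind value; treat it as UTC before converting.
        $prtUpdated = [datetime]::SpecifyKind([datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null), 'Utc').ToLocalTime()
    }

    $advice =
        if ($token.AdminSidInToken -and $token.UsableNow) { 'Admin rights are active in this session.' }
        elseif ($token.AdminSidInToken)                    { 'Admin group is in the token but deny-only; open an elevated prompt.' }
        elseif ($ActivatedAt -and $prtUpdated -and $prtUpdated -lt $ActivatedAt) {
            'PRT predates the role activation: wait for a PRT refresh (docs say up to 4 hours), then log off/on.' }
        else { 'PRT looks current but this logon predates it: log off and log back on to get a new token.' }

    [pscustomobject]@{
        AzureAdJoined   = $prt.AzureAdJoined
        AzureAdPrt      = $prt.AzureAdPrt
        PrtUpdatedLocal = $prtUpdated
        AdminSidInToken = $token.AdminSidInToken
        UsableNow       = $token.UsableNow
        Advice          = $advice
    }
}

# Usage: Get-AdminReadiness -ActivatedAt (Get-Date '2024-01-31 10:00') | Format-List
Get-AdminReadiness | Format-List
```

The point of the split is that `Get-LocalGroupMember Administrators` will happily show the Entra role SID long before you can actually use it; what matters is whether your logon token was built from a PRT issued after the role activation. If `PrtUpdatedLocal` is older than the activation there is nothing new to pick up yet, and if it is newer you only need a fresh logon, which is what the password change in the post forced.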