Forum Discussion
AzureAd\xxxx user as local admin seems not to be dynamic
Hello. I am not sure if this is the correct place. The question is: I have an Account Protection policy that enables an Azure group, groupX, as local admin in Windows 11. I have an AzureAd\userX that belongs to groupX in Entra ID. That works fine. But if I remove AzureAd\userX from the Entra ID groupX (and close the local session), userX still has admin permissions. The opposite is the same. Nothing changes until I remove the local profile for AzureAd\userX in Windows 11.
It seems something remains in the profile and Windows 11 is not capable of reading Entra ID groups dynamically.
It is rare behaviour. The problem is that in my company this is in production now, and the workaround for some users who are moving to another department has issues with userX (which acts as admin instead of the ordinary user they log on as interactively).
Any idea? Thanks in advance.
Regards
2 Replies
- AndresSR, Copper Contributor
Thanks, rogerval.
It is what I have seen. I wanted confirmation from an expert.
Windows 11 caches local group membership for Azure AD users inside the local profile. When the user is added or removed from an Entra ID group, the change is not reflected until the profile is recreated.
This is expected behavior today.
Why it happens:
- Windows caches tokenGroups for cloud user accounts.
- The cached values do not refresh until the next interactive sign-in with a clean profile.
- Removing the user from the group does not remove the cached local admin SID.
Workarounds:
- Delete the local user profile → forces group membership refresh.
- Use the new Windows LAPS with cloud policy (dynamic admin privileges).
- Move to Azure AD Joined + Privileged Access Groups if possible.
It’s a known limitation and affects scenarios where Entra groups are used for local admin rights.
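A way to check this on an affected device, as an added diagnostic that is not part of the thread above: the script below maps an Entra group's object ID to the SID Windows uses for it on an Entra-joined machine (S-1-12-1 followed by the GUID's 16 bytes read as four little-endian 32-bit words), then reports whether that SID is present in the local Administrators group, whether it is present in the signed-in user's access token, and whether the token carries the built-in Administrators SID at all. The object ID assigned to `$EntraGroupObjectId` is a placeholder; `Test-EntraAdminGroupState` and the two `Convert-*` functions are names chosen here, not Windows or Intune cmdlets. Run it in the affected user's interactive session, once before and once after the group change and a sign-out/sign-in.

```powershell
# Added diagnostic (not from the thread): compare what Entra says with what the
# local Administrators group and the current session token actually contain.
# $EntraGroupObjectId is a placeholder; substitute the real group object ID.

function Convert-EntraObjectIdToSid {
    # Entra users and groups appear on an Entra-joined device as
    # S-1-12-1-<w1>-<w2>-<w3>-<w4>, the GUID's byte array as four little-endian UInt32.
    param([Parameter(Mandatory)][string] $ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $words = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $words, 0, 16)
    return 'S-1-12-1-' + ($words -join '-')
}

function Convert-EntraSidToObjectId {
    # Reverse mapping, so an unresolved S-1-12-1-... member of a local group can be
    # traced back to the Entra object it represents.
    param([Parameter(Mandatory)][string] $Sid)
    $parts = ($Sid -replace '^S-1-12-1-', '').Split('-')
    $words = [UInt32[]]$parts
    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($words, 0, $bytes, 0, 16)
    return [Guid]::new($bytes).ToString()
}

function Test-EntraAdminGroupState {
    param([Parameter(Mandatory)][string] $GroupObjectId)
    $groupSid = Convert-EntraObjectIdToSid -ObjectId $GroupObjectId

    # 1. Group SIDs in the running session's token. This is what grants admin rights;
    #    it is built at sign-in and is not re-read from Entra while the session lives.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $inToken = [bool]($tokenGroups | Where-Object { $_.SID -eq $groupSid })

    # 2. Membership of the local Administrators group as written by the policy.
    #    Get-LocalGroupMember can fail on some builds when a member SID does not
    #    resolve, so fall back to the text output of net localgroup.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $inLocalGroup = [bool]($members | Where-Object { $_.SID.Value -eq $groupSid })
    } catch {
        $raw = net localgroup Administrators
        $inLocalGroup = [bool]($raw | Where-Object { $_ -match [regex]::Escape($groupSid) })
    }

    # 3. Whether the token carries the built-in Administrators SID (S-1-5-32-544).
    #    Under UAC a non-elevated admin session shows it with "Group used for deny only";
    #    a standard user's token does not contain it at all.
    $builtinAdmins = $tokenGroups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        GroupSid               = $groupSid
        GroupInLocalAdmins     = $inLocalGroup
        GroupSidInSessionToken = $inToken
        TokenHasBuiltinAdmins  = [bool]$builtinAdmins
        BuiltinAdminsAttributes = if ($builtinAdmins) { $builtinAdmins.Attributes } else { $null }
    }
}

# Placeholder object ID: replace with the Entra group's object ID.
$EntraGroupObjectId = '00000000-0000-0000-0000-000000000000'
Test-EntraAdminGroupState -GroupObjectId $EntraGroupObjectId | Format-List
```

If `GroupInLocalAdmins` is true but `GroupSidInSessionToken` is false after a fresh sign-in, the policy side is fine and the user's token no longer carries the group, so they should not be admin; the reverse combination (group SID still in the token after removal from Entra) points at the stale-token situation described in the reply above. Checking the token rather than the local group is the part that matters, because local group membership is evaluated against the SIDs in the token, not against Entra at run time.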