AzureAd\xxxx user as local admin seems not to be dynamic

Windows 11 caches local group membership for Azure AD users inside the local profile. When the user is added or removed from an Entra ID group, the change is not reflected until the profile is recreated.

This is expected behavior today.

Why it happens:

• Windows caches tokenGroups for cloud user accounts.
• The cached values do not refresh until the next interactive sign-in with a clean profile.
• Removing the user from the group does not remove the cached local admin SID.

Workarounds:

• Delete the local user profile → forces group membership refresh.
• Use the new Windows LAPS with cloud policy (dynamic admin privileges).
• Move to Azure AD Joined + Privileged Access Groups if possible.

It’s a known limitation and affects scenarios where Entra groups are used for local admin rights.