Microsoft Tech Community

Migrate from on Premise to Azure AD without intune


Hello everyone,

I'm starting to migrate small clients that have AD / Fileserver to Office 365 / Azure AD

I have already managed to migrate the entire file server to SharePoint, and some users are already logging into Azure AD. (I do not intend to have a hybrid installation; it will be 100% Azure AD.)

But I am not able to configure users as restricted users on their computers. Everyone is a local admin. Can I do this without having to purchase Intune?

By default, users are local admins when:
They enroll into AAD from OOBE
They enroll into AAD from the Settings app

If you don't want users to become local admins when they provision their computer, you need Intune.

Even so, I wouldn't recommend managing AAD-joined computers without Intune. Sooner or later you will need central management to push out security features, updates or applications.

@Thijs Lecomte but is there a way to add users as restricted users?

Like AD On Premise?

No, AAD doesn't have management of PCs included.
You need an Intune license for that.

@Thijs Lecomte thanks for the reply.

But is there a way to have restricted users without Intune? (I just need this feature.)

Using Premium AD for example.

What functionality are you after exactly?

Hello @Thijs Lecomte

What I care about is having users logged into a cloud domain with restricted permissions, like a domain controller with no GPO. I will connect to the computer using TeamViewer and install software using a domain admin user.

Whether a user is a local admin (and can install software) is entirely dependent on the way the device is enrolled - https://microscott.azurewebsites.net/2018/08/31/managing-windows-10-with-intune-the-many-ways-to-enr...

@Thijs Lecomte

OK,

But I want him not to be a local admin,
just as he is not today with my on-premises domain controller.

Check the link I provided: the second column designates whether the user is a local admin when he joins the device to AAD.

Hello @Thijs Lecomte

I am using Azure AD + Intune + Autopilot.

But when the first user logs in, this user will be a local administrator.

You can configure this in the Autopilot profile =>
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-autopilot#create-an-autopilot-depl...
The setting is 'User account type'

Hello @Thijs Lecomte

I did this.

User as Standard user.

But the first user to log on is still going automatically into the local Administrators group.

Then your device isn't going through Autopilot, or your profile isn't assigned correctly.

Hi @Thijs Lecomte

I believe I found the solution. I created an administrative user in my Azure AD and logged on with it first. This user has been placed in the Administrators group. From there, the new users are not administrators, but restricted users. It was very simple to do and I don't need any license for Intune or any other software.
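The thread turns on one fact: on an Azure AD joined device, the account that performs the join (from OOBE or the Settings app) is placed in the local Administrators group, and later sign-ins are standard users unless the Autopilot profile or Intune says otherwise. The script below is an added example, not from this thread or from Microsoft, that lets you verify that state on a device after the "join with a dedicated admin account first" approach: it reads the join state from dsregcmd, lists who is in the built-in Administrators group, and flags any Azure AD identities in it. It assumes a Windows 10/11 device that is Azure AD joined, an elevated PowerShell session with the built-in Microsoft.PowerShell.LocalAccounts module, and the placeholder UPN `user@contoso.example` in the commented-out remediation line is hypothetical.

```powershell
# Added example, not from this thread. Audits which accounts hold local admin
# rights on an Azure AD joined Windows 10/11 device, so you can verify that
# only the intended account (e.g. the one used to join) is in Administrators
# and that later sign-ins landed as standard users. Run elevated.

# 1. Join state, read from the built-in dsregcmd tool.
$joinLine = (dsregcmd /status) | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' }
Write-Host ("Join state : " + ($joinLine -replace '\s+', ' ').Trim())

# 2. Members of the built-in Administrators group, addressed by its well-known
#    SID S-1-5-32-544 so the check works regardless of the display language.
try {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource, SID
} catch {
    # Some Windows PowerShell 5.1 builds fail here when the group holds an
    # Azure AD SID that cannot be resolved locally; fall back to net.exe output.
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup."
    $members = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Trim(); ObjectClass = 'unknown'; PrincipalSource = 'unknown'; SID = $null }
        }
}

$members | Format-Table -AutoSize

# 3. Flag cloud identities. Azure AD users resolve as AzureAD\user@tenant with
#    PrincipalSource = AzureAD; tenant SIDs that do not resolve (S-1-12-1-...)
#    are counted as well, since they are still cloud principals with admin rights.
$cloudAdmins = $members | Where-Object {
    $_.PrincipalSource -eq 'AzureAD' -or $_.Name -like 'AzureAD\*' -or $_.Name -like 'S-1-12-1-*'
}

if ($cloudAdmins) {
    Write-Warning ("Azure AD identities with local admin rights: " + ($cloudAdmins.Name -join ', '))
} else {
    Write-Host "No Azure AD user or group holds local admin rights on this device."
}

# 4. Remediation for one specific user, left commented out. 'user@contoso.example'
#    is a placeholder (hypothetical), not a real account; replace it with the UPN
#    of the account you want demoted to a standard user.
# Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member 'AzureAD\user@contoso.example'
```

Expect to see the joining account (and, depending on tenant roles, entries for the Global Administrator and Azure AD Joined Device Local Administrator roles as unresolved S-1-12-1 SIDs) alongside the built-in local Administrator; any additional AzureAD\ entry is a user who signed in as an admin and should be reviewed. Because the group membership is local to each device, this is a per-machine check, which is exactly the gap that central management via Intune closes.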