Forum Discussion

underQualifried
Iron Contributor
Apr 22, 2026

'Registering user becomes local admin on Joined Devices' - WHAT

Stumbled on a tenant with 'JOIN' available for all users. Haven't worked with this much - most tenants I see only have registration. But then I noticed the horrifying 'Registering user is added as local administrator on the device during Microsoft Entra join' option was ALSO set to ALL.

This is a tenant we just took on, but I've never seen that control before. This is terrifying, considering AFAIK, there is no real way for a registering user to know if they're registering or joining. Beneath it is an option to 'Manage Additional local administrators on all Microsoft Entra joined devices', which leads to the Role page for Device Administrators, which is empty.

Under Description, this describes what APPEARS to be the same thing mentioned in the previous control - 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'. But no one is assigned this.

Conveniently, on my own tenant, I happened to let someone JOIN yesterday. We have this limited to 2 (now 3) people - most just register... But this user Joined, and the 'Joining user becomes local admin' option was on ALL. But I can't validate that the user ever became local admin. They don't have the role, their device shows as joined, but there are no additional roles. The audit logs don't look weird. They're not in that 'Device Administrators' group, which describes itself as 'Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra'.


Thoughts? Freaking out, honestly. We have a mix of DC and Cloud users. I've inherited them all, and had the understanding that Join was essentially registration but with Org ownership. I've tried to get some input from Copilot, but he has basically waffled between 'No, this setting is just badly named' and 'no, actually it's this other setting' and 'no, you know what, it all makes sense somehow'.


1. Does that option actually set the joining user as global admin? Is that really the default setting?

2. Can you validate this ANYWHERE in Entra? Or does it just disappear?

3. What is that Device Admin group? A separate group, independent of these two settings, that gives local admin?

4. Is there a Graph endpoint that can be used to set this?


Thanks


2 Replies

  • Hello underQualifried

    The setting (“Registering user is added as local administrator…”) does not make the user a Global Administrator or grant any role in Microsoft Entra ID. What it does is very specific: when a user performs a Microsoft Entra Join on a device, they are added as a local administrator on that device only. This does not show up as a role assignment in Entra, it does not appear under “Device Administrators,” and it typically does not generate audit log entries as a role change.

    The reason you can’t validate this in the portal is exactly that: this is not a directory permission, but a change applied directly on the Windows device at the time of the join. The only reliable way to confirm it is on the device itself, by checking the local Administrators group (for example, using Get-LocalGroupMember -Group "Administrators").

    As for “Device Administrators,” that is a completely separate concept. This Entra role grants local administrator rights on all Entra-joined devices in a centralized and governable way (including support for PIM). In contrast, the setting you encountered applies only at the moment of join and only to that specific device.

    That said, your concern is valid. If the environment allows all users to perform Entra Join and this option is set to “All,” then any user can join a device (including a personal one) and automatically become a local administrator on that machine. This does not impact directory privileges directly, but it does introduce risk in BYOD scenarios and reduces endpoint governance.

    In summary, the naming is more alarming than the actual behavior. It does not grant Entra privileges; it simply assigns a local Windows permission at join time. From a security standpoint, it is recommended to restrict who can perform Entra Join and consider setting this option to “None,” managing administrative access instead through Intune and appropriate roles.


    Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin

  • They are added as local admin on the device, not in Entra/M365. In other words, they will be added to the Administrators local group on the machine they performed the join with (you can confirm this under Local Users and Groups > Groups > Administrators). Nothing else.
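Both replies point at the same place to verify the behaviour: the local Administrators group on the joined device itself, not anything in the Entra portal. The script below is an added example (not code from either reply or from Microsoft) that does that check from an elevated PowerShell session on the device. It assumes a Windows 10/11 machine with the built-in Microsoft.PowerShell.LocalAccounts module and the dsregcmd tool, relies on the fact that Entra ID principals carry SIDs under the S-1-12-1- prefix, and assumes that a member whose name could not be resolved is shown with its SID as the name (an assumption about the cmdlet's output, used only to label the row).

```powershell
# Added example: audit the local Administrators group on a Windows device for
# members that came from Microsoft Entra ID. Run elevated on the device in
# question. Nothing here queries the tenant; the join-time local-admin grant
# only exists on the machine, which is why the portal cannot show it.

function Get-EntraJoinState {
    # dsregcmd /status prints a line "AzureAdJoined : YES" on an Entra-joined
    # device and "AzureAdJoined : NO" on a merely registered or workgroup one.
    $status = dsregcmd /status
    $joined = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $registered = [bool]($status | Select-String -Pattern '^\s*WorkplaceJoined\s*:\s*YES' -Quiet)
    [pscustomobject]@{
        AzureAdJoined   = $joined
        WorkplaceJoined = $registered   # "registered" in portal terms
    }
}

function Get-EntraLocalAdmins {
    # Entra ID users and directory roles are mapped to SIDs under S-1-12-1-.
    # The built-in Administrators group on a joined device normally contains
    # two such SIDs for Entra roles (one for Global Administrator, one for the
    # role that grants local admin on all joined devices) plus, if the tenant
    # setting discussed above is on, the SID of the user who performed the join.
    $entraPrefix = 'S-1-12-1-*'
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid = $_.SID.Value
        $isEntra = $sid -like $entraPrefix
        # Assumption: an unresolvable member is displayed with its SID as Name.
        $unresolved = ($_.Name -eq $sid)
        $kind = if (-not $isEntra) {
            'Local or AD principal'
        } elseif ($unresolved) {
            'Entra role SID (applies to every member of that directory role)'
        } else {
            'Entra user (added at join or by device policy)'
        }
        [pscustomobject]@{
            Name            = $_.Name
            SID             = $sid
            PrincipalSource = $_.PrincipalSource
            IsEntra         = $isEntra
            Kind            = $kind
        }
    }
}

# Usage: show the join state, then every Entra-sourced admin on this box.
# A named Entra user in this list is the concrete evidence the original
# poster was looking for; a role SID alone means only role holders get admin.
$state = Get-EntraJoinState
$state | Format-List

$admins = Get-EntraLocalAdmins
$admins | Format-Table -AutoSize

$users = $admins | Where-Object { $_.IsEntra -and $_.Kind -like 'Entra user*' }
if ($state.AzureAdJoined -and $users) {
    Write-Warning ("Entra-joined device with {0} Entra user(s) in local Administrators: {1}" -f
        $users.Count, (($users | ForEach-Object Name) -join ', '))
} elseif ($state.AzureAdJoined) {
    Write-Host 'Entra-joined; no individual Entra users in local Administrators (roles only).'
} else {
    Write-Host 'Not Entra-joined; the join-time local admin setting does not apply here.'
}
```

Because the grant lives only in the device's local SAM, the same check has to be repeated per machine (for example via an Intune PowerShell script or a remediation that reports the output), which is the practical reason the first reply recommends turning the option to None and managing local admins centrally instead.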