Linking local admin account to Intune / AD


Hello, 


We are in the process of setting up Intune for our organisation and are working on designing the process for enrolling each user's device. Currently, each user's account is set up as a local admin account, and ideally we would find some way to link this to their AD account in Intune.


Does anyone know how to accomplish this? Simply enrolling the device via company portal doesn't connect the account it was enrolled from.


Thanks in advance

8 Replies

Hi @Louis_H440,

To link a local admin account to an AD account in Intune, you can use the following steps:

  1. Create a new user account in Azure AD for the local admin account. The user account must have the same username and password as the local admin account.
  2. Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory.
  3. Once the user account has been synchronized, you can enroll the device in Intune using the company portal.
  4. When the device is enrolled, Intune will create a new user account on the device using the Azure AD user account.
  5. Intune will also add the Azure AD user account to the local administrators group on the device.

Once the device is enrolled and the user account is linked to the AD account, the user will be able to log in to the device using their Azure AD credentials and will have local administrator privileges on the device.

Here are some additional things to keep in mind:

  • You can also use the Microsoft Endpoint Manager Admin Center to link a local admin account to an AD account. To do this, go to Devices > All devices > [Device name] > Account. Under Local admin account, click Link to Azure AD account.
  • If you are using a hybrid Azure AD environment, you must make sure that Azure AD Connect is configured to synchronize user accounts from your on-premises Active Directory to Azure AD.
  • Once a user account is linked to an AD account, the user cannot log in to the device using a local admin account.

Here are some useful links you can use:

  • Manage local administrators for Azure AD joined devices: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
  • Link a local admin account to an Azure AD account in Intune: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it a Like.

Kindest regards,

Leon Pavesic

Thanks for the quick response, @LeonPavesic! I'll test the process and get back to you.

Wait a sec... "Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory." Can AAD Connect sync a cloud-only user back to on-prem?
So the process of Azure AD Connect works only from on-premises to cloud. Whilst it is capable of things like password writeback and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.

Hi @Abdullah_Ollivierre and @Louis_H440,

@Abdullah_Ollivierre, you are right: there is no way to link an existing local admin account to an AD account in Intune without using a third-party solution, unless you have an on-premises Active Directory environment and you can use Azure AD Connect to synchronize the local admin account to Azure AD (on-prem to cloud).

If you do not have an on-premises Active Directory environment, or if you do not want to use Azure AD Connect, then you will need to use a third-party tool to link the local admin account to the AD account.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it a Like.

Kindest regards,

Leon Pavesic

What is the rationale behind linking existing local admin account for enrolled device in the first place? Users should ideally not be given any admin privileges. If they need the elevation then consider using privilege management tools to do so.

@rahuljindal-MVP Seems people are discussing several different scenarios in this thread. Our specific use case, however, is migrating from another MDM to Intune. When users' devices are deregistered from the old MDM, their accounts are converted to local accounts on the machine.


As for a general reason you may want to allow users to have local admin accounts: a small company with a large proportion of developers, who you want to allow some flexibility when it comes to the tools they use.

How are you migrating? As for the elevation of rights, there are multiple ways to address it. A couple of options that come to my mind are Windows LAPS, EPM, device admins leveraging Entra ID roles + PIM, and Account protection policies.
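An added PowerShell example for the migration case described in this thread (it is not code from any of the posters or from Microsoft): after the old MDM has converted user accounts to local ones, it audits who actually holds membership in the local Administrators group and separates leftover local accounts from Entra ID (Azure AD) principals and the built-in Administrator that Windows LAPS would manage. The allow-list entry is an assumed placeholder; replace it with the principals your tenant expects.

```powershell
# Added example: audit local Administrators membership on a Windows 10/11 device
# after an MDM migration. Run from an elevated PowerShell session on the device.

# Hypothetical allow-list of principals expected to hold local admin (placeholder
# value; on an Entra-joined device the Name is reported as AzureAD\user@tenant).
$ExpectedAdmins = @('AzureAD\admin@contoso.example')

function Get-LocalAdminAudit {
    param(
        [string[]]$Expected = $ExpectedAdmins
    )
    # Get-LocalGroupMember returns Name, ObjectClass, PrincipalSource
    # (Local, ActiveDirectory, AzureAD or MicrosoftAccount) and SID for each member.
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            # Entra ID users and groups carry SIDs under the S-1-12-1- prefix
            IsEntraId       = ($m.SID.Value -like 'S-1-12-1-*')
            # The built-in local Administrator has RID 500; this is the account
            # Windows LAPS rotates, so it is not a "leftover" user account
            IsBuiltInAdmin  = ($m.SID.Value -like 'S-1-5-21-*-500')
            Expected        = ($Expected -contains $m.Name)
        }
    }
}

$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize

# Leftover local (non-built-in) accounts are the ones the previous MDM converted;
# these are the candidates to replace with an Entra ID principal or an EPM rule.
$leftover = $audit | Where-Object { $_.PrincipalSource -eq 'Local' -and -not $_.IsBuiltInAdmin }
if ($leftover) {
    Write-Warning ("Local accounts still in Administrators: " + ($leftover.Name -join ', '))
}

# Anything not on the allow-list and not the built-in Administrator is unexpected.
$unexpected = $audit | Where-Object { -not $_.Expected -and -not $_.IsBuiltInAdmin }
if ($unexpected) {
    Write-Warning ("Unexpected admin principals: " + ($unexpected.Name -join ', '))
}
```

On some builds Get-LocalGroupMember throws when the group contains an orphaned SID that can no longer be resolved; in that case `net localgroup Administrators` still lists the members and the orphaned entry itself is worth cleaning up.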