cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Technical Takeoff
Nov 27 2023 07:00 AM - Nov 30 2023 11:30 AM (PST)
Microsoft Tech Community
LIVE
Find out more

Linking local admin account to Intune / AD

Louis_H440
Copper Contributor

‎Sep 21 2023 01:17 AM

‎Sep 21 2023 01:17 AM

Linking local admin account to Intune / AD

Hello, 

 

We are in the process of setting up Intune for our organisation and are working on designing the process for enrolling each user's device. Currently, each users' account is set up as a local admin account, and ideally we would find some way to link this to their AD account in intune. 

 

Does anyone know how to accomplish this? Simply enrolling the device via company portal doesn't connect the account it was enrolled from.

 

Thanks in advanced

1,051 Views
0 Likes
8 Replies
Reply
8 Replies
LeonPavesic

‎Sep 21 2023 05:51 AM

‎Sep 21 2023 05:51 AM

Re: Linking local admin account to Intune / AD

Hi @Louis_H440,

To link a local admin account to an AD account in Intune, you can use the following steps:

  1. Create a new user account in Azure AD for the local admin account. The user account must have the same username and password as the local admin account.
  2. Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory.
  3. Once the user account has been synchronized, you can enroll the device in Intune using the company portal.
  4. When the device is enrolled, Intune will create a new user account on the device using the Azure AD user account.
  5. Intune will also add the Azure AD user account to the local administrators group on the device.

Once the device is enrolled and the user account is linked to the AD account, the user will be able to log in to the device using their Azure AD credentials and will have local administrator privileges on the device.

Here are some additional things to keep in mind:

  • You can also use the Microsoft Endpoint Manager Admin Center to link a local admin account to an AD account. To do this, go to Devices > All devices > [Device name] > Account. Under Local admin account, click Link to Azure AD account.
  • If you are using a hybrid Azure AD environment, you must make sure that Azure AD Connect is configured to synchronize user accounts from your on-premises Active Directory to Azure AD.
  • Once a user account is linked to an AD account, the user cannot log in to the device using a local admin account.

    Here are some useful links you can use:
  • Manage local administrators for Azure AD joined devices: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
  • Link a local admin account to an Azure AD account in Intune: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin


    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic

1 Like
Reply
Louis_H440

‎Sep 21 2023 05:56 AM

‎Sep 21 2023 05:56 AM

Re: Linking local admin account to Intune / AD

Thanks for the quick response, @LeonPavesic! I'll test the process and get back to you.

1 Like
Reply
Abdullah_Ollivierre

‎Sep 25 2023 08:56 PM

‎Sep 25 2023 08:56 PM

Re: Linking local admin account to Intune / AD

wait a sec.. "Enable Azure AD Connect to synchronize the new user account to your on-premises Active Directory." can AAD Connect sync a cloud-only user back to on-prem ?
0 Likes
Reply
Abdullah_Ollivierre

‎Sep 25 2023 08:57 PM

‎Sep 25 2023 08:57 PM

Re: Linking local admin account to Intune / AD

so the process of Azure AD connect works only from on-premises to cloud. Whilst it is capable of things like password write back and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD
1 Like
Reply
LeonPavesic

‎Sep 25 2023 11:19 PM

‎Sep 25 2023 11:19 PM

Re: Linking local admin account to Intune / AD

Hi @Abdullah_Ollivierre and @Louis_H440,

@Abdullah_Ollivierre  you are right, there is no way to link an existing local admin account to an AD account in Intune without using a third-party solution, unless you have an on-premises Active Directory environment and you can use Azure AD Connect to synchronize the local admin account to Azure AD (on-prem to cloud)

If you do not have an on-premises Active Directory environment, or if you do not want to use Azure AD Connect, then you will need to use a third-party tool to link the local admin account to the AD account.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic

0 Likes
Reply
rahuljindal-MVP

‎Sep 25 2023 11:29 PM - edited ‎Sep 26 2023 01:33 AM

‎Sep 25 2023 11:29 PM - edited ‎Sep 26 2023 01:33 AM

Re: Linking local admin account to Intune / AD

What is the rationale behind linking existing local admin account for enrolled device in the first place? Users should ideally not be given any admin privileges. If they need the elevation then consider using privilege management tools to do so.

0 Likes
Reply
Louis_H33

‎Sep 26 2023 12:45 AM

‎Sep 26 2023 12:45 AM

Re: Linking local admin account to Intune / AD

@rahuljindal-MVP  Seems people are discussing several different scenarios in this thread. Our specific use case however is migrating from another MDM to Intune. When users' devices are deregistered from the old MDM their accounts are converted to local accounts on the machine.

 

As for a general reason you may want to allow users to have local admin accounts, small company with large proportion of developers who you want to allow some flexibility when it comes to the tools they use 

0 Likes
Reply
rahuljindal-MVP

‎Sep 26 2023 03:54 AM

‎Sep 26 2023 03:54 AM

Re: Linking local admin account to Intune / AD

How are you migrating? As for the elevation of rights, there are multiple ways to address it. A couple of options that comes to my mind are Windows LAPS, EPM, Device admins based leveraging Entra ID roles + PIM, Account protection policies.
0 Likes
Reply