AAD Just in time/JIT for Local Administrator group on workstations


Sorry if this is the wrong forum. Happy to move to the correct one if required.

Hi! I'm looking to remove all users from having Local Administrator (hangover from an Azure join) on their workstations. Some users do still require/demand this and I have to be able to cater for this so that the business buy into the change.

My thoughts are to purchase AAD P2 licenses and use Just In Time to grant access to an Azure group that will be within the workstation 'administrators' group. Is this something that anyone has had experience of/has read a blog/question has already been asked and answered please?

1 Reply
Ok, so reviewing my own question and what's available within AAD, this looks more PIM than JIT related. Will need to see if AAD Groups can be updated and not just role membership.