How to Add an Azure AD Group to Your Local Administrator Group: A Step-by-Step Guide

The progression to LocalUsersandGroups policy

From the release of Windows 10 version 20H2, Microsoft suggests using the LocalUsersandGroups policy as a replacement for the RestrictedGroups policy to structure members of Windows local groups, such as Azure AD groups. As per Microsoft, the member Security Identifier (SID) can pertain to a user account, an AD, or an Azure AD group.

I’m inclined not to employ RestrictedGroups because it replaces the standard members of the Administrators group, for instance the Global Administrator and the Device Administrator. It is vital to make sure that these default members are deliberately included into the RestrictedGroups policy while setting it up.

Obtaining the SID of an Azure AD group

We must use the group SID to add or remove Azure AD groups using this policy.

The SID of an Azure AD group can be easily found using

Graph Explorer.

From Azure AD, get the Object ID of the group you want to add and query the group in Graph Explorer to get the SID, as shown below.

https://graph.microsoft.com/v1.0/groups/<ObjectID_of_the_group>

Querying the AAD Group Object ID

There are two ways to add the AAD group to the local admin group: the Custom Configuration Profile or the Account Protection Local Users and Group MDM policy.

Custom Configuration Profile

For method one, follow these steps:

1. Sign in to the Endpoint Manager admin center
2. Navigate to Devices > Windows
3. Create a new Configuration Profile for Windows 10 and later
4. Choose Custom as the profile type
5. Define the configuration settings, including the local group SID, group name, and group members.
6. Assign the profile to a security group with devices
7. Test the configuration

Below is an example configuration that includes default members (local Administrator account, Global Administrator, and Device Administrator with SIDs) and the SID of the AAD group (Local_Admins_AAD).

<groupmembership>
	<accessgroup desc="Administrators">
		<member name="Administrator" />
		<member name="S-1-12-1-1732094191-1225030262-2093628596-1982031183" />		<member name="S-1-12-1-3293531080-1078674397-111521436-3834162110" />		<member name="SID_of_Local_Admins_AAD" />
	</accessgroup>
</groupmembership> 

Account Protection Policy

The account protection method employed in Endpoint security is broken down in the ensuing steps.

1. Sign in to the Endpoint Manager admin center.
2. Proceed to Endpoint Security > Account protection.
3. Select the + symbol, then click on Create Policy to initiate the policy creation process.
4. From Create a profile, designate the following:
   • Platform: Windows 10 or later
   • Profile: Local user group membership
5. Select Create.
6. Key in an appropriate name and a description for the profile and then click on Next.
7. On the Configuration Settings page, there are numerous settings for selection:
8. Local Group: This pertains to the local group you wish to modify. Choose Administrators, as we will add the AAD group to the pre-existing admin group.
9. Group and User Action: This is where the required action is determined. There are three options available:

• • Add (Update)
  • Remove (Update)
  • Add (Replace)
• Here are a few pointers when deciding the best course of action:
  Choose Add (Update) to augment a group by adding members that won’t affect the members already there.
  Opt for Remove (Update) when intending to update a group by taking out members without affecting the ones currently there.
  Choose Add (Replace) when replacing the present group members with the list of members specified in the policy. Any member not specified in the policy will be removed.

8. User Selection Type: Two options are available:

• • Users / Groups: Choose this option to select Azure AD users/group

  • Manual: Choose this option if you want to add the members using the below format:

    • Username

    • DomainUsername

    • SID (Security Identifier)

    In the example below, the Users/Groups option was selected, choosing the EUC Admin group to add to the built-in Administrators group.

9. Click Next, and on the Assignment page, assign the policy to a selected Azure AD group, all users, or all devices based on your requirements. In the test environment, it was selected for all devices. For more granular policy targeting, you also have the option of using Assignment Filters. Click Next.

10. After reviewing the details, click the Create button.

The Result

On the next policy sync, Intune will push the policy to the targeted devices and add the group to the Built-in Administrator local group. To verify the outcome, follow the below steps on one of the targeted devices.

1. Click Start > Run > type lusrmgr.msc to launch Local Users and Groups
2. Click on Groups

   Local Users and Groups

3. Double-click on Administrators. This is how the local Administrator group looks before the policy is applied.

   Before the policy is applied

   After the policy is applied

   Once the policy applies, you can see that a new SID has been added as a member of the Administrator group, thereby granting local admin rights to all group members.

Conclusion

The article outlines a method for adding an Azure Active Directory (Azure AD) group to the local administrators group on Windows 10 and Windows 11 devices, emphasizing the shift to using the LocalUsersandGroups policy for enhanced security and management. It details the process of obtaining the SID for an Azure AD group and incorporating it into either a Custom Configuration Profile or Account Protection Policy via the Endpoint Manager admin center. This approach allows for dynamic management of local administrator privileges, leveraging Azure AD groups to streamline access control on Windows devices.