Add an Azure AD group to the local administrators group with Microsoft Intune

This is a follow-up to my post about managing the local administrators group on Azure AD joined devices. In that post I showed how the local administrators group on a Windows 10 machine can be managed with Microsoft Intune (Microsoft Endpoint Manager), but I only showed how to add Azure AD user accounts to the administrators group.

But as described in the Microsoft docs, Azure AD groups are supported as well:

The member SID can be a user account or a group in AD, Azure AD, or on the local machine.

Even though this Configuration Service Provider (CSP) policy was added in Windows 10 1809, I wasn't able to get it to work with an AAD group during my previous tests (on Windows 10 1909). But as Microsoft is close to releasing Windows 10 2004, I gave that OS version a try, and with success!

I was able to add an Azure AD group to the local administrators group of an AAD joined device, using the SID.

This is a welcome additional option for managing the local administrators group, as it simplifies managing the group's members.

In this post I show how to add an Azure Active Directory group to the local administrators group.

Some notes to take into account: this policy overwrites the default members of the Administrators group. By default the Global Administrator and Device Administrator (roles) are members of the local Administrators group. If you only want to add a group to the Administrators group and do not want to remove the default members, don't forget to add the Global Administrator and Device Administrator to your policy. And add the local Administrator account to the policy, otherwise it fails.
As these roles are added to the local Administrators group by SID, take note of those SIDs before you overwrite them.

Get the SID of an Azure Active Directory group

The first thing we need is the SID of the Azure Active Directory group. This can be found via the Graph API / Graph Explorer, or by running a PowerShell command which I found on this site.

Using the Graph Explorer it's very easy to find the security identifier.
Query the group using its object ID and the response shows the SID.

An alternative, which I actually used at first when I wasn't aware of the SID in Graph, is running the PowerShell command below.
It converts the object ID (in this case of the AAD group) to a SID.
First connect to Azure AD using PowerShell:
Connect-AzureAD

After that, define the conversion function below:

function Convert-ObjectIdToSid
{
    param([String] $ObjectId)

    # An Azure AD SID is the fixed prefix S-1-12-1 followed by the 16 bytes of the
    # object ID (GUID) read as four 32-bit sub-authorities.
    $d = [UInt32[]]::new(4)
    [Buffer]::BlockCopy([Guid]::Parse($ObjectId).ToByteArray(), 0, $d, 0, 16)
    # $d stringifies as four space-separated numbers; turn the spaces into dashes.
    "S-1-12-1-$d".Replace(' ', '-')
}

Next, run the conversion command. In this example I query all Azure AD groups whose name starts with "Local".

Get-AzureADGroup -SearchString "Local" | ForEach-Object { [pscustomobject] @{ Name = $_.DisplayName; Sid = Convert-ObjectIdToSid -ObjectId $_.ObjectId } }

Note the SID of the group which you want to add to the local administrators group. In my case it's the SID of the group Local_Admins_AAD.
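As an added check that is not part of the original post: the conversion can also be run backwards, which is handy for confirming that the SID you are about to paste into a policy really belongs to the group you intend. The block below reverses the post's Convert-ObjectIdToSid (repeated here so the block runs on its own) and round-trips a constructed object ID; the object ID is made up for the example and is not a real group. The Get-AzureADGroup line at the end shows how the reverse function would be used against a tenant and is the only part that needs Connect-AzureAD.

```powershell
# The post's conversion, repeated so this block runs stand-alone.
function Convert-ObjectIdToSid {
    param([String] $ObjectId)

    $d = [UInt32[]]::new(4)
    [Buffer]::BlockCopy([Guid]::Parse($ObjectId).ToByteArray(), 0, $d, 0, 16)
    "S-1-12-1-$d".Replace(' ', '-')
}

# Reverse direction: an Azure AD SID (S-1-12-1 plus four 32-bit sub-authorities)
# back to the Azure AD object ID it was derived from.
function Convert-SidToObjectId {
    param([Parameter(Mandatory)][String] $Sid)

    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        $d = [UInt32[]]::new(4)
        for ($i = 0; $i -lt 4; $i++) { $d[$i] = [UInt32] $Matches[$i + 1] }

        # The four sub-authorities are the 16 GUID bytes in the same order
        # that [Guid]::ToByteArray() produced them, so copy them straight back.
        $bytes = [byte[]]::new(16)
        [Buffer]::BlockCopy($d, 0, $bytes, 0, 16)
        return [Guid]::new($bytes)
    }
    throw "Not an Azure AD SID (expected S-1-12-1-a-b-c-d): $Sid"
}

# Round-trip check on a constructed object ID (not a real group).
$objectId = 'f1e2d3c4-b5a6-4798-8a9b-0c1d2e3f4a5b'
$sid  = Convert-ObjectIdToSid -ObjectId $objectId
$back = Convert-SidToObjectId -Sid $sid
if ($back -ne [Guid] $objectId) { throw "Round trip failed for $objectId" }
"$objectId -> $sid -> $back"

# A SID that is not an Azure AD SID (here the well-known Administrators group) is rejected.
try { Convert-SidToObjectId -Sid 'S-1-5-32-544' } catch { "Rejected: $($_.Exception.Message)" }

# Live use (requires Connect-AzureAD): resolve a SID from a policy back to its group
# so the display name can be confirmed before the profile is assigned.
# Get-AzureADGroup -ObjectId (Convert-SidToObjectId -Sid 'S-1-12-1-...').ToString() | Select-Object DisplayName, ObjectId
```

Because the SID is nothing more than the GUID bytes, a typo in one digit still produces a syntactically valid SID that points at no group at all; resolving it back to an object ID and looking that up is the cheapest way to catch that before a policy is assigned.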

Configure the Custom Configuration profile

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

In the value field we set which group's membership we want to manage and define the group members.
<accessgroup desc> contains the local group SID or group name.
<member name> contains the group members to add to the local group.

In the example, I add the default members of the group to the policy: the local Administrator account and the Global Administrator and Device Administrator roles (by SID). And I add the SID of my AAD group Local_Admins_AAD.

Enter the information below in the row:
Name: RestrictedGroups – ConfigureGroupMembership
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data Type: String
Value:

<groupmembership>
    <accessgroup desc="Administrators">
        <member name="Administrator" />
        <member name="S-1-12-1-2934938113-1096209395-2588194479-178906382" />
        <member name="S-1-12-1-766653809-1274192161-2093628596-1982031183" />
        <member name="S-1-12-1-3293531080-1078674397-111521436-3834162110" />
    </accessgroup>
</groupmembership>

Click OK (twice) and click Create.

Assign the profile to a security group and you're ready for testing.
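Since the policy replaces the whole membership of the group, the risky mistake is leaving out one of the members the post says must stay in (the local Administrator account and the two role SIDs). The function below, an added example and not part of the post or of Intune, builds the ConfigureGroupMembership value from a member list and refuses to emit it when a required member is missing or a SID is malformed. The three SIDs in it are constructed placeholders, not the ones from the post; take the real role SIDs from the device and the group SID from the previous section. The -AccessGroup parameter takes the group name used in the post or, as one commenter suggests, the well-known SID S-1-5-32-544 of the Administrators group.

```powershell
# Builds the RestrictedGroups/ConfigureGroupMembership value from a member list
# and refuses to emit it if members that keep the device manageable are missing.
function New-GroupMembershipPolicyValue {
    param(
        # Local group to manage: the name used in the post, or its well-known
        # SID S-1-5-32-544 as suggested in the comments.
        [String] $AccessGroup = 'Administrators',
        # The members the group will have after the policy applies (it overwrites the group).
        [Parameter(Mandatory)][String[]] $Member,
        # Members that must be in the list so the default administrators are not removed.
        [String[]] $RequiredMember
    )

    # Anything that starts like a SID must be a well-formed one; names pass through.
    foreach ($m in $Member) {
        if ($m -like 'S-1-*' -and $m -notmatch '^S-1-\d+(-\d+)+$') {
            throw "Malformed SID in member list: $m"
        }
    }
    $missing = @($RequiredMember | Where-Object { $Member -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Policy would remove required member(s): $($missing -join ', ')"
    }

    # Build the XML with the parser rather than string concatenation so names are escaped.
    $xml   = [System.Xml.XmlDocument]::new()
    $root  = $xml.AppendChild($xml.CreateElement('groupmembership'))
    $group = $root.AppendChild($xml.CreateElement('accessgroup'))
    $group.SetAttribute('desc', $AccessGroup)
    foreach ($m in $Member) {
        $el = $group.AppendChild($xml.CreateElement('member'))
        $el.SetAttribute('name', $m)
    }
    # Intune takes the value as one string; OuterXml has no declaration or line breaks.
    $xml.OuterXml
}

# Constructed placeholder SIDs for this example only.
$globalAdminRoleSid = 'S-1-12-1-1000000001-1000000002-1000000003-1000000004'
$deviceAdminRoleSid = 'S-1-12-1-2000000001-2000000002-2000000003-2000000004'
$localAdminsAadSid  = 'S-1-12-1-3000000001-3000000002-3000000003-3000000004'

# The default members the post says must stay in the group.
$defaults = 'Administrator', $globalAdminRoleSid, $deviceAdminRoleSid

$value = New-GroupMembershipPolicyValue -Member ($defaults + $localAdminsAadSid) -RequiredMember $defaults
$value   # paste this string into the Value field of the OMA-URI row

# The same call without the local Administrator account is rejected,
# matching the post's note that the policy fails without it.
try {
    New-GroupMembershipPolicyValue -Member ($globalAdminRoleSid, $deviceAdminRoleSid, $localAdminsAadSid) -RequiredMember $defaults
} catch {
    "Rejected: $($_.Exception.Message)"
}
```

Keeping the member list in a script like this also gives you something to diff when the policy changes later, which a value pasted by hand into the portal does not.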

The end result

The end result is that the default members are still members of the local Administrators group. Besides these accounts and SIDs, we now also see the extra SID of the Azure AD group. This gives the members of the AAD group local administrator rights.
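Checking the end result on the device itself, as an added example that is not part of the post: the function below parses a ConfigureGroupMembership value and compares the members it names with what Get-LocalGroupMember (a standard Windows 10 cmdlet from the Microsoft.PowerShell.LocalAccounts module) reports for the Administrators group, so a policy that silently removed a member, or never applied, shows up as a difference instead of a surprise at the next logon. It is meant to be run in an elevated PowerShell on the Azure AD joined device after the profile has applied; the policy value it checks against is the one from this post.

```powershell
# Compares the live Administrators membership of this device with the members
# named in a ConfigureGroupMembership value.
function Test-LocalAdministratorsPolicy {
    param([Parameter(Mandatory)][String] $PolicyValue)

    # Members the policy asked for. A bare account name such as "Administrator"
    # is resolved to its SID on this device so both sides compare as SID strings.
    [xml] $policy = $PolicyValue
    $expected = foreach ($m in $policy.groupmembership.accessgroup.member) {
        if ($m.name -like 'S-1-*') {
            $m.name
        } else {
            (New-Object System.Security.Principal.NTAccount($m.name)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }

    # Query the group by its well-known SID so a renamed or localized group name
    # does not matter. Azure AD members are listed by SID; the AAD group SID stays
    # unresolved because the device cannot look a cloud group up by name.
    $actual = @((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value)

    [pscustomobject] @{
        Missing    = @($expected | Where-Object { $actual -notcontains $_ })
        Unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
    }
}

# The value from the post, repeated here so the check has something to compare against.
$policyValue = @'
<groupmembership>
    <accessgroup desc="Administrators">
        <member name="Administrator" />
        <member name="S-1-12-1-2934938113-1096209395-2588194479-178906382" />
        <member name="S-1-12-1-766653809-1274192161-2093628596-1982031183" />
        <member name="S-1-12-1-3293531080-1078674397-111521436-3834162110" />
    </accessgroup>
</groupmembership>
'@

$result = Test-LocalAdministratorsPolicy -PolicyValue $policyValue
if ($result.Missing.Count -eq 0 -and $result.Unexpected.Count -eq 0) {
    'Administrators group matches the policy'
} else {
    $result | Format-List
}
```

An entry under Unexpected is not necessarily wrong: the local Administrator account SID ends in -500 and is expected, but any other SID you do not recognise is worth resolving with the reverse conversion from earlier in the post before you decide the policy is behaving.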

That`s it for this blog post. Thank you for reading!




8 Comments

  1. Hi, thx for this post. You wrote this is only for 2004. But which build? I tested it on 19041.207 without luck. Should it work there?

      • strange, it isn’t working on my w10 machine with 10.0.19041.207. I have only applied the “Administrator” and the SID of my Local_Admin Group but not the Global Admin and Device Administrator but this should be no problem right?

        • Have not tested that setup yet. Will give it a try later, but assume that should also work.

          What I have seen is that sometimes if you sign in with an account which is member of the applied group for the first time, the administrator rights are not active. The second time you sign-in, it does work.

  2. Great post Peter.
    I tried this setting on a fresh 10.0.19041.207 build and the policy sort of works.
    The Administrator group will be modified as of my policy, where I, besides the extra group, added Administrator, the Device Administrator role’s SID and the Global Administrator Role’s SID.

    The thing is, after the policy is applied, none of the users are local admin anymore, not the device admins, not the global admins and also not the users in the extra group, so I’m really curious why this does work in your setup and not in mine.

    • I just tried this again, but instead of using the Groupname “Administrators”, I used group SID of the “Administrators” group, since that SID is always the same: S-1-5-32-544

      Now all the users of this group have local admin permissions. 🎉
