Additional Local Administrators on Azure AD Joined devices with Privileged Identity Management (PIM)


Back in May 2021, I published a blog post on setting up local admin accounts using the different options available in Intune. The methods covered there still hold up, but there is another option available natively in Azure for setting up additional local administrators on Azure AD joined devices: the Additional local administrators on all Azure AD joined devices feature. I didn't cover it at the time because of its limitations, the main one being that any user added as an additional local admin is added to all Azure AD joined devices in the tenant, not to a particular device. However, while exploring alternatives to a LAPS-like solution for a customer recently, I stumbled upon the Azure AD role Azure AD Joined Device Local Administrator. The possibility of using it together with Privileged Identity Management (PIM) behind the Additional local administrators on all Azure AD joined devices feature intrigued me, and I just had to try it out.

Why Azure AD Joined Device Local Administrator role?

When you connect a Windows device to Azure AD using an Azure AD join, Azure AD adds the following security principals to the local Administrators group on the device:

- The Azure AD global administrator role
- The Azure AD joined device local administrator role
- The user performing the Azure AD join

With the Azure AD joined device local administrator role, support staff such as an L2 service desk can be granted local admin rights temporarily, using the just-in-time capabilities of PIM, while the least-privilege principle still holds: staff run as standard users and hold admin rights only for the duration of an approved activation. Keep in mind that, like the first two principals above, the role applies to every Azure AD joined device in the tenant rather than to a specific device. There are some licensing requirements to consider, namely:

- Role-assignable groups (the Azure AD roles can be assigned to the group option) require an Azure AD Premium P1 license.

- Privileged Identity Management, for just-in-time role activation, requires an Azure AD Premium P2 license.

Let's get to setting things up.

Enable Azure AD roles can be assigned to the group feature

If you don't already have one, create a new security group containing the intended support staff members and enable the option Azure AD roles can be assigned to the group, as shown below. Note that this option can only be selected while the group is being created (it cannot be switched on afterwards), and a role-assignable group must use assigned rather than dynamic membership.


Privileged Identity Management

To provide just-in-time access for the members of the Azure AD joined device local administrator role, we will use PIM to control the assignments.

1. Navigate to Privileged Identity Management blade in Azure.
2. Click Azure AD roles.
3. Click the Assign Eligibility button and then select Azure AD Joined Device Local Administrator from the list of roles.


4. Select Add Assignments and specify the group holding the service desk users who will need this role regularly. Assign the group as Eligible rather than Active, so that members have to activate the role through PIM each time they need it.

5. Click the Settings button to configure the role settings: the maximum activation duration, whether a justification and ticket number are required, and who approves activations. Tip: assignments that can be activated without approval create a risk when the eligible users otherwise hold lower-level permissions. It is recommended to require approval.
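The same setup (role-assignable group, members, and the eligible PIM assignment from steps 1 to 4) can be scripted with Microsoft Graph PowerShell. This is an added example, not code from the original post; the group name, mail nickname, UPNs and the one-year eligibility duration are placeholders, and it must be run by a Privileged Role Administrator or Global Administrator.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module is installed.
# Group name, nickname, UPNs and durations below are placeholders for your own values.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "RoleManagement.ReadWrite.Directory"

# 1. Role-assignable security group. IsAssignableToRole can only be set at creation time,
#    and a role-assignable group must use assigned (not dynamic) membership.
$group = New-MgGroup -DisplayName "SD-L2-LocalAdmin-Eligible" `
    -Description "Service desk staff eligible for Azure AD Joined Device Local Administrator via PIM" `
    -MailEnabled:$false -MailNickname "sd-l2-localadmin" `
    -SecurityEnabled -IsAssignableToRole

# 2. Add the service desk members (placeholder UPNs).
foreach ($upn in "pilotuser3@contoso.com") {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# 3. Look the role up by display name rather than hard-coding its template ID.
#    Tenants that have picked up the Entra rename list it as
#    "Microsoft Entra Joined Device Local Administrator"; adjust the filter if nothing is returned.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Azure AD Joined Device Local Administrator'"
if (-not $role) { throw "Role definition not found; check the role display name in this tenant." }

# 4. Make the group ELIGIBLE (not permanently active) for the role at tenant scope ("/")
#    for one year. Members still have to activate through PIM, which is the whole point.
$params = @{
    Action           = "adminAssign"
    Justification    = "JIT local admin for L2 service desk"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $group.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest @params

# 5. Confirm the eligibility exists for the group.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($group.Id)'"
```

The role settings from step 5 (maximum activation duration, required justification and ticket, approvers) are not set by this script; configure them in the PIM blade as described above, since an eligibility without an approval requirement lets any group member self-activate.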

Time to test

A member of the eligible group requests activation of the role through PIM, supplying the justification and ticket number that the role settings require.

The approver receives an email and approves the request, providing a justification for the approval.



Once approved, the user automatically appears as an additional local admin in the Azure portal under Device Administrators.
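The activation request above can also be submitted by the eligible user from PowerShell instead of the PIM blade, which is handy for scripted service desk tooling and for seeing the request status while an approver decides. This is an added example, not from the original post; the justification, ticket number, ticket system and two-hour activation window are placeholders, and the user runs it signed in as themselves.

```powershell
# Added example (not from the original post). Run as the eligible user (pilotuser3 in the post).
# Justification, ticket details and the PT2H window are placeholders; the window must not
# exceed the maximum activation duration configured in the role settings.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"

$meUpn = (Get-MgContext).Account
$meId  = (Get-MgUser -UserId $meUpn).Id
$role  = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Azure AD Joined Device Local Administrator'"

$params = @{
    Action           = "selfActivate"
    PrincipalId      = $meId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Install printer driver on user's laptop"
    TicketInfo       = @{ TicketNumber = "INC0012345"; TicketSystem = "ServiceNow" }
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest @params

# With approval required (as recommended above) the request sits at PendingApproval
# until the approver acts; without approval it goes straight to Provisioned.
$request.Status

# Once approved, the active assignment instance is visible to the user.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'"
```

An active assignment in Azure AD is not the same as admin rights on the device; as the next section shows, the device only picks the change up once a new Primary Refresh Token has been issued and the user has signed in again.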


Now, according to Microsoft, updating the device administrator role doesn't necessarily have an immediate effect on the affected users. On devices where the user is already signed in, the privilege elevation takes place only when both of the following have happened:

- Up to 4 hours have passed, for Azure AD to issue a new Primary Refresh Token (PRT) with the appropriate privileges.
- The user signs out and signs back in (lock/unlock is not enough) to refresh their profile.

However, in my testing, while logged in as a standard user (pilotuser2), I could see that the permissions for the test account pilotuser3 were elevated almost immediately, and a new PRT, timestamped in UTC, was issued.


You can check for the PRT by running dsregcmd /status. Also notice that PowerShell is running elevated, as pilotuser3.


But the same did not happen when the permissions were revoked by PIM: the rights were only removed once the two conditions above were met. I observed this on both Windows 10 and Windows 11 running the latest patched versions. In practice this means the PIM activation window bounds when a user can obtain local admin rights, but rights already present in a signed-in session persist until a new PRT is issued and the user signs in again, so a short activation duration does not by itself guarantee a short window of local admin on the device.

Another thing to note is that the user is never listed as a member of the local Administrators group. The group holds the SID of the Azure AD joined device local administrator role, and whether a given user is treated as a member is decided from the claims in their Primary Refresh Token at sign-in; PIM changes those claims, not the group.
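Because the rights live in the token rather than in the group, the useful checks on the device are the PRT refresh time, the groups in the current logon token, and the contents of the local Administrators group. The following is an added example, not from the original post, that pulls those three together; it assumes it is run in the session of the eligible user (pilotuser3 in the post), from a non-elevated PowerShell window, after a full sign-out and sign-in.

```powershell
# Added example (not from the original post). Run as the eligible user, NOT elevated,
# after signing out and back in. Field names come from dsregcmd /status and whoami output.

# 1. Join state and PRT details. AzureAdPrtUpdateTime is when the PRT was last refreshed;
#    a role change only reaches the device once a new PRT has been issued and the user
#    has signed in again (lock/unlock does not count).
$wanted = "AzureAdJoined", "AzureAdPrt", "AzureAdPrtUpdateTime", "AzureAdPrtExpiryTime"
$prt = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
        $prt[$Matches[1]] = $Matches[2]
    }
}
$prt

# 2. Is BUILTIN\Administrators (S-1-5-32-544) in the current logon token? In a non-elevated
#    session UAC marks it "Group used for deny only"; it is still the proof that the new
#    PRT carried the role. If the row is missing, the device has not picked the change up yet.
$adminRow = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -eq 'S-1-5-32-544'
if (-not $adminRow) {
    "Administrators not in token: PRT not yet reissued, or no fresh sign-in since activation."
} elseif ($adminRow.Attributes -match 'deny only') {
    "Administrators in token (UAC-filtered): this user can elevate on this device."
} else {
    "Running with an elevated token as $env:USERNAME."
}

# 3. The local group itself never lists the user, only role SIDs (S-1-12-1-...) and local
#    accounts. net localgroup is used because Get-LocalGroupMember can fail on unresolvable
#    Azure AD SIDs on some builds.
net localgroup Administrators
```

Run step 2 again after the PIM activation expires or is revoked: as described above, the Administrators row stays in the token until a new PRT is issued and the user signs out and back in, which is the revocation delay the conclusion refers to.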


Conclusion

If you can live with the delays in revoking the permissions, then I think using the Azure AD Joined Device Local Administrator role together with PIM is an excellent way to let IT support staff who normally hold low-level rights perform elevated tasks. According to Microsoft, a fix for these delays is in the works, so this may well become a viable option alongside LAPS, which is supposedly also in the works.

Comments

  1. Hi
    This feature is really useful. I noticed there isn't much documented from MS about this feature... unless I have missed the link.

    I wonder if this would work in AVD? We have a number of 'admins' who temporarily need access to install applications within an AVD device, and a JIT approach would be great rather than all-the-time local admin access, which goes against the recommended zero trust model.

    The only issue I see is that, to my understanding, if a user is provided this PIM privilege and elevates their access, then whilst there are mechanisms to add a justification, ticket number etc., there's nothing stopping that user going to another AADJ device and performing local admin tasks on there. Is that correct? Once allowed, it would allow this for all AADJ devices (physical or virtual)?

    Thanks

    1. I haven’t tested on AVD, but have you considered using EPM instead?

