Additional Local Administrators on Azure AD Joined devices with Privileged Identity Management (PIM)


Back in May 2021, I had published a blog post on setting local admin account using different options available in Intune. While the methods covered in the post still hold up, there is another option available natively in Azure that can be used to setup additional local administrators on Azure AD joined devices. The option involves using Additional local administrators on all Azure AD joined devices feature in Azure which I didn't cover at the time because of its limitations. Primary limitation being that the user accounts added as additional local admin, also get added to all AAD joined devices. However, while exploring alternatives to a LAPS like solution for a customer recently, I stumbled upon Azure AD role Azure AD Joined Device Local Administrator. The possibility of using it together with Privileged Identity Management (PIM) within Additional local administrators on all Azure AD joined devices feature intrigued me and I just had to try it out.

Why Azure AD Joined Device Local Administrator role?

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

- The Azure AD global administrator role
- The Azure AD joined device local administrator role
- The user performing the Azure AD join

With the help of Azure AD joined device local administrator role, one can elevate the permissions for the support staff like L2 Service desk temporarily. This can be achieved using Just-in-time capabilities within PIM while ensuring the security best practice of least privilege model is also met. There are some licensing requirements which will need to be considered of course. Namely -

- Azure AD roles can be assigned to the group feature against groups for role assignment will require an Azure AD Premium P1 license. 

- Privileged Identity Management for just-in-time role activation, will need an Azure AD Premium P2 license.

Let's get to setting things up.

Enable Azure AD roles can be assigned to the group feature

If not already enabled, setup a new group containing the list of intended members of the support staff and enable the option Azure AD roles can be assigned to the group, as shown below.


Privileged Identity Management

In order to use Just-in-time access against the members of the Azure AD joined device local administrator role, we will be utilizing PIM to control the assignments. 

1. Navigate to Privileged Identity Management blade in Azure.
2. Click Azure AD roles.
3. Click the Assign Eligibility button and then select Azure AD Joined Device Local Administrator from the list of roles.


4. Select Add Assignments and specify the group holding the list of service desk users who will need access to this role regularly. 

5. Click the Settings button to edit\configure the maximum duration for the role, justification, ticket number and approvers. Tip: Assignments that can be activated without approval might create a security risk from administrators who have a lower level of permissions. It is recommended to use an approval process.

Time to test

A member assigned with the role will request for the access through PIM.

The approver will receive an email and will approve the request providing the justification.



Once approved, the user will get added as an additional local admin in Azure Portal under Device Administrators automatically.


Now according to Microsoft, updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when both the following actions take place:

- Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
- User signs out and signs back in, not lock/unlock, to refresh their profile.

However, in my testing, logged in as a standard user (pilotuser2), I could see that the permissions for the test account pilotuser3 got elevated almost immediately and a new PRT based on UTC time was issued.


You can check for the PRT by running dsregcmd /status. Also notice that PS is running in admin mode and as pilotuser3.


But the same didn't happen when the permissions were revoked by PIM. The permissions only got revoked when the 2 conditions mentioned above were satisfied. This was observed on both Windows 10 and Windows 11 operating systems running latest patched versions.

Another thing to note is that users won't be listed in the local administrator group. The permissions are received through the Primary Refresh Token and initiated by PIM.


Conclusion

If you are ready to live with the delays involving the revoking of the permissions, then I think using Azure AD Joined Device Local Administrator role together with PIM is an excellent way to allow your IT support staff with low level rights to perform elevated tasks. According to Microsoft, fixing these delays is in works so this may very well become a viable solution in addition to LAPS which is supposedly also in works.

Comments

  1. Hi
    This feature is really useful, I noticed there isn't much documented from MS about this feature....Unless I have missed the link

    I wonder if this would work in AVD? We have a number of 'admins' who temporarily need access to install applications within an AVD device, a JIT approach would be great rather than all the time local admin access which goes against the recommended zero trust model.

    The only issue I see is my understanding is if a user is provided this PIM privilege and elevates their access, whilst there are mechanism to add justification, ticket number etc there's nothing stopping that user going to another AADJ device and performing local admin tasks on there. Is that correct? Once allowed it would allow this for all AADJ devices (PHY or VIR)?

    Thanks

    ReplyDelete
    Replies
    1. I haven’t tested on AVD, but have you considered using EPM instead?

      Delete

  2. Impressive Article. Thanks for sharing.
    Azure DevOps Training Online
    Azure DevOps Online Training
    Azure DevOps Online Training in Hyderabad
    Azure DevOps Course Online
    Microsoft Azure DevOps Online Training
    Azure DevOps Training in Hyderabad
    Azure DevOps Training
    Azure DevOps Training in Ameerpet

    ReplyDelete
  3. Great article! You've covered in such an engaging way. I found the part about digital marketing particularly compelling. It aligns with some of the content we've produced atour websites, where we explore digital marketing. Would love to get your feedback!
    Digital Marketing Training In Hyderabad
    Digital Marketing Course In Hyderabad
    Digital Marketing Training In Ameerpet
    Digital Marketing Institute In Hyderabad
    Digital Marketing Online Training In Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Prevent users from running certain programs or applications on Windows endpoints using Intune