Zehadi Alam
Introduction
To simplify and centralize the management of local administrators across devices, organizations can leverage Azure Active Directory security groups. By adding an Azure AD security group to the local Administrators group on Windows devices, any users that are members of the Azure AD group will gain local admin rights when signing in. The following section demonstrates the process of configuring and deploying a local user group membership policy within the Intune environment.
Implementation
Navigate to Endpoint Security > Account Protection
Select Create Policy

Select Windows 10 and later for Platform and Local user group membership for Profile. Click Create at the bottom.

Select Administrators for Local group, Add (Update) for Group and user action, and User/Groups for User selection type. Next, select the Azure security group containing the users who are to be local administrators. This should be the group containing the Z-Accounts that are used to sign in to Intune.

Once the configurations have been established, proceed through the remaining steps and assign the policy to the appropriate device groups. Carefully review the policy settings before finalizing its creation.
After the policy has been successfully applied to the targeted devices, any user within the Azure security group can sign in to the device and exercise local admin rights. This is not applicable for devices that are hybrid Azure AD joined.
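To confirm on a targeted device that the policy took effect, the following added example (not part of the original post) derives the SID that Windows stores for an Azure AD group from its Object ID and checks the local Administrators group for it. The function names and the placeholder Object ID are assumptions made for illustration.

```powershell
# Added example: verify that the Azure AD security group from the policy
# is a member of the local Administrators group on this device.
param(
    # Object ID of the Azure AD security group selected in the policy.
    # Constructed placeholder; replace it with your group's Object ID.
    [guid]$GroupObjectId = '00000000-0000-0000-0000-000000000000'
)

function Convert-AadObjectIdToSid {
    # Azure AD principals appear locally as S-1-12-1-<a>-<b>-<c>-<d>, where
    # a..d are the GUID's 16 bytes read as four little-endian UInt32 values.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = foreach ($i in 0..3) { [BitConverter]::ToUInt32($bytes, $i * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

function Get-LocalAdministratorSid {
    # Resolve the group name from its well-known SID so this also works on
    # localized Windows builds, then read each member's SID through ADSI.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://./$adminName,group"
    foreach ($member in $group.Invoke('Members')) {
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0).Value
    }
}

$expectedSid = Convert-AadObjectIdToSid -ObjectId $GroupObjectId
$memberSids  = @(Get-LocalAdministratorSid)

if ($memberSids -contains $expectedSid) {
    Write-Output "OK: $expectedSid is in local Administrators."
} else {
    Write-Warning "$expectedSid is NOT in local Administrators; check policy assignment and sync."
}

# List every Azure AD principal holding local admin rights on this device,
# so entries other than the intended group can be reviewed.
$memberSids | Where-Object { $_ -like 'S-1-12-1-*' }
```

Membership is read through ADSI and compared by SID because Azure AD groups are stored in the local group as SIDs rather than resolvable names.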