Managing Administrators on Azure AD Joined Devices

The Scope of this post is to cover the options you have available as an IT Pro to be able to control who has admin rights on an AAD Joined device. As you are probably aware when a user joins a device to AAD they become an admin of that specific device. If using Autopilot you can use an autopilot profile to provision the device and set the user who enrols to only have standard rights. Note: Global Admins always have admin rights on all AAD Joined devices.

Currently you can Add Additional Administrators to Azure AD Joined devices in the Azure Portal (Azure Active Directory > Devices > Device Settings) Note: This is a tenant wide setting and will apply to all azure ad joined devices.


We also have another option available to us which is to use the “RestrictedGroups” CSP in an Intune Custom Profile. There are two main advantages for using this method:

  1. You can assign the Policy to specific device groups rather than tenant wide.
  2. Any users which you do not include in the policy will be removed from the local administrators group when the policy is applied.

Steps to Implement


  • Under settings choose Add
  • Specify a name i.e. Restricted Groups
  • Specify the OMA-URI – ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
  • Data Type – String
  • Example String –
    <accessgroup desc=”Administrators”>
         <member name=”Administrator” />
         <member name = “AzureAD\” />


You can now assign the profile to the devices which you need.


Local Administrators Group BEFORE the policy is applied


Local Administrators Group AFTER the policy is applied


As you can see this is a great way to control the local administrators group on an Azure AD Joined device. I hope this post was useful, if you would like further information about the RestrictedGroups CSP then see the link below.