Conversation

@praneeth-0000
Collaborator

@praneeth-0000 praneeth-0000 commented Dec 15, 2025

Rewrote the assessment logic as per new spec

  • Pass Scenario (screenshot not included)
  • Fail Scenario (screenshot not included)
  • Skip Scenario (when an Intune license is present) (screenshot not included)

Closes #678

@praneeth-0000 praneeth-0000 self-assigned this Dec 15, 2025
@praneeth-0000 praneeth-0000 added the enhancement New feature or request label Dec 15, 2025
@alexandair
Collaborator

@merill @ramical
If I understand the article in Remediation action section correctly, it's recommended to use Intune method and leave the tenant-wide role empty.

You can use Microsoft Entra groups to manage administrator privileges on Microsoft Entra joined devices with the Local Users and Groups mobile device management (MDM) policy. This policy allows you to assign individual users or Microsoft Entra groups to the local administrators group on a Microsoft Entra joined device, providing you with the granularity to configure distinct administrators for different groups of devices.
Organizations can use Intune to manage these policies using Custom OMA-URI Settings or Account protection policy.

The current test fails organizations that implemented this recommendation.

Collaborator

@alexandair alexandair left a comment

Left the comment for @merill and @ramical to confirm if the spec is correct.

Collaborator

@ramical ramical left a comment

Added a couple of comments. Once you address, pls check in

@alexandair
Collaborator

@merill @ramical If I understand the article in Remediation action section correctly, it's recommended to use Intune method and leave the tenant-wide role empty.

You can use Microsoft Entra groups to manage administrator privileges on Microsoft Entra joined devices with the Local Users and Groups mobile device management (MDM) policy. This policy allows you to assign individual users or Microsoft Entra groups to the local administrators group on a Microsoft Entra joined device, providing you with the granularity to configure distinct administrators for different groups of devices.
Organizations can use Intune to manage these policies using Custom OMA-URI Settings or Account protection policy.

The current test fails organizations that implemented this recommendation.

@ramical Any comment on this?

@ramical
Collaborator

ramical commented Dec 18, 2025

Fair point and thanks for connecting the dots. This is a great cross-pillar scenario where we can use some advice from our Intune specialist. @Clay-Microsoft wondering if you can weigh in? From Entra, we have a policy plane to inject local admins to Entra devices and it seems that Intune does too. So what's the best practice here?

@SagarSathe
Collaborator

Fair point and thanks for connecting the dots. This is a great cross-pillar scenario where we can use some advice from our Intune specialist. @Clay-Microsoft wondering if you can weigh in? From Entra, we have a policy plane to inject local admins to Entra devices and it seems that Intune does too. So what's the best practice here?

@Clay-Microsoft - Need your inputs on this.

@SagarSathe
Collaborator

Response from Clay - "Account protection policies via Intune are generally the preferred and better path. That is what we recommend."

Contributor

Copilot AI left a comment

Pull request overview

This PR rewrites the assessment logic for Test-Assessment.21955 to check if local administrators on Microsoft Entra joined devices are properly managed by querying role assignments from the database instead of querying a device registration policy API endpoint.

Changes:

  • Replaced Graph API policy check with database query for Microsoft Entra Joined Device Local Administrator role assignments
  • Added detailed reporting tables showing active (permanent) and eligible role assignments with user/group details
  • Updated documentation to provide more comprehensive security threat context

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: src/powershell/tests/Test-Assessment.21955.ps1
Description: Rewrote assessment logic to query the vwRole database view for role assignments instead of the device registration policy; added detailed reporting with tables for permanent and eligible members

File: src/powershell/tests/Test-Assessment.21955.md
Description: Expanded threat description with a detailed attack scenario explanation; updated documentation link

Collaborator

@alexandair alexandair left a comment

@praneeth-0000 Please address my feedback.

@alexandair alexandair self-requested a review February 5, 2026 22:50
Collaborator

@alexandair alexandair left a comment

@praneeth-0000 Please address my feedback.

Collaborator

@alexandair alexandair left a comment

LGTM

@merill
Collaborator

merill commented Feb 13, 2026

After discussing with @ramical and @KalwaniRavi we've decided to make one more change to this test.

If the tenant has any Intune licenses, this test should be Skipped with the reason 'Not applicable for tenants with Intune'. This is because the other Intune test 'Local account usage on Windows is restricted to reduce unauthorized access' handles the scenario.
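As an added illustration of the outcome logic discussed in this thread (this is not the project's Test-Assessment.21955.ps1): skip when any Intune license is present, otherwise report the active and eligible members of the Microsoft Entra Joined Device Local Administrator role. The input shapes, the INTUNE_* service-plan check and the rule that an empty tenant-wide role passes are assumptions made for the example.

```powershell
# Added illustration, not the project's Test-Assessment.21955.ps1.
# Input shapes, the INTUNE_* service-plan check and the pass rule are assumptions.
function Get-LocalAdminRoleAssessment {
    [CmdletBinding()]
    param(
        # Subscribed SKUs in the shape of Graph /subscribedSkus (ServicePlans with ServicePlanName)
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $SubscribedSkus,
        # Role assignment rows: RoleName, AssignmentType ('Active' or 'Eligible'),
        # PrincipalType, PrincipalDisplayName (stand-in for rows from the vwRole view)
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $RoleAssignments
    )

    # Skip rule from the thread: any Intune license makes this test not applicable,
    # because the Intune test on local account usage already covers the scenario.
    $intunePlan = $SubscribedSkus |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -like 'INTUNE_*' -and $_.ProvisioningStatus -eq 'Success' } |
        Select-Object -First 1
    if ($intunePlan) {
        return [pscustomobject]@{ Result = 'Skipped'; Reason = 'Not applicable for tenants with Intune'
                                  Active = @(); Eligible = @() }
    }

    $roleName = 'Microsoft Entra Joined Device Local Administrator'
    $members  = @($RoleAssignments | Where-Object RoleName -eq $roleName)
    $active   = @($members | Where-Object AssignmentType -eq 'Active')
    $eligible = @($members | Where-Object AssignmentType -eq 'Eligible')

    # Assumed pass rule: the tenant-wide role is left empty (the remediation reading in this thread);
    # every active or eligible member is reported so the reviewer can see who holds local admin.
    $result = if ($members.Count -eq 0) { 'Passed' } else { 'Failed' }
    [pscustomobject]@{ Result = $result; Active = $active; Eligible = $eligible
                       Reason = "$($active.Count) active, $($eligible.Count) eligible member(s)" }
}

# Constructed sample input (not real tenant data): no Intune plan, two role members
$skus = @([pscustomobject]@{ SkuPartNumber = 'ENTERPRISEPACK'; ServicePlans = @(
            [pscustomobject]@{ ServicePlanName = 'EXCHANGE_S_ENTERPRISE'; ProvisioningStatus = 'Success' }) })
$rows = @(
    [pscustomobject]@{ RoleName = 'Microsoft Entra Joined Device Local Administrator'; AssignmentType = 'Active'
                       PrincipalType = 'Group'; PrincipalDisplayName = 'Helpdesk Admins' }
    [pscustomobject]@{ RoleName = 'Microsoft Entra Joined Device Local Administrator'; AssignmentType = 'Eligible'
                       PrincipalType = 'User'; PrincipalDisplayName = 'Alex Wilber' }
    [pscustomobject]@{ RoleName = 'Global Administrator'; AssignmentType = 'Active'
                       PrincipalType = 'User'; PrincipalDisplayName = 'Tenant Admin' }
)
$r = Get-LocalAdminRoleAssessment -SubscribedSkus $skus -RoleAssignments $rows
"$($r.Result): $($r.Reason)"
$r.Active + $r.Eligible | Format-Table PrincipalType, PrincipalDisplayName, AssignmentType
```

Adding an Intune service plan (for example one named INTUNE_A) to the constructed SKU list switches the result to Skipped without evaluating the role members.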

Development

Successfully merging this pull request may close these issues.

Wrong Recommendation (Manage the local administrators on Microsoft Entra joined devices)