@merill @ramical
If I understand the article in Remediation action section correctly, it's recommended to use Intune method and leave the tenant-wide role empty.

You can use Microsoft Entra groups to manage administrator privileges on Microsoft Entra joined devices with the Local Users and Groups mobile device management (MDM) policy. This policy allows you to assign individual users or Microsoft Entra groups to the local administrators group on a Microsoft Entra joined device, providing you with the granularity to configure distinct administrators for different groups of devices.
Organizations can use Intune to manage these policies using Custom OMA-URI Settings or Account protection policy.

The current test fails organizations that implemented this recommendation.

@merill @ramical If I understand the article in Remediation action section correctly, it's recommended to use Intune method and leave the tenant-wide role empty.

You can use Microsoft Entra groups to manage administrator privileges on Microsoft Entra joined devices with the Local Users and Groups mobile device management (MDM) policy. This policy allows you to assign individual users or Microsoft Entra groups to the local administrators group on a Microsoft Entra joined device, providing you with the granularity to configure distinct administrators for different groups of devices.
Organizations can use Intune to manage these policies using Custom OMA-URI Settings or Account protection policy.

The current test fails organizations that implemented this recommendation.

@ramical Any comment on this?

Fair point and thanks for connecting the dogts. This is a great cross-pillar scenario where we can use some advice from our Intune specialist. @Clay-Microsoft wondering if you can weigh in? From Entra, we have policy plane to inject local admins to entra devices and seems that intune does too. So what's the best practice here?

Fair point and thanks for connecting the dogts. This is a great cross-pillar scenario where we can use some advice from our Intune specialist. @Clay-Microsoft wondering if you can weigh in? From Entra, we have policy plane to inject local admins to entra devices and seems that intune does too. So what's the best practice here?

@Clay-Microsoft - Need you inputs on this.

Response from Clay - "Account protection policies via Intune are generally the preferred and better path. That is what we recommend."

After discussing the @ramical and @KalwaniRavi we've decided to make one more change to this test.

If the tenant has any Intune licenses, this test should be Skipped with the reason as 'Not applicable for tenants with Intune'. This is because the other intune test 'Local account usage on Windows is restricted to reduce unauthorized access' handles the scenario.