Microsoft Entra ID · Hardware & Devices
Microsoft Entra Joined Device Local Administrator
Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices.
Scope: Local administrator privileges on all Microsoft Entra joined Windows devices
Permissions
- Local administrator on Entra joined devices
- Read group settings
- Read group setting templates
Common use cases
- Device troubleshooting
- Software installation
- Local device management
- IT support scenarios
Best practices
- Use sparingly - prefer Intune policies
- Audit local admin usage
- Consider Just-in-Time access via PIM
Security considerations
- Grants local admin on ALL joined devices
- Can bypass Intune policies locally
- Should be time-limited via PIM