Microsoft Entra ID · Hardware & Devices
Microsoft Entra Joined Device Local Administrator
Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices.
Scope: Local administrator privileges on all Microsoft Entra joined Windows devices
Permissions
- Local administrator on Entra joined devices
- Read group settings
- Read group setting templates
Common use cases
- Device troubleshooting
- Software installation
- Local device management
- IT support scenarios
Best practices
- Use sparingly - prefer Intune policies
- Audit local admin usage
- Consider Just-in-Time access via PIM
Security considerations
- Grants local admin on ALL joined devices
- Can bypass Intune policies locally
- Should be time-limited via PIM
Common questions
When should I assign the Microsoft Entra Joined Device Local Administrator role?
Assign Microsoft Entra Joined Device Local Administrator when you need to: Device troubleshooting; Software installation; Local device management; and IT support scenarios. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Microsoft Entra Joined Device Local Administrator role do?
The Microsoft Entra Joined Device Local Administrator role grants permissions including: Local administrator on Entra joined devices; Read group settings; and Read group setting templates. See the Permissions section above for the full list.
What are the security risks of the Microsoft Entra Joined Device Local Administrator role?
Key considerations when assigning Microsoft Entra Joined Device Local Administrator: Grants local admin on ALL joined devices; Can bypass Intune policies locally; and Should be time-limited via PIM. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.