Starting with Windows 10 version 20H2, you can use Azure AD groups to manage local administrator group privileges on Azure AD-joined devices with the Local Users and Groups MDM policy. Organizations can use Microsoft Intune to manage these policies using Custom OMA-URI Settings or Account Protection Policy.
Note: Azure AD is now Entra ID.
As of now following local groups can be managed using the Local Users and Groups MDM policy.
- Administrators
- Users
- Guests
- Power Users
- Remote Desktop Users
- Remote Management Users
In this blog post, we will see how to manage local administrator members on Azure AD (Entra ID) joined devices using Azure AD Group and Intune Local Users and Group MDM policy.
Create an Azure AD Group
We will create an Entra ID (Formerly Azure AD) Security Group. We will be added to the local administrator group on AAD-joined devices. Using AAD group simplifies the management as you simply need to add the user to the AAD group to provide them local admin rights on devices.
Create an Azure AD group with below details.
- Group Type: Security
- Group Name: IT – Helpdesk
- Azure AD roles can be assigned to the group: Select Yes.
- Membership Type: Assigned
- Members: Add the user if you want to add any at this point of time.
Follow the Create Azure AD Group if you need any help in creating the group.
Create Account Protection Policy to manage Local Administrators Group Membership Using Intune
The next step is to create an account protection policy. To create a local users group membership policy, you need to log in to the Intune portal endpoint.microsoft.com
- Navigate to Endpoint Security
- Select Account protection
- Click on + Create Policy to start the policy creation process
- From Create a profile, select the following
- Platform: Windows 10 and later
- Profile: Local user group membership
- Click on Create

Enter the Name and Description for the profile and click on Next to move to Configuration Settings.

On the Configuration Settings page, select all required settings. The following settings are available and need to be selected.
Local Group:
Select Administrator as we are adding users / AAD group to the local admin group in this example.
Other local groups that can be managed by Local Users and Group MDM policy are: Users, Guest, Power Users, Remote Desktop Users, and Remote Management Users.
Local Group and user action:
The local group and user management policy have two actions available. They are called Update (U) and Replace / Restrict (R).
- Update Group Membership: Update a group and add/remove members. When using update, existing group members that are not specified in the policy remain untouched.
- Replace Group Membership: Restrict a group by replacing group membership. When using Replace, existing group membership is replaced by the list of members specified in the policy. Any member not specified in the policy is removed.
In Microsoft Intune, you need to select one of the following options.
- Add (Update) : Add members to the specified group. The other member already present in the local group will not be touched.
- Remove (Update): Remove members from the specified group. The other members already in a group and not listed in the policy will remain intact.
- Add (Replace): Replace the existing members of the group with the members provided in the policy.
User Selection Type:
- Users / Groups: Allow you to select Azure AD users / Azure AD groups
- Manual: Allow you to add the following
- Username
- Domain\Username
- SID (Security Identifier)
Selected users / groups:
Select Users / Groups or provide details manually based on User Selection Type.

On the Assignment page, you can assign the policy to Azure AD group, All users, or All devices based on your requirement. Since we are doing this in the test environment, we selected All devices. You can also use Assignment Filters for more granular targeting of policy.
Click on Next.

On the Review + create, review the details and click on the Create button to create the policy.

Result
To verify the result, perform the steps below on one of the targeted devices.
- Launch Compmgmt.msc
- Navigate to Local Users and Groups / Groups
- Double click on Administrator
- Verify if required AAD groups/users are now members of the local Administrator group.
The highlighted SID is for the Azure AD group that we have selected in the Local User and Group policy.

Related Posts
- Block USB Device Access with Exceptions | Microsoft Intune
- Deny Write Access to USB Devices Using Intune Catalog Settings
- Manage Windows Local Administrator Password with Intune & Windows LAPS
- Check OS Version Compliance with Device Compliance Policy & Notify User | Microsoft Intune
- How to manage the local administrators group on Azure AD joined devices | Intune
Subscribe to Techuisitive Newsletter
Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.