Log in to the PC as the Azure AD user you want to be a local admin. This gets the GUID onto the PC.
Log out as that user and log in as a local admin user.
Open a command prompt as Administrator and add the user to the administrators group from the command line. As an example, if I had a user called John Doe, the command would be net localgroup administrators AzureAD\JohnDoe /add.
Do you want to make a user an admin from Azure?
Simon does Five Approaches For Local Admin Access On The Azure AD Joined PC
There is a feature in Intune to configure local user group membership settings for Windows devices. This can be granularly assigned to devices and groups and will thus be a better approach than the previously mentioned device administrator role.
This setting can be found in the Intune admin center under Endpoint Security – Account Protection. Select Create Policy and choose Windows 10 or later – Local user group membership.

The policy should be given an appropriately descriptive name and description.

In the next window, we can configure the rules to manage the local group.

The actions we can use are as follows:
- Add (Update), which adds members to the group in addition to the current members in the group.
- Remove (Update), which removes certain members from the group.
- Add (Replace), which replaces all members of the group. This action takes precedence if multiple rules target the same group! It also addresses the challenge of manually added local admin accounts, as mentioned later in this article.
If you are dealing with AAD-joined devices only, you can select the user/group to assign, as shown in the picture above. If you have Hybrid joined devices, you have to select the manual way of selecting users/groups.
Separate user accounts for this purpose are preferable. You can add an extra layer of security if you assign the rights to privileged access groups (role-assignable AAD groups) with Azure AD Privileged Identity Management (PIM). This will give just-in-time privileges.
This policy can now be assigned to device groups targeting the selection of devices scoped for local administration by the configured user accounts.

After the devices sync with Intune, we can confirm the new configuration in the local Administrators group.
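
One way to run that confirmation from an elevated PowerShell prompt, as an added example that is not part of the original article: it reads the local Administrators group and compares it with an allow-list. The allow-list is constructed for illustration; AzureAD\JohnDoe is the sample user from earlier on this page and the built-in Administrator entry is an assumption.

```powershell
# Added example: audit the local Administrators group on an Azure AD joined PC.
# $Expected is a constructed allow-list; replace it with the accounts your policy assigns.
$Expected = @(
    "$env:COMPUTERNAME\Administrator"   # built-in local account (assumption)
    'AzureAD\JohnDoe'                   # sample user from this page
)

# Resolve the group by its well-known SID so the check also works on non-English Windows.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Read members through the ADSI WinNT provider, which also returns entries
# whose SID cannot be resolved to a name on this device.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = foreach ($m in $group.Invoke('Members')) {
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }        # unresolved principal: keep the raw SID
    [pscustomobject]@{ Name = $name; Sid = $sid.Value }
}

# -notcontains is case-insensitive, which matches how Windows treats account names.
$unexpected = @($members  | Where-Object { $Expected -notcontains $_.Name })
$missing    = @($Expected | Where-Object { $members.Name -notcontains $_ })

"Members of ${groupName}:"
$members | Format-Table -AutoSize | Out-String

if ($unexpected.Count -gt 0) {
    # Raw S-1-12-1-... entries are Azure AD principals the device could not resolve
    # to a name; review them against the tenant rather than assuming they are stale.
    Write-Warning ("Not in allow-list: " + ($unexpected.Name -join ', '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("Expected but absent: " + ($missing -join ', '))
}

# A non-zero exit code lets a scheduled job or remediation script flag drift.
if ($unexpected.Count -gt 0 -or $missing.Count -gt 0) { exit 1 } else { 'Group matches allow-list.' }
```

With an Add (Replace) rule in place, any manually added account shows up under "Not in allow-list" until the next policy sync removes it.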

This will be a good approach for help desk users and power users, but it will still conflict with the practice of using the least privileged access since one credential can have constant privileged access to several devices.
Also don't forget to sync with Intune Active AD
Manually Sync Intune Policies on Windows Devices using Settings App
You can manually sync to refresh Intune policies on Windows devices using the Settings App. On your device, select Start > Settings. Select Accounts.
Under Accounts, select Access work or school. Select the account that has a briefcase icon next to it. Click Info.

Under Device Action status, click Sync. This will sync the latest security policies, network profiles and managed applications from Intune.

Note: You can force an Intune policy sync on multiple computers using a PowerShell script to refresh Intune policies. A PowerShell script is the way to go when you want Intune to re-evaluate a large number of devices against the changed policies.
Ref: https://www.prajwaldesai.com/manually-sync-intune-policies-windows-devices/

