How do I break into a computer that is Azure joined as a non-admin account?

thecomputerguy

I have a client whose owners are young whippersnappers, and they will occasionally try to set up a new employee on an existing Azure joined device without involving me.

When you unbox a computer for the first time and Azure join it through Windows setup the initial account created is an Azure joined account with local admin privileges.

The issue is, if this employee is terminated and an additional Azure licensed account is added to the computer, that next account is added as a standard user, so they can't install anything.

The original employee's account is then decommissioned, and now the computer has a local admin account that is not able to log in and a standard account that can't install anything.

I don't have my RMM on any of these systems; it's a non-MSP client.

The only way I was able to get around it was to reinstate the original employee's terminated local admin account, then use the command:

net localgroup administrators AzureAD\JohnDoe /add

to promote the new user to local admin, then decommission the original account again. I then added a backdoor local admin account.

What can be done in the future to avoid this rudimentary process of regaining local admin without all of the above?

Yes, I understand giving users local admin is not best practice, but for small companies sometimes this is inevitable if they need to install a printer or something.
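The failure mode described in this post (the only local admin is a decommissioned Entra account) is easy to check for before offboarding. The following PowerShell is an added example, not code from the thread; it assumes an elevated session on the Entra joined PC and uses only the built-in LocalAccounts cmdlets, with an ADSI fallback for the known case where Get-LocalGroupMember fails on orphaned SIDs.

```powershell
# Added example (not from the thread): audit who can still administer an Entra (Azure AD)
# joined PC. Run elevated. Flags the situation above: every member of Administrators is a
# cloud account, so disabling the first employee in Entra leaves nobody able to elevate.

function Get-LocalAdminReport {
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Some builds throw "Failed to compare two elements" when an orphaned SID
        # (e.g. a deleted Entra user) is in the group; enumerate via ADSI instead.
        $group = [ADSI]'WinNT://./Administrators,group'
        $members = @($group.Invoke('Members')) | ForEach-Object {
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            [pscustomobject]@{
                Name            = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
                SID             = $sid
                ObjectClass     = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
                # S-1-12-1-* is the Entra SID range (users and the GA/device-admin roles)
                PrincipalSource = if (Get-LocalUser -SID $sid -ErrorAction SilentlyContinue) { 'Local' }
                                  elseif ($sid.Value -like 'S-1-12-1-*') { 'AzureAD' } else { 'Unknown' }
            }
        }
    }
    foreach ($m in $members) {
        $enabled = $null
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            # Built-in Administrator is normally disabled, so check the flag, not just membership
            $enabled = (Get-LocalUser -SID $m.SID).Enabled
        }
        [pscustomobject]@{
            Name    = $m.Name
            Source  = $m.PrincipalSource   # Local, AzureAD, MicrosoftAccount, ActiveDirectory
            Class   = $m.ObjectClass
            Enabled = $enabled
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# A usable break-glass admin is a local, enabled user account; Entra principals stop
# working the moment the account is disabled in the tenant.
$usable = @($report | Where-Object { $_.Source -eq 'Local' -and $_.Class -eq 'User' -and $_.Enabled })
if ($usable.Count -eq 0) {
    Write-Warning 'No enabled local admin account: create a documented break-glass admin before offboarding.'
} else {
    Write-Output ('Usable local admins: ' + ($usable.Name -join ', '))
}
```

Run it as part of the offboarding checklist; a warning means the device will end up in exactly the state the post describes once the first user's Entra account is disabled.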
 
If you don't have Intune, you're stuck doing the same thing we always did...

PC Unlocker or something equivalent to make a local admin account, and go from there.

The process above does work, and if it's the only local admin you've got, and you have no RMM / Intune... well that's the best you've got too.
 
If you log in with the M365 domain admin account, doesn't that give you local admin rights on the PC as well?
 
If you log in with the M365 domain admin account, doesn't that give you local admin rights on the PC as well?

I don't believe so, but in the post above by @YeOldeStonecat it looks like that option can be enabled.

@YeOldeStonecat, do you know whether, if these switches are turned on, they work retroactively on existing devices, or will they only apply these settings to Entra joined devices moving forward?
 
Turns out "add Global Admin as local administrator" is turned on by default ... very possibly I just never tried to log in with my credentials in this scenario.
 
I don't believe so, but in the post above by @YeOldeStonecat it looks like that option can be enabled.

@YeOldeStonecat, do you know whether, if these switches are turned on, they work retroactively on existing devices, or will they only apply these settings to Entra joined devices moving forward?
I just had to do one of those today... to show our helpdesk guy. A laptop had been set up by a user... who is no longer at this client. That user, since it was the first one used to join the laptop to AzureAD... had been local admin. The "replacement user"... her profile had been added to the laptop, but by Microsoft design it was not a local admin. So I went in and added her from Entra. However, it does take... (at least today)... quite a few hours to ripple down to the workstation... so yes, it works on existing devices, it just takes a while.

Also, don't forget to change the primary user in Entra (or in Intune; doesn't matter which).
I don't do the "log in with a GA account" approach since I have Intune policies in place to automate a lot, and... I don't prefer to burn a Biz Prem license on a GA account.
 
It happens on an Intune policy push, which is ~8 hours unless forced, and will "only force" when the machine is AAD joined AND the user logging in passes the M365 license check for Intune during login.

That's one of Intune's primary failings... the performance of policy updates is suboptimal.
 