Utilizing Identity Governance to delegate local admin permissions for Hybrid and Azure AD Joined devices
Note: I am not a security expert. I do not know the security practices used in your environment. This article outlines a process that can impact the local Administrators group on devices in your environment. I HIGHLY recommend reviewing the steps in this article in the context of the security practices in your environment before implementing this process.
Microsoft recently updated Endpoint Security with the Local User Group policy. This policy provides a native interface to add users and groups to Windows devices through the LocalUsersAndGroups CSP. This allows administrators to add Azure AD Groups to local groups on Hybrid Azure AD joined devices. An Azure AD group’s membership can then be populated using an Access Package in Identity Governance, allowing users to give themselves temporary Local Admin access on-demand.
For this system to work, you need a few things in place:
- Azure AD Group
- Local User Group policy in Intune
- Identity Governance Access Package in Azure AD
Azure AD Group
This step is documented pretty well by Microsoft.
- Navigate to Intune
- Select the Groups blade on the left.
- Click + New Group
- Add a name, description, and owner as needed
- click Create
(Optional) Grab the SID of this AAD Group
In the upcoming Local User Group policy in Intune section, we will change the standard User selection type from its default setting. Microsoft intends to allow administrators to select AAD Groups or Users when creating these policies. This seems to be broken in my environment, and an error is presented after selecting the users or groups. Because of this, the upcoming instructions will direct you to change the setting to Manual and supply the SID of the Azure AD Group that was previously created. This article by Daniil Michine outlines how to find the SID of an Azure AD Group using Graph API Explorer.
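Because the Manual field needs the group's SID rather than its object ID, here is an added Python example (not from the article or from Microsoft) that derives the S-1-12-1 SID Windows uses for an Azure AD group from its object ID, maps such a SID back to the object ID, and checks a device's local Administrators membership against the group you intended the policy to add. The object ID and the `net localgroup administrators` output are constructed samples.

```python
import re
import struct
import uuid

# Constructed sample object ID (not a real tenant's group) and constructed
# `net localgroup administrators` output as seen on an Azure AD joined device.
SAMPLE_GROUP_OBJECT_ID = "2d5f4b1a-9c3e-4f7a-8b12-0123456789ab"
SAMPLE_NET_LOCALGROUP = """\
Alias name     administrators
Members
----------------------------------------------------------
Administrator
S-1-12-1-761219866-1333435454-587272843-2877908805
S-1-12-1-1-2-3-4
The command completed successfully.
"""
_SID_RE = re.compile(r"^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$")


def object_id_to_sid(object_id: str) -> str:
    """Azure AD object ID (GUID) -> the S-1-12-1-... SID Windows uses for it.
    Windows places Azure AD principals under identifier authority 12: the 16 GUID
    bytes in .NET Guid.ToByteArray() order are read as four little-endian uint32s."""
    guid_bytes = uuid.UUID(object_id).bytes_le  # same byte order as .NET ToByteArray()
    return "S-1-12-1-" + "-".join(str(n) for n in struct.unpack("<IIII", guid_bytes))


def sid_to_object_id(sid: str) -> str:
    """Reverse mapping, for resolving the SIDs listed in a device's local
    Administrators group back to the Azure AD group they represent."""
    m = _SID_RE.match(sid.strip())
    if m is None:
        raise ValueError(f"not an Azure AD (S-1-12-1) SID: {sid!r}")
    sub_auths = [int(n) for n in m.groups()]  # struct.pack rejects values > 32 bits
    return str(uuid.UUID(bytes_le=struct.pack("<IIII", *sub_auths)))


def unexpected_azure_ad_admins(net_output: str, allowed_object_ids) -> list:
    """Audit helper: S-1-12-1 entries in `net localgroup administrators` output
    that are not one of the Azure AD groups the Intune policy was meant to add."""
    allowed = {object_id_to_sid(i) for i in allowed_object_ids}
    entries = (line.strip() for line in net_output.splitlines())
    return [e for e in entries if _SID_RE.match(e) and e not in allowed]


if __name__ == "__main__":
    sid = object_id_to_sid(SAMPLE_GROUP_OBJECT_ID)
    print(sid)  # the value to paste into the policy's Manual user field
    print(unexpected_azure_ad_admins(SAMPLE_NET_LOCALGROUP, [SAMPLE_GROUP_OBJECT_ID]))
```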
Local User Group policy in Intune
- Navigate to Intune
- Select the Endpoint Security blade
- Select Account Protection blade within Endpoint Security
- Click + Create Policy
Creating the policy
- Select Windows 10 and later in the Platform dropdown
- Select Local user group membership (Preview) in the Profile dropdown
- Click Create
Naming the policy
- Give your policy a name and description, and click Next
Configuring the policy
- Leave the first 2 dropdown boxes in their default selections
- The third box can remain Users/Groups if an error is not encountered after selecting a user or group.
- Change the User selection type dropdown to Manual
- Click the Add users link
- Click + Add
- Paste the SID of your AAD Group in to the field, and click Ok
- Click Next
- Add a group for assignment, and click Next
- Add a scope tag for the policy, and click Next
- Click Create after reviewing the policy
Identity Governance Access Package in Azure AD
If you are unfamiliar with Access Packages, you can learn more from this tutorial from Microsoft. Access Packages allow administrators to delegate access of resources to the end user. The Access Package adds the end user as a member to the targeted AAD Group. This membership can expire after a set duration, and automatically remove the user from the AAD Group. Users can submit a request to access the resource at myaccess.microsoft.com once they are assigned the Access Package.
Navigating Azure AD
- Navigate to aad.portal.azure.com
- Click the Azure Active Directory blade
- Click the Identity Governance blade in Azure Active Directory
- Click Access Packages under Entitlement management
- Click + New access package
Naming your Access Package
- Give your Access package a name and description, select the Catalog the package belongs to, and click Next: Resource roles >
- If you plan to create many of these packages, you can create a new catalog specifically for all of your local admin Access Packages
- Click + Groups and Teams, select the previously created AAD group, and click Select
- If the group doesn’t show up immediately, click the checkbox above the search bar to see all AAD Groups
- Click Next: Requests >
Note: From this point forward, all of the configurations will highly depend on your organization’s security posture. I will be providing the bare-bones settings to make this work. Please carefully review the settings within the Access Package to ensure you are maintaining a secure environment.
- Select For users in your directory
- Select Specific users and groups
- Click + Add users and groups, and select the desired users or groups that will have access to complete this request
- Leave Require approval as No
- Change Enable new requests to Yes
- Click Next: Requestor Information >
Creating request questions
- Create a question to ask users, if desired
- Click Next: Lifecycle >
Configuring request lifecycle
- In Expiration, specify how long you want the requesting user to be a member of the resource targeted with the Access Package.
- My recommendation is to select Number of hours (Preview), and enter 2 in the Assignments expire after (number of hours) field
- Select the Access Review value that your organization requires. No will be selected for the purposes of this article.
- Click Next: Rules >
Configuring custom integrations
- Specify any if/then logic that will apply for any stage of the request process, then click Next: Review + create >
- Review the configuration of the Access Package, then click Create
Now that the access package is created and assigned to a user, the user can navigate to myaccess.microsoft.com. They will see the Access Package that was just created, and can fill out a request. If any approval is required for the request, the necessary users will be notified that they need to approve/deny the request. Assuming it is approved, the user will be added to the group. The group was added to the Administrators group on the user’s machine by the Intune policy. The user can now act as a local admin on their system. After 2 hours, they will be notified that their access has expired, and be prompted to renew the request.
This Access Package is HIGHLY customizable, and the Custom Extensions can interact with logic/function apps in your environment to send notifications to webhooks in Slack/Teams, or perform a plethora of other actions. This workflow allows administrators to add users and groups to local groups on both Azure AD-joined and Hybrid Azure AD-joined systems managed by Intune, and could potentially replace LAPS in some scenarios.
Hey, I’m working on implementing this (great idea btw), but I want to clarify on the assignment group of the actual Account Protection policy. Is this to be the same group that you provided the SID for? In your case the Demo Group? Or should the assignment group be something different? Just seems like doubling up otherwise.
For the assignment of the Account Protection Policy, you would add the user or device group that you want to receive the policy. You likely want the Access Package and the Account Protection policy to be assigned to the same group, so you can ensure that the same set of devices are receiving both policies.
Awesome, thanks for the speedy reply man! So far the tests have worked great! Can’t wait to peel back antiquated local admin exception implementations in our environment! Thanks for all this!
Worth noting, Microsoft has recently released both the Endpoint Privilege Management tool and Windows LAPS. Endpoint Privilege Management will only be free while in Public Preview, and will be locked behind an add-on subscription once it hits GA, but could replicate the actions of this method.