How do I add Azure Active Directory User to Local Administrators Group

18

14

With Windows 10 you can join an organisation (=Azure Active Directory) and login with your cloud credentials.

Based on the information provided here the first account per computer that joins the organisation is a local administrator. The accounts that join after that are not.

How do I make them local administrators?

The standard group add dialog does not allow me to select users from AzureAD or search for users from AzureAD. I can simply see that my first account is in the list (listed as AzureAD\AccountName).

Also interesting: when I log in with the second account and get prompted for a local administrator (for applying computer settings - UAC I assume), it will not accept the first account even though it is a local administrator.

Alex Duggleby

Posted 2015-10-05T09:22:52.233

Reputation: 283

you need to change the accepted answer... Chris Angell has the simple 1-liner command line that makes everything work right – ckozl – 2016-03-24T02:46:33.727

Answers

42

You can do this via command line! I just had this same issue and after searching and getting nothing but "you can't" from everywhere, I (for giggles and grins) tried this through the command line and IT WORKED!!

  1. Login to the PC as the Azure AD user you want to be a local admin. This gets the GUID onto the PC.

  2. Log out as that user and login as a local admin user.

  3. Open a command prompt as Administrator and using the command line, add the user to the administrators group. As an example, if I had a user called John Doe, the command would be "net localgroup administrators AzureAD\JohnDoe /add" without the quotes.

Log back in as the user and they will be a local admin now.

Chris Angell

Posted 2015-10-05T09:22:52.233

Reputation: 436

What about filesystem permissions? Is there any way to use the GUI for filesystem permissions? – Monstieur – 2016-08-02T05:37:46.100

You could maybe use fileacl for file permissions? – munrobasher – 2017-01-11T19:28:55.480

Step 2: You don't have to log out + log in as local admin. From any account you can open CMD as admin (it will ask for admin credentials if needed). Then next time that account logs in it will pull the new permissions. – Hicsy – 2017-08-18T05:02:16.153

@Monstieur I created a local (user) group with no one in it (called $MYUSERNAME_user), added the AD user with the above instructions, then used the GUI to add the local group (and therefore the user) for filesystem permissions. It's a kluge, but it works. Probably not good for a widely-used system lest someone add more users to the local group, but adequate for a single-user workstation. – Keith Robertson – 2019-10-23T21:01:46.560

1

My experience is also that there is no option available to add a single AAD account to the local administrator group. What you can do is add additional administrators for ALL devices that have joined the Azure AD. You can do this through the Azure console on https://manage.windowsazure.com (for which you need an AAD license). You can find this option by clicking on your tenant name and clicking on the 'configure' tab. Look for the 'devices' section.

This means that two AAD users cannot be local admin on the same device at the same time, unless one of the users is a global admin for all devices... In case the Windows machine has to change owner, which also needs local admin rights on the specific machine, you need to de-join from AAD and re-join using the new owner's user account.

I tried this and to my surprise the built-in local administrator did not have permissions to join Azure AD. Clicking the button didn't give any reply. Only after adding another local administrator account and logging in locally with that user could I start the join process. In the login screen I specified the Azure AD/O365 user. That one became local admin correctly.

See also the blog below:

Azure ad join windows 10

Cyril

Posted 2015-10-05T09:22:52.233

Reputation: 11

1

I just landed here with a similar problem - how do I add my Azure user to the local "Hyper-V Administrators" group.

Apart from the best-rated answer (thanks!), turns out you can with the following PS command as well:

PS> ([adsi]"WinNT://./Hyper-V Administrators,group").Add("WinNT://$env:UserDomain/$env:Username,user")

which I found on https://docs.okd.io/latest/minishift/troubleshooting/troubleshooting-driver-plugins.html#troubleshooting-driver-hyperv

Pawel Gorczynski

Posted 2015-10-05T09:22:52.233

Reputation: 111
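The following PowerShell script is an added example and is not code from any of the answers above. It pulls together the accepted answer's "net localgroup administrators AzureAD\JohnDoe /add" approach and the ADSI one-liner from the Hyper-V Administrators answer into one idempotent function: it checks whether the AzureAD account is already in the target local group before adding it, prefers the built-in LocalAccounts cmdlets (Add-LocalGroupMember, Windows 10 1607+ / PowerShell 5.1) and falls back to the WinNT ADSI provider, then lists the group's members so the change can be reviewed. Assumptions: the script runs elevated on an Azure AD-joined Windows 10 machine, the account (placeholder "JohnDoe" from the accepted answer) has signed in to the PC at least once so its SID is known locally, and the group name you pass exists. As the Hicsy comment notes, the new membership takes effect at that account's next logon.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answers. Adds an Azure AD account to a local
# group on an Azure AD-joined Windows 10 PC and audits the resulting membership.
# Assumes the account has signed in to this PC once already (so its SID is cached).

function Get-LocalGroupAdsPaths {
    # Enumerate members through the WinNT ADSI provider. This is the same provider the
    # Hyper-V answer uses, and it returns AzureAD members as WinNT://AzureAD/<name>.
    param([Parameter(Mandatory)] [string] $Group)
    $g = [adsi]"WinNT://./$Group,group"
    @($g.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    })
}

function Add-AzureAdAccountToLocalGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserName,   # e.g. 'JohnDoe' (placeholder name)
        [string] $Group = 'Administrators'           # or 'Hyper-V Administrators'
    )
    $member = "AzureAD\$UserName"

    # Idempotency check: compare against the ADSI path form WinNT://AzureAD/<name>.
    $already = Get-LocalGroupAdsPaths -Group $Group |
        Where-Object { $_ -ieq "WinNT://AzureAD/$UserName" }
    if ($already) {
        Write-Verbose "$member is already a member of '$Group'; nothing to do"
        return $false
    }

    if ($PSCmdlet.ShouldProcess($member, "Add to local group '$Group'")) {
        try {
            # Preferred path: LocalAccounts module (equivalent to the net localgroup /add
            # command in the accepted answer).
            Add-LocalGroupMember -Group $Group -Member $member -ErrorAction Stop
        } catch {
            # Fallback: the WinNT ADSI provider, as in the Hyper-V Administrators answer.
            Write-Verbose "Add-LocalGroupMember failed ($($_.Exception.Message)); using ADSI"
            ([adsi]"WinNT://./$Group,group").Add("WinNT://AzureAD/$UserName,user")
        }
    }
    return $true
}

function Show-LocalGroupAudit {
    # Print every member of the group and flag any that is not on an expected list,
    # so that an unintended local admin is noticed rather than silently accumulated.
    param(
        [string]   $Group    = 'Administrators',
        [string[]] $Expected = @()                   # e.g. @('WinNT://AzureAD/JohnDoe')
    )
    foreach ($path in Get-LocalGroupAdsPaths -Group $Group) {
        $flag = if ($Expected -and ($Expected -notcontains $path)) { ' <-- not expected' } else { '' }
        Write-Output ("{0,-28} {1}{2}" -f $Group, $path, $flag)
    }
}

# Usage (placeholder account name; -WhatIf shows the change without applying it):
$changed = Add-AzureAdAccountToLocalGroup -UserName 'JohnDoe' -Group 'Administrators' -Verbose
Write-Output "Membership changed: $changed"
Show-LocalGroupAudit -Group 'Administrators' -Expected @(
    'WinNT://AzureAD/JohnDoe'                        # adjust to the admins you intend to keep
)
```

The ADSI enumeration is used for the membership check rather than Get-LocalGroupMember because the LocalAccounts cmdlet is known to fail on some Windows 10 builds when a group contains principals it cannot resolve, which is exactly the situation an AzureAD member can produce. Run the function with -WhatIf first to confirm the group and account name before making the change.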