Swimming against the stream of all other Azure AD roles being available in the Roles and administrators pane of the Azure AD Portal, the Device administrator role is missing there.
Now, let’s explore how to add additional administrators to Azure AD-joined devices.
About Azure AD Join
Organization-owned Windows-based devices used to be joined to Active Directory. This is called domain-join. Now, in the age of cloud, organizations can opt to join devices to Azure AD instead, or have Azure AD Connect synchronize domain-joined device objects to Azure AD, where these synchronized objects can be attached. This latter process is called Hybrid Azure AD Join, but went by the 'Domain-join ++' moniker for quite a while.
When Azure AD-joining a Windows 10-based device, a trust relationship is formed between the device and the Azure AD tenant of the organization. The Primary Refresh Token (PRT) that is configured for the Local Security Authority (LSA) provides single sign-on access to Azure AD-integrated resources, including Azure and Office 365.
About the Device administrator role
When Azure AD-joining a Windows 10-based device (not Hybrid Azure AD-joining a device), the user account of the person who performs the join is automatically configured with local administrator privileges on that device.
By assigning the Device administrator role to other people, their user accounts also gain local administrator privileges when they sign in to Azure AD-joined devices. This role is useful for service desk personnel and other persons who are responsible for all device-oriented support within the organization.
The Device administrator role used to be available in the Roles and administrators pane of the Azure AD Portal, but it is no longer there.
To assign Device administrator role privileges
The new way to assign Device administrator role privileges is on the Device Settings pane. Follow these steps to assign Device administrator role privileges:
- Navigate your browser to the Azure AD Portal.
- Sign in with an account that has Global administrator privileges.
  Perform multi-factor authentication, when prompted.
- In the left navigation pane, click Azure Active Directory.
- In Azure Active Directory's navigation pane, click Devices.
- In the Devices navigation pane, click Device settings.
- Change the selection for the Additional local administrators on Azure AD joined devices option from None to Selected.
- Click the No member selected text below the option.
  The Local administrators on devices blade appears.
- On the Local administrators on devices blade, click the + Add button.
  The Add members blade appears.
- Type the name of the person whose account you want to have local administrator privileges on all Azure AD-joined devices. Click the Select button at the bottom of the blade to select the user object and close the blade.
- To add more user accounts to the role, click the + Add button on the Local administrators on devices blade again and repeat the previous step for each account.
- Click OK at the bottom of the Local administrators on devices blade to save your selection and close the blade.
- At the top of the Device Settings pane, click Save to save your settings.
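Because the role is hidden from the Roles and administrators pane, it is easy to lose track of who holds it. The following script, an added example that is not part of the original post, uses the Microsoft Graph PowerShell SDK to list the current members of the role and flag any account that is not on an approved list. It assumes the SDK is installed and that the role's Graph display name is the one used below (the name has changed over time, so adjust it for your tenant); the approved UPNs are constructed sample values.

```powershell
# Added audit example (not from the original post): list who currently holds the
# Device administrator role and flag unexpected members.
# Assumptions: Microsoft.Graph module installed; role display name as below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$roleName = "Azure AD Joined Device Local Administrator"   # assumed display name

# Constructed list of accounts that are supposed to hold the role (e.g. service desk).
$approved = @(
    "helpdesk1@contoso.example",
    "helpdesk2@contoso.example"
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# so filter client-side and handle the "never assigned" case explicitly.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }

if (-not $role) {
    Write-Warning "Role '$roleName' is not activated in this tenant; no members assigned."
    Disconnect-MgGraph | Out-Null
    return
}

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

foreach ($m in $members) {
    # Member details live in AdditionalProperties for directoryObject results.
    $type = $m.AdditionalProperties.'@odata.type'
    $upn  = $m.AdditionalProperties.userPrincipalName
    $name = $m.AdditionalProperties.displayName

    if ($type -ne '#microsoft.graph.user') {
        # The post notes this role cannot be assigned to groups; anything that is
        # not a user object here deserves a closer look.
        Write-Warning "Non-user member in role: $name ($type, id $($m.Id))"
        continue
    }

    if ($approved -notcontains $upn) {
        Write-Warning "Unapproved Device administrator: $upn ($name)"
    } else {
        Write-Output "Approved Device administrator: $upn"
    }
}

Disconnect-MgGraph | Out-Null
```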
There is a very good reason why the Device administrator role is not in the Roles and administrators pane of the Azure AD Portal: this functionality is Premium functionality and only available in Azure AD tenants with at least one Azure AD Premium P1 and/or Azure AD Premium P2 subscription license (or a license suite that includes either of these licenses). In non-Premium Azure AD tenants, the Additional local administrators on Azure AD joined devices option is not available.
Adding this role to the Roles and administrators pane would make it too easy to circumvent the license restriction. The downside, however, is that you cannot assign a group to the Device administrator role.