Azure Active Directory Restricted Permissions in Devices

@Matias Vazquez, Thanks for posting in Q&A.

For our device, I would like to know if the devices are enrolled into Intune. If yes, then we can remove the user’s admin permission by configuring local user group membership via Intune. Here is a link with more details:

techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

Based as I know, for windows devices, there are many enrollment method we can choose. For the one you use, it seems to be Automatic enrollment via MDM. For this method, based as I know, the enroll user will join into local administrator automatically.

learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

If you want to the user to be a standard user, you can consider Autopilot method. In this enrollment method, we can configure “User account type” as standard, then the enrolled user will be a standard user on the device. Here is a link with more details:

learn.microsoft.com/en-us/mem/autopilot/profiles

Hope it can help.


If the answer is helpful, please click “Accept Answer” and kindly upvote it. If you have extra questions about this answer, please click “Comment”.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Read more here: Source link