Using Intune to manage local group memberships – Manage identity and compliance


In an on-premises domain, it’s usual for the domain administrator to want to manage group membership on domain-joined computers. In a cloud context, it’s also desirable for administrators to be able to manage the membership of groups on Azure AD joined computers. To manage local group memberships on Azure AD joined computers, you use Intune. Specifically, you create an Account protection policy in Endpoint Security settings.

Use the following procedure:

  1. Open the Microsoft Intune admin center.
  2. In the navigation pane, select Endpoint security and click Account protection.
  3. In the details pane, click Create Policy.
  4. On the Create a profile page, in the Platform list, select Windows 10 and later.
  5. In the Profile list, select Local user group membership.
  6. Click Create.
  7. In the Create profile wizard, enter a name on the Basics tab and click Next.
  8. On the Configuration settings tab, displayed in Figure 2-20, select the local group in the dropdown, and then configure the required settings. For example, choose Administrators, select Add (update), and choose the required users or groups you want to add from your Azure AD tenant.

FIGURE 2-20 Adding Azure AD users to local groups

  9. Click Next, and configure any scope tags.
  10. Click Next and then assign the policy to the appropriate device group.
  11. Click Next and then click Create.
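Once the Account protection policy has applied, the practical check is whether the device's local Administrators group actually matches what the policy is supposed to enforce. The following PowerShell script is an added example for that audit; it is not part of the original article or of any Microsoft tooling. The allowlist in `$ExpectedMembers` is a constructed placeholder (the `AzureAD\...` UPN is invented) and should be replaced with the principals your own policy adds. It uses the built-in `Get-LocalGroupMember` cmdlet, which on an Azure AD joined device reports cloud users with an `AzureAD\` prefix and `PrincipalSource` of `AzureAD`.

```powershell
# Added example (not from the original article): audit local Administrators
# membership on an Azure AD joined device and report drift from an allowlist.
# $ExpectedMembers is a constructed, assumed allowlist; replace it with the
# principals your Intune Account protection policy is meant to enforce.

function Get-LocalAdminDrift {
    param(
        [string]$GroupName = 'Administrators',
        [string[]]$ExpectedMembers = @(
            'Administrator',                      # built-in account, usually kept
            'AzureAD\helpdesk@contoso.example'    # constructed placeholder UPN
        )
    )

    try {
        # Get-LocalGroupMember ships with Windows (Microsoft.PowerShell.LocalAccounts).
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    }
    catch {
        # Known failure mode: an orphaned SID (for example a deleted Azure AD user)
        # can make the cmdlet throw "Principal ... could not be found".
        # Surface that rather than silently reporting the group as healthy.
        return [pscustomobject]@{ Status = 'Error'; Message = $_.Exception.Message }
    }

    # Normalise names: strip the local computer name prefix so 'PC01\Administrator'
    # compares equal to 'Administrator'; 'AzureAD\' prefixes are kept as-is.
    $computerPrefix = "$env:COMPUTERNAME\"
    $actual = foreach ($m in $members) {
        if ($m.Name.StartsWith($computerPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            $m.Name.Substring($computerPrefix.Length)
        }
        else {
            $m.Name
        }
    }

    # -notcontains compares case-insensitively, matching how Windows treats account names.
    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        Status     = if ($unexpected.Count -or $missing.Count) { 'Drift' } else { 'OK' }
        Unexpected = $unexpected
        Missing    = $missing
        Members    = $members | Select-Object Name, ObjectClass, PrincipalSource, SID
    }
}

$result = Get-LocalAdminDrift
$result | Format-List
# Non-zero exit lets a proactive remediation or monitoring job flag the device.
if ($result.Status -ne 'OK') { exit 1 }
```

Run it in an elevated session on the device (or as an Intune remediation script). Any principal in `Unexpected` is one the policy did not put there, which is exactly the condition you want to detect when local admin membership is meant to be managed centrally.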

Implement and manage LAPS for Azure AD

Password management for administrator accounts on AD DS or Azure AD–joined computers is a significant problem for Windows administrators. Implementing Local Administrator Password Solution (LAPS) is one solution.

LAPS secures your Windows devices’ local administrator passwords: it backs the password up to the directory and rotates it automatically, so each device has a unique password that an administrator can retrieve when needed. You must configure two related settings to enable and use LAPS in your Azure AD tenant:

  • Enable LAPS in Microsoft Entra
  • Configure LAPS using Intune

Enabling LAPS in Microsoft Entra

Before you can implement LAPS, you must enable it within your Azure AD tenant. You do this using the Microsoft Entra admin center. Use the following procedure:

  1. Open Microsoft Entra admin center.
  2. Expand Azure Active Directory in the navigation pane.
  3. Expand Devices and then select All devices.
  4. Click Device settings.
  5. Under the Local administrator settings heading, as shown in Figure 2-21, turn on the Enable Azure AD Local Administrator Password Solution (LAPS) setting.

FIGURE 2-21 Enabling Azure AD Local Administrator Password Solution for your tenant
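Turning on the tenant setting above does nothing on its own; a device only starts backing up its password once an Intune LAPS policy reaches it as well. The PowerShell script below is an added example, not part of the original article or of Microsoft's LAPS module, that checks the device-side result of both steps together. It assumes, from my reading of Microsoft's Windows LAPS documentation, that Intune-delivered policy lands under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS` and that `BackupDirectory` uses 0 = disabled, 1 = Azure AD, 2 = Active Directory; verify those against the current documentation before relying on them. `Invoke-LapsPolicyProcessing` and the `Microsoft-Windows-LAPS/Operational` event log are real components of Windows LAPS.

```powershell
# Added example (not from the original article): device-side check that Windows LAPS
# is configured to back up the local administrator password to Azure AD.
# Assumption (from Microsoft's Windows LAPS docs): CSP policy is written to
# HKLM\SOFTWARE\Microsoft\Policies\LAPS, BackupDirectory 0 = disabled,
# 1 = Azure AD, 2 = Active Directory. Confirm before depending on this.

function Test-LapsAzureAdBackup {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $findings  = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path $policyKey)) {
        $findings.Add("No LAPS policy found at $policyKey (Intune policy not applied yet?)")
        return [pscustomobject]@{ Healthy = $false; Findings = $findings }
    }

    $policy = Get-ItemProperty -Path $policyKey

    switch ($policy.BackupDirectory) {
        1       { }   # Azure AD backup: the desired state for this section
        2       { $findings.Add('BackupDirectory=2: password is backed up to on-premises AD, not Azure AD') }
        default { $findings.Add("BackupDirectory=$($policy.BackupDirectory): LAPS backup is disabled or unset") }
    }

    # Windows LAPS defaults to a 30-day rotation; flag anything longer than that.
    if ($policy.PasswordAgeDays -and $policy.PasswordAgeDays -gt 30) {
        $findings.Add("PasswordAgeDays=$($policy.PasswordAgeDays): rotation interval longer than the 30-day default")
    }

    # Ask LAPS to process policy now, then look for errors or warnings it logged.
    try {
        Invoke-LapsPolicyProcessing -ErrorAction Stop
    }
    catch {
        $findings.Add("Invoke-LapsPolicyProcessing failed: $($_.Exception.Message)")
    }

    $problems = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2, 3            # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue

    foreach ($e in $problems) {
        # First line of the message is enough to identify the problem.
        $findings.Add("LAPS event $($e.Id): $($e.Message.Split("`n")[0])")
    }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

Test-LapsAzureAdBackup | Format-List
```

Run it elevated on a device that should be in scope of the Intune LAPS policy. A `Healthy` result means the policy arrived with Azure AD as the backup target and the most recent policy processing produced no errors; any finding points at which of the two configuration steps still needs attention.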

