Microsoft Entra ID Series: Disable Entra ID Users' Local Admin Privilege So They Become Normal Users (Demote Local Admin Privilege)

Jeffry Gunawan
1 min read · Jun 15, 2024

This article is about ensuring that users do not have unnecessary administrative privileges. The background is one of my POC requests that required that each user not have local admin privileges. This setup means that when you sign in to an on-premises Windows device (Microsoft Entra joined) with an Entra ID account, the account automatically becomes a standard local user, not a local administrator.

Why Disable Local Admin Privileges?

  1. Minimize Security Risks: Local admin rights can be misused by attackers to install malware or access sensitive information.
  2. Prevent Unauthorized Software Installation: Limiting privileges helps in preventing the installation of unauthorized software, reducing the risk of malware.
  3. Enhance Compliance: Many compliance standards require organizations to limit administrative access to only those who need it.

Just follow this setup:

Then you can sign in using the email address.

And you do not have local admin privileges.
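To confirm the result on the device rather than trusting the sign-in screen, the following PowerShell script, added here as an example and not part of the original article, checks two things from a normal (non-elevated) session: whether the current token carries BUILTIN\Administrators (well-known SID S-1-5-32-544), including the UAC case where the group is present but marked "used for deny only", and which members of the local Administrators group come from Entra ID (shown as AzureAD\<name>) or are Entra role SIDs (S-1-12-1-*, which is how role-based local admins such as the Entra device-administrator roles appear). The function names and the `net localgroup` fallback are assumptions of this example; the Entra setup steps themselves are the ones shown in the article's screenshots.

```powershell
# Added example (not from the original article): verify that the signed-in Entra ID
# user is a standard user on an Entra-joined Windows device, and list which
# Entra principals still hold local admin. Run in a normal, non-elevated session.

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-CurrentSessionAdminState {
    # whoami /groups lists the groups in the *current* token. For an admin user
    # under UAC the Administrators group is still present but flagged
    # "Group used for deny only", so we report that case separately.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq $AdminsSid }
    $user   = whoami

    if (-not $admin) {
        return [pscustomobject]@{
            User = $user; IsLocalAdmin = $false
            Note = 'Standard user: Administrators group is not in the token'
        }
    }
    if ($admin.Attributes -match 'deny only') {
        return [pscustomobject]@{
            User = $user; IsLocalAdmin = $true
            Note = 'Member of Administrators (UAC-filtered token, can elevate)'
        }
    }
    [pscustomobject]@{
        User = $user; IsLocalAdmin = $true
        Note = 'Member of Administrators with an elevated token'
    }
}

function Get-EntraLocalAdmins {
    # Entra users appear as AzureAD\<name> with PrincipalSource AzureAD.
    # Entra role SIDs (S-1-12-1-...) appear as unresolved SIDs.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember fails on some builds when a member SID cannot be
        # resolved; fall back to net.exe, which only gives the name column.
        $members = (net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
            ForEach-Object {
                [pscustomobject]@{ Name = $_.Trim(); SID = $null; PrincipalSource = 'Unknown' }
            }
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Name   = $m.Name
            Source = $m.PrincipalSource
            # True for an Entra user or an Entra role SID rather than a local account
            Entra  = ($m.Name -like 'AzureAD\*') -or ("$($m.SID)" -like 'S-1-12-1-*')
        }
    }
}

Get-CurrentSessionAdminState | Format-List
Get-EntraLocalAdmins | Format-Table -AutoSize
```

If the first output reports `IsLocalAdmin : False` for the AzureAD\ account you just signed in with, the demotion worked. The second table is the check to repeat after the change: any AzureAD\ entry or S-1-12-1-* SID left in Administrators is a user or Entra role that still gets local admin on this device and should be reviewed.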

Local admin privileges give users extensive access to their devices, which malicious actors can exploit if the account is compromised.

Jeffry Gunawan

Cyber Security Consultant | CEH(P), CHFI, ECIH, CSA, CSCU, SC200,400,300,900