Preventing Automatic Addition of Global Administrators to Local Administrators Group [CHK-1166]
This check ensures that the feature to automatically add Global Administrators to the Local Administrators group on new Windows devices is disabled in Entra ID.
Rationale
An attacker gaining access to an account with local admin rights on all devices can quickly move from one system to another, potentially taking control over the core of the IT environment, especially if the account also has global admin rights. Therefore, it is safer to assign these rights specifically, rather than adding global administrators to the local admin group.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Entra portal at https://entra.microsoft.com
- Go to Devices > All Devices > Device Settings
- Ensure that the setting Global administrator role is added as local administrator on the device during Microsoft Entra join (preview) is disabled
- Click Save
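The same verification can be scripted against the policy object behind that portal page. The block below is an added example, not Attic's or Microsoft's own code: it evaluates a Microsoft Graph beta deviceRegistrationPolicy response, assuming the portal toggle is exposed as azureADJoin.localAdmins.enableGlobalAdmins (the field names and the sample response are assumptions constructed for the example).

```python
import json

# Constructed sample of a GET https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy
# response. Field names are assumed; only the parts CHK-1166 needs are included.
SAMPLE_POLICY_JSON = """
{
  "id": "deviceRegistrationPolicy",
  "azureADJoin": {
    "isAdminConfigurable": true,
    "localAdmins": {
      "enableGlobalAdmins": true,
      "registeringUsers": {"@odata.type": "#microsoft.graph.noDeviceRegistrationMembership"}
    }
  }
}
"""


def load_sample() -> dict:
    """Parse the constructed sample response into a dict."""
    return json.loads(SAMPLE_POLICY_JSON)


def evaluate_chk_1166(policy: dict) -> dict:
    """Return the CHK-1166 verdict for one deviceRegistrationPolicy object.

    FAIL when Global Administrators are still auto-added to the local Administrators
    group on Entra join. A missing or malformed field is also FAIL, so an unexpected
    API shape never turns into a silent pass.
    """
    local_admins = policy.get("azureADJoin", {}).get("localAdmins")
    if not isinstance(local_admins, dict) or "enableGlobalAdmins" not in local_admins:
        return {"check": "CHK-1166", "status": "FAIL",
                "reason": "enableGlobalAdmins not present in policy"}
    enabled = bool(local_admins["enableGlobalAdmins"])
    return {"check": "CHK-1166", "status": "FAIL" if enabled else "PASS",
            "reason": ("Global admins are auto-added as local admins" if enabled
                       else "Global admins are not auto-added as local admins")}


def remediated(policy: dict) -> dict:
    """Return a deep copy with the setting disabled (the value to PATCH back; assumed field)."""
    fixed = json.loads(json.dumps(policy))
    fixed.setdefault("azureADJoin", {}).setdefault("localAdmins", {})["enableGlobalAdmins"] = False
    return fixed


if __name__ == "__main__":
    current = load_sample()
    print(evaluate_chk_1166(current))              # FAIL on the constructed sample
    print(evaluate_chk_1166(remediated(current)))  # PASS after remediation
```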
Impact
As a result of this change, administrators may no longer have local admin rights on their own PC or on those of colleagues. If they do need such rights, they must be explicitly added to the local Administrators group on each specific endpoint, or be added to a dedicated central role that exists for the task of local administration.