Control: 5.1.4.3 Ensure the GA role is not added as a local administrator during Entra join
Description
This setting controls whether members of the Global Administrator role are automatically added to the local Administrators group on a device when it is joined to Microsoft Entra ID. Leaving it enabled gives the tenant's most privileged directory role standing local admin rights on every joined device, so a compromised GA account (or token) also becomes an endpoint compromise; device-local administration should be granted through a separately scoped mechanism instead.
The recommended state is No.
Remediation
To remediate using the UI:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/.
- Click to expand Entra ID > Devices and select Device settings.
- Set Global administrator role is added as local administrator on the device during Microsoft Entra join (Preview) to No.
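As an added example that is not part of the Powerpipe control or the CIS benchmark text, the following PowerShell reads the same setting directly from the tenant's device registration policy through Microsoft Graph, reports it with the same ok/alarm outcome as the control, and can set it to No. It assumes the Microsoft.Graph PowerShell SDK, a caller who can consent to Policy.ReadWrite.DeviceConfiguration, and the beta policies/deviceRegistrationPolicy endpoint; the -Remediate switch and the output wording are this example's own.

```powershell
# Added example (not the control's or the benchmark's own code).
# Reads /beta/policies/deviceRegistrationPolicy, reports whether Global
# Administrators are added as local admins during Entra join, and optionally
# sets enableGlobalAdmins to false.
# Assumptions: Microsoft.Graph SDK installed; Policy.ReadWrite.DeviceConfiguration
# can be consented; the beta endpoint exposes azureADJoin.localAdmins.
param(
    [switch]$Remediate
)

$policyUri = 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'

Connect-MgGraph -Scopes 'Policy.ReadWrite.DeviceConfiguration' -NoWelcome

# PSObject output is easier to edit and re-serialize than the default hashtable.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri -OutputType PSObject

$localAdmins = $policy.azureADJoin.localAdmins
$enableGA    = if ($null -ne $localAdmins) { $localAdmins.enableGlobalAdmins } else { $null }

# Same three outcomes as the control, except that an absent value is reported
# as something to confirm rather than as a pass, because the documented
# default for this setting is Yes.
if ($null -eq $enableGA) {
    Write-Warning 'enableGlobalAdmins is not present in the policy; confirm the setting in the Entra admin center (documented default is Yes).'
} elseif ($enableGA -eq $true) {
    Write-Host 'ALARM: Global Administrator role is added as local administrator during Entra join.'
} else {
    Write-Host 'OK: Global Administrator role is not added as local administrator during Entra join.'
}

if ($Remediate) {
    if ($null -eq $localAdmins) {
        Write-Warning 'localAdmins block missing from the policy; remediate through the Entra admin center instead.'
    } elseif ($enableGA -eq $false) {
        Write-Host 'Nothing to do: setting is already No.'
    } else {
        # The policy is updated with a PUT of the whole object, so edit the object
        # that was read and send it back without the OData metadata the service added.
        $policy.azureADJoin.localAdmins.enableGlobalAdmins = $false
        $policy.PSObject.Properties.Remove('@odata.context')
        $body = $policy | ConvertTo-Json -Depth 10
        Invoke-MgGraphRequest -Method PUT -Uri $policyUri -Body $body -ContentType 'application/json'
        Write-Host 'Remediated: enableGlobalAdmins set to false. Re-run the Powerpipe control to confirm.'
    }
}

Disconnect-MgGraph | Out-Null
```

Run it without arguments to audit, and with -Remediate to change the setting; the PUT replaces the entire policy, which is why the script modifies the object it just read rather than sending only the one property.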
Default Value
Yes.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_3 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when azure_ad_join -> 'localAdmins' is null then 'ok'
    when (azure_ad_join -> 'localAdmins' -> 'enableGlobalAdmins') is null then 'ok'
    when not ((azure_ad_join -> 'localAdmins' -> 'enableGlobalAdmins')::bool) then 'ok'
    else 'alarm'
  end as status,
  case
    when azure_ad_join -> 'localAdmins' is null then tenant_id || ' has Global Administrator role not added as local administrator during Entra join (setting not configured, default behavior).'
    when (azure_ad_join -> 'localAdmins' -> 'enableGlobalAdmins') is null then tenant_id || ' has Global Administrator role not added as local administrator during Entra join (enableGlobalAdmins not set).'
    when not ((azure_ad_join -> 'localAdmins' -> 'enableGlobalAdmins')::bool) then tenant_id || ' has Global Administrator role not added as local administrator during Entra join.'
    else tenant_id || ' has Global Administrator role added as local administrator during Entra join.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;
Note that the query returns ok when localAdmins or enableGlobalAdmins is absent from azure_ad_join, while the documented default value for this setting is Yes. If the control passes with one of the two "not set" reasons, confirm the value in the Entra admin center before treating the pass as conclusive; only the third ok branch reflects an explicit false.