turbot/steampipe-mod-microsoft365-compliance

Control: 5.1.4.4 Ensure local administrator assignment is limited during Entra join

Description

This setting determines whether the Microsoft Entra user who registers a device through Microsoft Entra join is added to the device's local administrators group. It applies only once, at the moment the device is registered as Microsoft Entra joined; it does not retroactively change existing devices.

The recommended state is Selected or None.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Entra ID > Devices and select Device settings.
  3. Set Registering user is added as local administrator on the device during Microsoft Entra join (Preview) to Selected (and add members) or None.

Default Value

All.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_4 --share

SQL

This control uses a named query:

select
  tenant_id || '/' || id as resource,
  case
    when azure_ad_join -> 'localAdmins' is null then 'ok'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' is null then 'ok'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
      or azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' then 'ok'
    else 'alarm'
  end as status,
  case
    when azure_ad_join -> 'localAdmins' is null then tenant_id || ' has local administrator assignment limited during Entra join (setting not configured, default behavior).'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' is null then tenant_id || ' has local administrator assignment limited during Entra join (registeringUsers not set).'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership' then tenant_id || ' has local administrator assignment limited to selected users or groups during Entra join.'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' then tenant_id || ' has local administrator assignment disabled (none) during Entra join.'
    else tenant_id || ' has local administrator assignment allowed for all users during Entra join.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;
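
The same classification, re-implemented in Python as an added example (not code from the steampipe-mod-microsoft365-compliance project), so the status logic can be checked offline against the JSON that Microsoft Graph returns for GET /policies/deviceRegistrationPolicy. It walks the same `azureADJoin.localAdmins.registeringUsers` path the query reads through the `azure_ad_join` column and applies the branches in the same order. Assumptions, all marked in the code: the `#microsoft.graph.allDeviceRegistrationMembership` type for the "All" state is taken from the Graph schema and is not named on the page; the tenant id and policy id are constructed placeholders; the sample policy documents are constructed. The example also counts the selected users and groups for the enumerated case, a detail the control itself does not check.

```python
# Added example (not part of the steampipe-mod-microsoft365-compliance project):
# mirrors the control's status/reason case expression over Microsoft Graph
# deviceRegistrationPolicy documents, evaluated offline on constructed samples.

ENUMERATED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"
NO_MEMBERSHIP = "#microsoft.graph.noDeviceRegistrationMembership"
# Not named on the page: the membership type Graph uses for the default "All"
# state (assumption based on the Graph schema). The control treats it via its
# else branch, so the exact string only matters for building the sample below.
ALL_USERS = "#microsoft.graph.allDeviceRegistrationMembership"

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id
POLICY_ID = "deviceRegistrationPolicy"            # constructed placeholder policy id


def evaluate_policy(policy: dict, tenant_id: str) -> dict:
    """Return resource/status/reason for one tenant's policy, in the same
    branch order as the control's SQL. Graph's azureADJoin object is what
    Steampipe exposes as the azure_ad_join jsonb column."""
    resource = f"{tenant_id}/{policy.get('id')}"
    local_admins = (policy.get("azureADJoin") or {}).get("localAdmins")
    if local_admins is None:
        return {"resource": resource, "status": "ok",
                "reason": f"{tenant_id} has local administrator assignment limited "
                          "during Entra join (setting not configured, default behavior)."}
    registering = local_admins.get("registeringUsers")
    if registering is None:
        return {"resource": resource, "status": "ok",
                "reason": f"{tenant_id} has local administrator assignment limited "
                          "during Entra join (registeringUsers not set)."}
    odata_type = registering.get("@odata.type")
    if odata_type == ENUMERATED:
        # The control passes any enumerated list; the member count is extra
        # context so an empty "Selected" list is visible to the reviewer.
        members = len(registering.get("users") or []) + len(registering.get("groups") or [])
        return {"resource": resource, "status": "ok", "selected_members": members,
                "reason": f"{tenant_id} has local administrator assignment limited "
                          "to selected users or groups during Entra join."}
    if odata_type == NO_MEMBERSHIP:
        return {"resource": resource, "status": "ok",
                "reason": f"{tenant_id} has local administrator assignment disabled "
                          "(none) during Entra join."}
    # Any other type (including the "All" default) is the alarm case.
    return {"resource": resource, "status": "alarm",
            "reason": f"{tenant_id} has local administrator assignment allowed "
                      "for all users during Entra join."}


# Constructed sample documents covering each branch of the control.
SAMPLE_POLICIES = {
    "all_users": {"id": POLICY_ID, "azureADJoin": {"localAdmins": {
        "registeringUsers": {"@odata.type": ALL_USERS}}}},
    "selected": {"id": POLICY_ID, "azureADJoin": {"localAdmins": {
        "registeringUsers": {"@odata.type": ENUMERATED,
                             "users": ["11111111-1111-1111-1111-111111111111"],
                             "groups": []}}}},
    "none": {"id": POLICY_ID, "azureADJoin": {"localAdmins": {
        "registeringUsers": {"@odata.type": NO_MEMBERSHIP}}}},
    "unset": {"id": POLICY_ID, "azureADJoin": {}},
}


def evaluate_samples() -> dict:
    """Status per constructed sample, keyed by sample name."""
    return {name: evaluate_policy(p, TENANT)["status"] for name, p in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        row = evaluate_policy(policy, TENANT)
        print(f"{name:10} {row['status']:6} {row['reason']}")
```

Only the `all_users` sample raises an alarm; the unset, `none`, and `selected` samples are all `ok`, matching the query's branches. When reviewing a real tenant, the `selected_members` count is worth a look: an enumerated list with no users or groups satisfies the control but leaves nobody as a local administrator on newly joined devices.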

Tags