turbot/steampipe-mod-microsoft365-compliance

Query: azuread_local_admin_assignment_limited

Usage

powerpipe query microsoft365_compliance.query.azuread_local_admin_assignment_limited

SQL

select
  tenant_id || '/' || id as resource,
  case
    when azure_ad_join -> 'localAdmins' is null then 'ok'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' is null then 'ok'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
      or azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' then 'ok'
    else 'alarm'
  end as status,
  case
    when azure_ad_join -> 'localAdmins' is null then tenant_id || ' has local administrator assignment limited during Entra join (setting not configured, default behavior).'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' is null then tenant_id || ' has local administrator assignment limited during Entra join (registeringUsers not set).'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership' then tenant_id || ' has local administrator assignment limited to selected users or groups during Entra join.'
    when azure_ad_join -> 'localAdmins' -> 'registeringUsers' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' then tenant_id || ' has local administrator assignment disabled (none) during Entra join.'
    else tenant_id || ' has local administrator assignment allowed for all users during Entra join.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;

Controls

This query is used by the following controls: