How to manage local administrators – ENTRA
To manage the local administrator role for Microsoft Entra joined devices, use the Microsoft Entra admin center under Device settings to add or remove users and groups. You must have a Privileged Role Administrator role to access these settings. Administrators can define who becomes a local administrator on new devices by assigning them to the “Additional local administrators” list in device settings.
How to manage local administrators
- Sign in to the Microsoft Entra admin center as a Privileged Role Administrator.
- Navigate to Microsoft Entra ID > Devices > All devices > Device settings.
- Select Manage Additional local administrators on all Microsoft Entra joined devices.
- Select Add assignments to choose other users or groups to add.
- Add your selections to grant them local administrator privileges on all Entra joined devices.
Important considerations
- Permissions are applied to all devices: The local administrator permissions are assigned to all Microsoft Entra joined devices in your tenant and cannot be scoped to a specific set of devices.
- New devices only: Changes made to local administrator settings in the admin center will apply to new devices. Existing local administrators on already joined devices will not be automatically removed.
- User and group assignments: You can add individual users or, for easier management, create a Microsoft Entra group and add that group to the local administrators list.
- Default behavior: By default, a user’s Microsoft Entra ID is not automatically added to the local administrators group. However, the “Registering User” role can be configured to grant local admin rights during enrollment, either to all users, a selected user, or none.
- Time delay: For users who already signed in to a device, it can take up to four hours for their new local administrator privileges to be applied, as a new Primary Refresh Token (PRT) needs to be issued. After the delay, the user must sign out and back in to refresh their profile and gain the new permissions.
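Because assignments made in the admin center apply only to newly joined devices and never remove existing local administrators, a practitioner usually wants to audit what the local Administrators group on an already joined device actually contains. The script below is an added example, not part of the original article or any Microsoft tooling: it enumerates the built-in Administrators group through ADSI (which, unlike Get-LocalGroupMember, tolerates the unresolved cloud SIDs that Entra principals often appear as) and classifies each member by its SID prefix. The SID patterns (S-1-12-1 for Entra cloud principals, S-1-5-21-...-500 for the built-in Administrator, other S-1-5-21 for local accounts) are well-known identifier formats; the function names and the constructed sample SIDs in the self-test are assumptions made for this example.

```powershell
# Classify a local Administrators member by its SID.
# S-1-12-1-*          -> Microsoft Entra (cloud) principal, e.g. Device Administrators role members
# S-1-5-21-*-500      -> built-in local Administrator account
# S-1-5-21-*          -> other local or domain account
# S-1-5-32-*          -> built-in group
function Get-AdminSidClass {
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -like 'S-1-12-1-*')          { return 'EntraCloudPrincipal' }
    if ($Sid -match '^S-1-5-21-.*-500$')  { return 'BuiltInAdministrator' }
    if ($Sid -like 'S-1-5-21-*')          { return 'LocalOrDomainAccount' }
    if ($Sid -like 'S-1-5-32-*')          { return 'BuiltInGroup' }
    return 'Other'
}

# Enumerate the local Administrators group via ADSI (WinNT provider) and
# return one object per member with name, SID, class and a classification.
# Entra members may show only a SID as Name if that principal has never
# signed in to this device.
function Get-LocalAdminInventory {
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members'))

    foreach ($m in $members) {
        $type     = $m.GetType()
        $name     = $type.InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $class    = $type.InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

        [pscustomobject]@{
            Name   = $name
            Class  = $class     # User or Group as reported by WinNT
            Sid    = $sid
            Source = Get-AdminSidClass -Sid $sid
        }
    }
}

# Small self-check of the classifier with constructed (hypothetical) SIDs,
# so the logic can be exercised without touching the live group.
function Test-AdminSidClass {
    $cases = @{
        'S-1-12-1-1111111111-2222222222-3333333333-4444444444' = 'EntraCloudPrincipal'
        'S-1-5-21-1000000000-2000000000-3000000000-500'        = 'BuiltInAdministrator'
        'S-1-5-21-1000000000-2000000000-3000000000-1001'       = 'LocalOrDomainAccount'
        'S-1-5-32-544'                                         = 'BuiltInGroup'
    }
    foreach ($sid in $cases.Keys) {
        $got = Get-AdminSidClass -Sid $sid
        if ($got -ne $cases[$sid]) { throw "Expected $($cases[$sid]) for $sid, got $got" }
    }
    'classifier self-check passed'
}

# Usage: run elevated on the Entra joined device you want to inspect.
Test-AdminSidClass
Get-LocalAdminInventory | Sort-Object Source, Name | Format-Table -AutoSize
```

Run the inventory on a device that was joined before an assignment change and compare the EntraCloudPrincipal entries against the current "Additional local administrators" list; anything present on the device but no longer in the tenant list is exactly the leftover membership the article warns about, and has to be removed on the device itself (for example through an Intune policy or a local group change) rather than from the admin center.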