An Introduction to Custom CSP Policy Profiles: Adding AzureAD Users as Local Administrators

The main aim (hey, that rhymed!) is to give a quick introduction to custom profiles via OMA-URIs rather than going all theory heavy. If you’re interested in that, check out some of the other posts on this blog!

First of all, by default, all AzureAD-joined devices will automatically have two roles assigned as device administrators:

  • Global Administrators
  • Local Administrators

Now if the device wasn’t enrolled via an Autopilot profile where you defined that the user account type is standard, then the first user to log in and register the device will also be made a local administrator, which isn’t so great for the security-minded administrator. So make sure to click the link above and learn how to avoid this 😉.

But again, that’s not the main aim (there’s that rhyme again!) of this post. So onwards and upwards to your OMA-URI introduction!


Custom Policy Profile Configurations

This method is going to be split into two, as the first part will add a generic local user to the device. This is not recommended in a production environment, as having a standard "universal" account is no bueno in terms of zero trust, and the password requires a reset the first time you log in with this account (you can get around this requirement by pushing out a PowerShell script but, for now, that's outside the scope of this post).

Head over to Intune > Devices > Configuration profiles > + Create profile > Select Windows 10 and later > Profile type Templates > Custom.

Type in a name for your profile:

And select Add. The values you want to enter are as follows:

Name: Add Local Administrator [It doesn’t actually matter what you name it.]

Description: Optional but useful especially if you’re a dope and gave it a stupid name that you won’t be able to remember the meaning of months down the line.

OMA-URI: ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure [See this post if you want to see how OMA-URIs are constructed]

Data type: String [as I’m keeping the theory light, all you need to know is that string essentially means you’re entering in text]

Value: [The following is the XML definition you’ll be using to tell your Intune enrolled device what to do]


    <GroupConfiguration>
        <accessgroup desc = "Administrators">
            <group action = "U"/>
            <!-- the AzureAD account's UPN (or SID) goes after the backslash -->
            <add member = "AzureAD\"/>
        </accessgroup>
    </GroupConfiguration>

OK, I know I said I was keeping this theory-lite, but this last part (the value) is important to understand. Breaking it down:

  • <accessgroup desc> – This element specifies the name (or SID) of the local group that should be configured.
  • <group action> – This element specifies the action that should be taken on the local group that should be configured.
  • U – This action (update) can be used to add or remove members of the local group that should be configured.
  • <add member> – This element specifies the name or SID of the member that should be added to the local group.

Hit save. Go ahead and assign the profile to the device groups you want your policy to target.

Review your settings and, if you’re happy, create it.

Congratulations! Your Local Admin policy has been created! Hit up the link under “Monitor” to make sure it hits the devices you’ve targeted and also for any eventual troubleshooting.
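If you would rather not hand-type that XML value for every admin, here is an added PowerShell example (my own, not code from the original post or from Microsoft) that builds the GroupConfiguration string for a list of AzureAD UPNs and then audits the local Administrators group on a targeted device so you can confirm the policy landed with only the members you expect. The UPNs shown are constructed placeholders; the function names are mine.

```powershell
# Added example, not from the original post. Builds the value for the
# ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure OMA-URI and
# audits the result on a device. UPNs below are constructed placeholders.
function New-LocalAdminGroupConfiguration {
    param(
        [Parameter(Mandatory)][string[]]$AzureAdUpn,
        [ValidateSet('U','R')][string]$Action = 'U',   # U = update (add/remove), R = replace whole membership
        [string]$GroupName = 'Administrators'
    )
    # Use the XML API rather than string concatenation so odd characters in a UPN are escaped correctly.
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('GroupConfiguration'))
    $grp  = $root.AppendChild($doc.CreateElement('accessgroup'))
    $grp.SetAttribute('desc', $GroupName)
    $act  = $grp.AppendChild($doc.CreateElement('group'))
    $act.SetAttribute('action', $Action)
    foreach ($upn in $AzureAdUpn) {
        # Refuse anything that does not look like a UPN; a typo here silently grants nothing or the wrong thing.
        if ($upn -notmatch '^[^@\s]+@[^@\s]+$') { throw "Not a UPN: $upn" }
        $m = $grp.AppendChild($doc.CreateElement('add'))
        $m.SetAttribute('member', "AzureAD\$upn")
    }
    # The portal's Value field takes one string; OuterXml is exactly that.
    return $doc.OuterXml
}

function Test-LocalAdminMembership {
    # Run on the device after the policy applies. Anything in Unexpected (beyond the
    # built-in Administrator account and the unresolved AzureAD role SIDs) deserves a look.
    param([Parameter(Mandatory)][string[]]$ExpectedMember)
    $actual = (Get-LocalGroupMember -Group 'Administrators').Name
    [pscustomobject]@{
        Missing    = @($ExpectedMember | Where-Object { $_ -notin $actual })
        Unexpected = @($actual | Where-Object { $_ -notin $ExpectedMember })
    }
}

# Constructed placeholder UPNs; replace with your own admins.
$value = New-LocalAdminGroupConfiguration -AzureAdUpn 'admin1@contoso.com', 'admin2@contoso.com'
$value   # paste this into the Value field of the custom OMA-URI row
# On a targeted device, after the policy has applied:
# Test-LocalAdminMembership -ExpectedMember 'AzureAD\admin1@contoso.com', 'AzureAD\admin2@contoso.com'
```

Action U leaves existing members alone and only adds or removes the ones you list, while R replaces the whole membership, so double-check which one you asked for before assigning the profile broadly.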

But remember that I meant for this post to be a super quick introduction and I really encourage you to check out the other posts on this blog.

Edit: No really. This was one of the first blog posts I wrote and I personally feel that I have gotten a lot better at this stuff 😉.