Microsoft Intune: Manage group membership

Published on: September 11, 2024 | Reading Time: 3 min | Last Modified : September 11, 2024

Overview:

This profile controls the local group membership on devices by Policy CSP - LocalUsersAndGroups.

When you configure this profile, you can create multiple rules to manage which built-in local groups you want to change, the group action to take, and the method to select the users. Basically, we use this profile to add, remove, or replace members of the built-in local groups on Windows devices. For example, the Administrators local group has broad rights. You can utilize this policy to modify the Admin group’s membership, restricting it to a defined set of members exclusively.

Pre-requisites

  • Devices must run Windows 10 20H2 or later, or Windows 11.

More details on available options:

The following are the configurations you can make:

Local group: Select one or more groups from the drop-down. These groups all apply the same Group and user action to the users you assign. You can create more than one grouping of local groups in a single profile and assign different actions and groups of users to each grouping of local groups.

Note: The list of local groups is limited to the six built-in local groups which are guaranteed to be evaluated at logon.

Group and user action: Configure the action to apply to the selected groups. This action applies to the users you select for this same action and grouping of local accounts. Actions you can select include:

Add (Update): Adds members to the selected groups. The group membership for users that aren’t specified by the policy aren’t changed.

Remove (Update): Remove members from the selected groups. The group membership for users that aren’t specified by the policy aren’t changed.

Add (Replace): Replace the members of the selected groups with the new members you specify for this action. This option works in the same way as a Restricted Group and any group members that aren’t specified in the policy are removed.

User selection type: Choose how to select users. Options include:

Users: Select the users and user groups from Microsoft Entra ID. (Supported for Microsoft Entra joined devices only).

Manual: Specify Microsoft Entra users and groups manually, by username, domain\username, or the groups security identifier (SID). (Supported for Microsoft Entra joined and Microsoft Entra hybrid joined devices).

Steps:

Step 1: Go to Intune > Endpoint Security > Account Protection.

Step 2: Select Create policy

Step 3: Select Platform as Windows and Profile as Local user group membership

Step 4: I have taken Administrators for local group and below are options you can select as per requirement:

Step 5: Assign users from Entra/Intune.

Choosing the Manual option can be helpful in scenarios where you want to manage your on-premises Active Directory users from Active Directory to a local group for a Microsoft Entra hybrid joined device. The supported formats of identifying the user selection in order of most to least preferred is through the SID, domain\username, or member’s username. Values from Active Directory must be used for hybrid joined devices, while values from Microsoft Entra ID must be used for Microsoft Entra join. Microsoft Entra group SIDs can be obtained using Graph API for Groups.

Note: For hybrid environment, I would recoemmend to use manual as user selection type. Here, you will need to put SID (Security Identifier) that can be pulled from MS-Graph.

Step 6: Assign it to device group.

Result Time:

Here’s is the bonus:

How to get SID from MS-Graph?

Login to MS-Graph with Intune Admin permission.

Run GET on

https://graph.microsoft.com/v1.0/users/userid?$select=displayName.securityIdentifier.onPremisesSecurityIdentifier

Replace userid with user id of the specific user