How do I add Azure Active Directory User to Local Administrators Group

You can do this via command line! I just had this same issue and after searching and getting nothing but "you can't" from everywhere, I (for giggles and grins) tried this through the command line and IT WORKED!!

1. Login to the PC as the Azure AD user you want to be a local admin. This gets the GUID onto the PC.

2. Log out as that user and login as a local admin user.

3. Open a command prompt as Administrator and using the command line, add the user to the administrators group. As an example, if I had a user called John Doe, the command would be net localgroup administrators AzureAD\JohnDoe /add.

Log back in as the user and they will be a local admin now.

I found this Microsoft document related to this question:
"Connect to remote Azure Active Directory-joined PC".

You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:

net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"

where FirstnameLastname is the name of the user profile in C:\Users, which is created based on DisplayName attribute in Azure AD.

This command only works for AADJ device users already added to any of the local groups (administrators). Otherwise this command throws the below error. For example:

• For cloud only user: "There is no such global user or group : name"
• For synced user: "There is no such global user or group : name"

In Windows 10, version 1709, the user does not have to sign in to the remote device first.

In Windows 10, version 1709, you can add other Azure AD users to the Administrators group on a device in Settings and restrict remote credentials to Administrators. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.

Please keep this sentance in mind:

In Windows 10, version 1709, the user does not have to sign in to the remote device first.

I just landed here with a similar problem - how do I add my Azure user to the local "Hyper-V Administrators" group.

Apart from the best-rated answer (thanks!), turns out you can with the following PS command as well:

PS> ([adsi]"WinNT://./Hyper-V Administrators,group").Add("WinNT://$env:UserDomain/$env:Username,user")

which I found on https://docs.okd.io/latest/minishift/troubleshooting/troubleshooting-driver-plugins.html#troubleshooting-driver-hyperv

Try this PowerShell command with a local admin account you already have.

Add-LocalGroupMember -Group administrators -Member AzureAD\*UPN*

My experience is also there is no option available to add a single AAD account to the local adminstrator group. What you can do is add additional administrators for ALL devices that have joined the Azure AD. You can do his through the azure console on https://manage.windowsazure.com for which you need an AAD license). You can find this option by clicking on your tenant name and click on the 'configure' tab. Look for the 'devices' section.

This means that two AAD users can not be local admin on the same device at the same time, unless one of the users is a global admin for all devices... In the case the windows machine has to change owner, that needs also local admin rights on the specific machine, you need to de-join from AAD and re-join using the new owner user account.

I tried this and to my surprise the built-in local administrator did not have permissions to join Azure AD. Clicking the button didn't give any reply. Only after adding another local administrator account and log in locally with that user I could start the join process. In the login screen I specified the Azure AD/0365 user. That one became local admin correctly.

See also the blog below:

Azure ad join windows 10