There is an issue on Azure AD domain joined machines if you want to add Azure AD users to a local group. Let's say you want to enable a user to log on remotely to an Azure AD joined machine, or you want to add users to the local Administrators group. The GUI doesn't support this at all because you are not able to search for users in the cloud.
The first thing we need to do is to have the user in question actually log on to the machine once, so that their SID is cached on the machine itself. This is required to make this work.
If you go into the UI you will see this:
There are no active local users on the machine, as this machine was AAD joined during OOBE.
If you go to Groups and open the local administrators group you will see that the user that joined the machine to AAD is added as a local administrator.
If you try to add users from AAD to the local group you will quickly find that it is not possible at all. There is no way to browse AAD for users, and as we don't have any local users at all you cannot add users to the Administrators group. But luckily there is a very easy way to fix this manually.
Open CMD as administrator and run the command:
net localgroup administrators <DomainName>\<UserName> /add
If you don't have AAD Connect synchronization and are running cloud only, your domain name is AzureAD and the user string is AzureAD\Username.
If we now open the GUI again we can see that the users exists in the local Administrators group:
This can also be used to add users to other groups, such as Remote Desktop Users, to enable remote connection to the PC.
I got a tip from @hosebei on twitter that you should be aware of localized group names. If this is not working, you can get the localized Administrators group name by running this powershell command:
Get-WmiObject Win32_Group -Filter "SID='S-1-5-32-544' AND LocalAccount=True"
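As an added example (this is not code from the original post), here is the whole procedure above wrapped in a PowerShell function: it resolves the localized group name from its well-known SID, adds the Azure AD user with net localgroup exactly as the post does, and then reads the group back to verify the change instead of trusting the "command completed successfully" message. Assumptions: an elevated PowerShell session on an Azure AD joined Windows 10/11 device, the target user has signed in to the device at least once, and Get-CimInstance is used as the CIM equivalent of the Get-WmiObject query from the post so it also runs on PowerShell 7. The user name in the usage lines is a constructed placeholder, and S-1-5-32-555 is the well-known SID of the Remote Desktop Users group.

```powershell
# Added example, not part of the original post.
# Assumes: elevated PowerShell on an Azure AD joined device; the user has signed in once
# so the SID is already cached locally. User names below are constructed placeholders.

function Get-LocalGroupNameBySid {
    param([Parameter(Mandatory)][string]$Sid)
    # Resolve the localized group name from its well-known SID (same query as the post,
    # via CIM) so the script also works on non-English Windows installs.
    $group = Get-CimInstance Win32_Group -Filter "SID='$Sid' AND LocalAccount=True"
    if (-not $group) { throw "No local group with SID $Sid found on this machine" }
    return $group.Name
}

function Test-LocalGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$UserName
    )
    # net localgroup <group> prints one member per line; match the exact account string.
    $lines = & net.exe localgroup "$GroupName"
    if ($LASTEXITCODE -ne 0) { throw "net localgroup $GroupName failed (exit $LASTEXITCODE)" }
    return [bool]($lines | Where-Object { $_.Trim() -ieq $UserName })
}

function Add-AadUserToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$UserName,   # e.g. 'AzureAD\jane.doe@contoso.com' (placeholder)
        [string]$GroupSid = 'S-1-5-32-544'         # Administrators; 'S-1-5-32-555' = Remote Desktop Users
    )
    $groupName = Get-LocalGroupNameBySid -Sid $GroupSid

    # Idempotent: do nothing if the user is already a member.
    if (Test-LocalGroupMembership -GroupName $groupName -UserName $UserName) {
        Write-Host "$UserName is already a member of $groupName"
        return $true
    }

    # The GUI cannot browse Azure AD, so net.exe is used, as in the post.
    & net.exe localgroup "$groupName" "$UserName" /add | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed (exit $LASTEXITCODE). Has $UserName signed in to this device at least once?"
    }

    # Verify by reading the group back rather than trusting the success message.
    $ok = Test-LocalGroupMembership -GroupName $groupName -UserName $UserName
    Write-Host ("{0} added to {1}: {2}" -f $UserName, $groupName, $ok)
    return $ok
}

# Usage (placeholders):
# Add-AadUserToLocalGroup -UserName 'AzureAD\jane.doe@contoso.com'                          # Administrators
# Add-AadUserToLocalGroup -UserName 'AzureAD\jane.doe@contoso.com' -GroupSid 'S-1-5-32-555' # Remote Desktop Users
# & net.exe localgroup (Get-LocalGroupNameBySid -Sid 'S-1-5-32-544')                       # audit current admins
```

The verification step matters because net.exe exits 0 and prints "The command completed successfully" as soon as the call returns; reading the group back with the same tool is the simplest check that the account string was actually accepted. The final usage line is a quick way to audit who currently sits in the local Administrators group on a device where the GUI cannot show Azure AD identities.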