Global administrator role should not be added as local administrator on the device during Microsoft Entra join

Why This Matters

Granting the Global Administrator role local administrator privileges on Microsoft Entra joined devices creates an unnecessary security risk. If a device is compromised, an attacker could leverage these elevated privileges to move laterally across the tenant. Administrators should restrict local admin assignments to only users who explicitly require them for device management tasks.

What Aether365 Checks

Aether365 verifies that no Global Administrator role is assigned as a local administrator on any device during Microsoft Entra join. This check appears in the Aether365 dashboard under the Entra ID service checks.

How to Fix

To remediate this issue, follow these steps: