Registering user should not be added as local administrator on the device during Microsoft Entra join
Why This Matters
By default, the user who registers a device during Microsoft Entra join is automatically added to the device's local Administrators group. This default elevates standard users to administrative privileges on their devices, increasing the risk of accidental system changes or malware propagation. Controlling local administrator membership upholds the principle of least privilege and reduces the attack surface of managed devices.
What Aether365 Checks
This check verifies that the policy preventing registering users from being added as local administrators during Microsoft Entra join is enforced. In the Aether365 dashboard, this appears under the entra-id service category as check AE.1091.
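The same setting can be evaluated offline from an exported device registration policy. The following is an added example, not Aether365's own code: it assumes the JSON shape of the Microsoft Graph beta deviceRegistrationPolicy resource (azureADJoin.localAdmins.registeringUsers), and the function name, the verdict strings and the rule that only "none" passes are assumptions made for illustration.

```python
import json

# Membership types of azureADJoin.localAdmins.registeringUsers (assumed from
# the Graph beta deviceRegistrationPolicy resource, not from this page).
NONE = "#microsoft.graph.noDeviceRegistrationMembership"
ALL = "#microsoft.graph.allDeviceRegistrationMembership"
SELECTED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"


def evaluate_registering_user_admin(policy):
    """Return (status, detail) for the registering-user local admin setting."""
    join = policy.get("azureADJoin") or {}
    membership = (join.get("localAdmins") or {}).get("registeringUsers")
    if not isinstance(membership, dict):
        # Missing data is never reported as compliant.
        return ("UNKNOWN", "registeringUsers missing; cannot evaluate")
    kind = membership.get("@odata.type", "")
    if kind == NONE:
        return ("PASS", "registering user is not added to local Administrators")
    if kind == ALL:
        return ("FAIL", "every registering user becomes a local administrator")
    if kind == SELECTED:
        count = len(membership.get("users") or []) + len(membership.get("groups") or [])
        return ("FAIL", f"{count} selected users/groups become local administrators")
    return ("UNKNOWN", f"unrecognised membership type {kind!r}")


# Constructed sample policy document (not real tenant data).
SAMPLE_POLICY = json.loads("""
{
  "azureADJoin": {
    "isAdminConfigurable": true,
    "localAdmins": {
      "enableGlobalAdmins": false,
      "registeringUsers": {
        "@odata.type": "#microsoft.graph.enumeratedDeviceRegistrationMembership",
        "users": ["00000000-0000-0000-0000-000000000001"],
        "groups": []
      }
    }
  }
}
""")

if __name__ == "__main__":
    print(evaluate_registering_user_admin(SAMPLE_POLICY))
```

A "selected" membership is reported as a failure here because the listed users and groups still receive local administrator rights at join time.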