Endpoint Local Administrator is a Power Platform solution that allows you to add and remove users as local administrators on an Intune device from a Power App. No more needing to assign the Azure AD joined device local administrator role.
Note: Currently, this solution utilizes PowerShell to add and remove local administrators. Once Microsoft further develops the Graph API for Account Protection, I will re-work the solution and switch it over to that.
This app utilizes some components from Microsoft's Fluent UI. I'm not a UI person, but I wanted to make this feel somewhat nice.
- Add user permanently as a local administrator
- Add user temporarily as a local administrator
- Remove user from local administrator
When assigning a temporary local administrator, the job goes into a sleeping state once the user has been added. A flow runs every 4 hours in the background to compare the date the granted date vs the ending date you selected. Once it has been reached, the job will move to a removing permissions state and remove the user from local administrator.
If a job is deleted, Azure AD Group(s) and Script(s) associated with the job will be deleted. Job overview of granting a permanent administrator
Job overview of granting a temporary administrator
Receive Teams and/or Outlook adaptivbe card notifications.
Note: Adaptive Card notifications are only viewable in Microsoft Teams and Microsoft Outlook. Adaptive cards will not render on other email clients.
Premium licensing in Power Platform is required for this solution to function since it utilizes Dataverse and other premium connectors. You will need Power Automate per user or Power Automate per flow AND either Power Apps per User, App Passes, or Pay as you go subscription.
You'll need to create an originator ID from the Actionable Email Developer Dashboard. This will allow you to send actionalable messages within your organization. This is needed if you want to receive alerts via Outlook.
- Go to Azure Active Directory Admin Center
- Select App Registrations
- Select New Registration.
- Name the App Registration. Ex: Endpoint Local Administrator
- Leave everything else as the default settings. Select Register
- Grant the App Registration the following Microsoft Graph - Application API Permissions:
- Device.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
- Directory.Read.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- Once granted, Grant admin consent.
- Create a client secret and save the secret value.
- Go to Power Platform Admin Center
- Seelct Environments tab
- Select the environment you'll be importing the solution into and select Settings on the toolbar
- Expand Users + Permissions
- Select Application Users and select New App User
- Select Add an app and select the App Registraition you created then select Add
- Select your business unit and select Create
Leave the security role blank. We will come back to this later after importing the solution.
Before we import the solution, we need to create the Dataverse Application User Connection.
- Go to Power Automate
- Select the environment from the top-right that you'll be importing the solution into.
- Select Create on the left-side toolbar and select Instant Cloud Flow
- On the new flow page, select one of the Dataverse triggers or actions.
- Click the elipses on the action (...) and select Add New Connection
- Select Connect with service principal and name the connection. Ex: ELA - Application User
- Enter in the Tenant ID, Client ID, and Client Secret from the app registration you created earlier.
- Select Create.
At this point the service principal connection should be created. You can close out of this flow without saving it.
-
Download the un-managed zip file
-
Import the solution into your environment.
- On the first Import page, expand Advanced Settings and un-check Enable plugin steps and flows included in this solution
- When setting up the connections, use the ELA - Application User connection for the ELA - Service Principal connection reference.
- For Microsoft Teams and Outlook, use an account you want to send the notifications from. This account will need to be licensed for Teams and Outlook.
- Set the following environment variables:
- AppRegistration_ClientID: Use the Application(client) ID from the App Registration you created
- AppRegistration_ClientSecret: Use the client secret you created
- AppRegistration_TenantID: Use your tenant id
- MothershipURI: Leave this blank for now.
- OriginatorID: Originator ID from Actionable Email Developer Dashboard
-
Once the solution has been imported, turn on then edit the flow Flow - Process Request - PowerShell Script Listener and copy the HTTP Post URL from the trigger.
-
Update the environment variable MothershipURI with the URL you just copied.
-
Go back to the application user you created in your environment and give it the ELA - Application User security role.
-
Turn on the rest of the Flows within the solution.
- On the main screen, select Manage Device
- Enter an Intune device name then select Search
- Scroll down to the bottom and adjust the configuration to your desired settings.
- Select submit.
To modify Teams or Outlook users to notify upon various job statuses, click the gear icon on the top-right of the app. From there, you'll be able to add and remove users.
When sharing the Power App, make sure to assign the user or group the ELA - Administrator Dataverse security role.
If any error is encountered in the flows, the status of a job will change to error. The flow id and run id will be stored and sent in a notification via Teams/Email. From there, you'll be able to view the flow to see what went wrong.
Currently, this solution uses PowerShell to add and remove local administrators. Each time the script runs on a device, a log file is created under: C:\Windows\Logs\Endpoint Local Administrator