As almost every company adopts modern device management solutions like Microsoft Intune, Service Desk and support personnel often face challenges when performing administrative tasks on these devices remotely. If you use the Local Administrator Password Solution (LAPS for short) and store the passwords in Entra ID, you can authenticate on managed devices as in the "good old days" with .\admin . If you haven't configured LAPS yet, check out our friend Oliver Müller's blog post about Windows LAPS in Microsoft Intune.
However, there are scenarios where LAPS is not configured, or where you prefer to use a dedicated administrator account. The Entra ID role Microsoft Entra Joined Device Local Administrator is made for exactly these situations. A question I get asked a lot by support personnel is: can I authenticate as a Microsoft Entra Joined Device Local Administrator on a remote Entra ID-joined device with Entra ID credentials, especially through tools like TeamViewer?
In this blog post, you will learn how to sign in with Entra ID credentials using dedicated administrator accounts.
The Solution
Here’s how you can authenticate as an administrator on a remote Autopilot device using Entra ID credentials through TeamViewer:
- Dedicated administrator account: Make sure you have a dedicated administrator account used solely for local device administrative tasks. This personal administrator account should be assigned the Entra ID role Microsoft Entra Joined Device Local Administrator, made eligible (not permanently active) via Privileged Identity Management (PIM for short).
- Installation and configuration: Ensure TeamViewer is installed and running on the device in question. Obtain the TeamViewer ID from the remote device to initiate the connection process.
- Authentication process: Before entering the password in TeamViewer, open the Advanced features and choose Windows authentication.
- Instead of the traditional domain\username format, use the format AzureAD\<UPN>, where <UPN> is the full user principal name of the administrator account. This allows Entra ID credentials to be recognized.
- If your Entra ID account has administrative privileges on the device, this elevates the remote TeamViewer session, so you can see and interact with User Account Control (UAC for short) prompts. After this authentication TeamViewer restarts, and the user has to accept the End User License Agreement again before the session reconnects automatically.
- Operational execution: Once authenticated, you can perform the necessary administrative tasks on the Entra ID joined device securely and efficiently.
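Before starting the TeamViewer session it helps to confirm that the device is really Entra ID-joined and that Entra ID identities are present in its local Administrators group, because the AzureAD\<UPN> sign-in only elevates when both are true. The following PowerShell pre-flight check is an added example, not code from the original post; it assumes a Windows 10/11 device with dsregcmd.exe and net.exe available and is run in an existing session on the device (for example by a colleague or a scheduled script). It needs no Graph or PIM access and does not check whether your PIM role is currently activated; that still has to be verified in the Entra portal.

```powershell
# Added example (not from the original post). Pre-flight check run on the
# Entra ID-joined device before relying on AzureAD\<UPN> sign-in via TeamViewer.
# Assumptions: Windows 10/11, dsregcmd.exe and net.exe on PATH; no Graph access.

function Test-EntraLocalAdminPrereqs {
    # 1. Join state: dsregcmd prints "AzureAdJoined : YES" on joined devices.
    $status = (dsregcmd.exe /status) -join "`n"
    $joined = [bool]($status -match 'AzureAdJoined\s*:\s*YES')

    # 2. Local Administrators membership via net.exe. This is used instead of
    #    Get-LocalGroupMember because that cmdlet can fail on Windows PowerShell
    #    5.1 when a member SID cannot be resolved to a name.
    $raw = net.exe localgroup Administrators
    $separator = $raw | Where-Object { $_ -like '----*' } | Select-Object -First 1
    $start = [Array]::IndexOf($raw, $separator)
    $members = @()
    if ($start -ge 0 -and $start -lt ($raw.Count - 1)) {
        # Member lines sit between the dashed separator and the closing
        # "The command completed successfully." line.
        $members = $raw[($start + 1)..($raw.Count - 1)] |
            Where-Object { $_ -and $_ -notmatch 'completed successfully' }
    }

    # 3. Entra ID identities (users and directory roles) carry the S-1-12-1-
    #    SID prefix. Role-based entries such as Entra Joined Device Local
    #    Administrator are normally shown as unresolved SIDs rather than names,
    #    so an eligible admin will not appear in this list by UPN.
    $cloudSids = @($members | Where-Object { $_ -match '^S-1-12-1-' })

    [pscustomobject]@{
        AzureAdJoined     = $joined
        Administrators    = $members
        EntraIdSidEntries = $cloudSids
        Ready             = ($joined -and $cloudSids.Count -gt 0)
    }
}

$result = Test-EntraLocalAdminPrereqs
$result | Format-List
if (-not $result.Ready) {
    Write-Warning 'Device is not Entra ID-joined or no Entra ID SIDs are in local Administrators; AzureAD\<UPN> sign-in will not elevate the session.'
}
```

If `Ready` is `$false`, the device-side prerequisites are missing and Windows authentication in TeamViewer will sign you in as a standard user at best. If it is `$true` but the elevation still fails, the usual cause is that the Microsoft Entra Joined Device Local Administrator role has not been activated in PIM for the session, or the activation has not yet been reflected in the device's cached token.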
Best Practices for Remote Administration
To maximize the efficiency and security of remote administrative tasks, consider applying these best practices:
- Utilize least privilege principles and PIM to ensure that administrative accounts are only used when necessary, reducing security risks.
- Maintain clear documentation of all administrative credentials and ensure regular updating of access permissions.
- Regularly update TeamViewer and configure settings to ensure optimal performance and security during remote sessions.
Conclusion
Transitioning to modern device management solutions like Microsoft Intune can present challenges, but with the right approach and tools these challenges can be managed effectively. By combining Entra ID credentials with TeamViewer's Windows authentication, support personnel can keep a secure and efficient workflow and handle administrative tasks on remote devices with far less friction.