Elevating to the Azure AD Joined Device Local Administrator Role with Privileged Identity Management (PIM)

After troubleshooting a number of cases on issues elevating to the Azure AD Joined Device Local Administrator Role with Privileged Identity Management (PIM), I want to explain how to immediately utilize this role on a AAD Joined Device so you can utilize the Local Administrator role on that device.

The number one reason you may not have Local Administrator privileges after elevating to this role using PIM is that you are still using a cached Primary Refresh Token (PRT) on the local device. If you have an active PRT (check with command prompt -> dsregcmd /status ) that was issued prior to your PIM elevation (check the AzureAdPrtUpdateTime attribute) , then you won’t see the benefits of your newly elevated role until that PRT cache expires. Which as per How is a PRT renewed? is only every 4 hours

The requirement to utilize your newly elevated role is to obtain a new Primary Refresh Token (PRT). So if you don’t want to wait for 4 hours to have your PRT refreshed, here are the steps to ensure you obtain a new PRT and immediately receive Local Administrator privileges on your AAD Joined Device.

Elevation Steps

  1. Using Privlieged Identity Management, activate your eligible Azure AD Joined Device Local Administrator Role.
  2. Browse to PIM blade -> My roles and verify this role shows up under the Active assignments tab:
PIM -> My Roles -> Active Assignments
  1. Additionally, browse to PIM -> My audit history -> And note the exact timestamp of the time your “Add member to role completed (PIM activation)” activity occured.
PIM -> My Audit History -> Add member to role completed (PIM activation) timestamp
  1. Now you can login to your Windows client machine and check to see if you have Local Administrator permissions or not. To do this, open a Windows Command Prompt (start -> run -> cmd) and run the cmd whoami /all check if you show as a member of the BUILTIN\Administrators group or not under Group Information. In this example, as I am using a cached PRT obtained prior to PIM elevation, I am NOT showing as a Local Administrator
Command Prompt -> whoami /all -> no listing for BUILTIN\Administrators
  1. Since I need a fresh PRT to see my new role, I will run the command dsregcmd /refreshprt , this command will schedule a refresh of my PRT.
Command Prompt -> dsregcmd /refreshprt
  1. After running this command, I suggest waiting for ~ 1-2 minutes to allow the refresh to occur.
  2. After waiting 1-2 minutes, Logout of your Windows session.
  3. Now, Log back in to your Windows session to utilize your new PRT
  4. Check again if you now have Local Administrator permissions by running whoami /all and locating the new entry for the BUILTIN\Administrators group.
Command Prompt -> whoami /all -> BUILTIN\Administrators now listed

Hope this helps someone!

Leave a Reply