Use this operation to add or remove accounts from sanctioned administrator groups with device administrator privileges.
Role Requirements
Procedure Scope: Administrators
Required Group Membership: Admin.Security
Handbook Reference
Package: Device Security
Domain: TBD
Modifies: TBD
When to Perform this Operation
As Needed: Proactive or in Response to User/Security
Technical Description and Importance
Managing sanctioned device administrator accounts is crucial for maintaining control over administrative privileges on devices. Proper management ensures that only authorized users have elevated permissions, reducing the risk of unauthorized changes or misuse of administrative rights. By regularly updating these memberships, organizations can align with potential compliance requirements and safeguard their environment from privilege escalation attacks. This proactive management supports operational efficiency while minimizing administrative risk, ensuring that access is granted only to accounts necessary for business operations.
Management Options
- Add an Account as a Device Administrator
- Remove an Account as a Device Administrator
Add an Account as a Device Administrator:
Purpose
Add a user account to the sanctioned administrator group, granting device administrator privileges.
Use Case
A new IT staff member requires device administrator permissions to support endpoint management tasks.
Remove an Account as a Device Administrator:
Purpose
Remove a user account from the sanctioned administrator group, revoking device administrator privileges.
Use Case
A former IT staff member no longer requires elevated privileges due to a role change or offboarding.
| Operation | Action | Target |
| --- | --- | --- |
| Add an Account as a Device Administrator | Addition | Sanctioned Device Admins |
| Remove an Account as a Device Administrator | Removal | Sanctioned Device Admins |
Add an Account as a Device Administrator
This operation adds a user account to the sanctioned administrator group to enable device administrator privileges.
1. Entra ID Admin Group Addition
Remove an Account as a Device Administrator
This operation removes a user account from the sanctioned administrator group to revoke device administrator privileges.
1. Entra ID Admin Group Removal
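Both operations above can also be scripted so that the change is idempotent and previewable. The following is an added example, not part of the handbook's own procedure. It assumes the Microsoft Graph PowerShell SDK is installed and that the group's display name is "Sanctioned Device Admins" (the Target in the table above); the function name and the sample account are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users
# Added example, not the handbook's own procedure.
# Assumption: the group's display name is 'Sanctioned Device Admins' (the Target in the table above).

function Set-SanctionedDeviceAdmin {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Addition', 'Removal')][string]$Action,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$GroupName = 'Sanctioned Device Admins'   # assumed display name
    )

    # Resolve exactly one group; a duplicate display name must not be guessed at.
    $escaped = $GroupName.Replace("'", "''")
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected one group named '$GroupName', found $($groups.Count)."
    }
    $group = $groups[0]
    $user  = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

    # Direct members only; nested groups are not expanded.
    $memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)
    $isMember  = $memberIds -contains $user.Id

    if ($Action -eq 'Addition' -and -not $isMember) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Add to $GroupName")) {
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        }
    }
    elseif ($Action -eq 'Removal' -and $isMember) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Remove from $GroupName")) {
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
        }
    }
    else {
        Write-Verbose "$UserPrincipalName is already in the desired state; no change made."
    }

    # Return the current direct membership for the change record.
    Get-MgGroupMember -GroupId $group.Id -All |
        Select-Object Id, @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties['userPrincipalName'] } }
}

# Constructed sample account; replace with the real UPN. -WhatIf previews without changing anything.
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'User.Read.All'
Set-SanctionedDeviceAdmin -Action Addition -UserPrincipalName 'new.tech@contoso.example' -WhatIf
```

Drop `-WhatIf` to apply the change, and keep the returned membership list with the request that authorized it.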
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.