I'm currently cleaning up a Microsoft 365 environment for a company, and I've run into an odd issue. They use EntraID for user accounts and have it set to prompt for admin rights when running tasks as an admin, but one user isn't receiving the expected credential prompt. Instead, they only see a generic yes or no option. This user had Global Admin rights, which I've removed, thinking that might fix the problem, but it's still an issue. They're not part of the Cloud Administrator group; it's just the main admin account I use. I've read that it might be related to a cached token in Windows, and someone suggested signing out of Entra ID and setting it up again. Before going that route, I'm looking for any other suggestions to resolve this. Thanks!
1 Answer
This situation might stem from the "Global administrator role is added as a local administrator on the device during Microsoft Entra join" setting. You can check this in the Entra portal under Device settings. If that option is active, it assigns all global admins as local admins at the time the device is enrolled, and it doesn't automatically update afterward. To resolve this, you'll have to remove the group assignments on the device.
I disabled that option to avoid issues in the future. The only local admin on all Entra-joined devices is myself, and that works smoothly. It’s just this one device where the account was previously a global admin and now isn't, yet Windows still seems to think they have admin rights. I'm considering disconnecting the device from Entra and rejoining it, but I'd like to avoid that if possible. Any other ideas?