Endpoint Local Administrator is a Power Platform solution that allows you to add and remove users as local administrators on an Intune device from a Power App.
I originally built a solution similar to this, but in ServiceNow. When I built that, users could submit a request for local administrator via a ServiceNow Catalog Request. Once their manager approved it, Power Automate would automatically grant them local administrator on their Intune device, either permanently or temporarily, using the same method this uses.
With this solution, there is no longer any need to assign the Azure AD joined device local administrator role or to manually remote into a user’s machine and grant them local administrator.
- Add a user as a permanent local administrator
- Add a user as a temporary local administrator
- Remove a user from local administrator
- Supports Hybrid and Azure AD Joined Devices
Search for a Device
To manage a local administrator on a device, select Manage Device on the dashboard, then enter the name of a device.
View Device Information
After searching for a device, you can view information such as specific local administrator jobs that have run on that device, along with the primary user. This is also where you create your assignment.
Create Permanent Assignment
When you search for a device, the default configuration toggles will be set to a permanent assignment as shown below.
The app pulls in the primary user of the device, assuming that is who you’d want to add. If not, you can turn off the toggle and search for another user in Office 365.
Create Temporary Assignment
You can create a temporary assignment by turning off the permanent assignment toggle. This will allow you to select a date on which the local administrator rights should be removed.
View Job Status
Once a job has been submitted, you can view the status and see where it is in its life cycle.
You can modify notification settings for Microsoft Teams and Microsoft Outlook here. You can enable or disable notifications, and modify the users who will receive them.
Whenever a job is completed, or admin gets granted, removed, or fails, you can receive adaptive card notifications in Teams and Outlook.
In order for the solution to function, you will need the following licenses:
- For Power Automate:
  - Power Automate per User
    - The user that imports the solution into an environment needs this license. Alternatively, you can change the ownership of the flows to a user with the license once it’s imported.
  - Power Automate per Flow
    - This solution contains 8 Cloud Flows
- For Power Apps:
  - Power Apps per User
  - Power Apps Pay-As-You-Go
  - Power App App Passes
The solution can be downloaded from GitHub. Please view the README file for instructions on what needs to be done to successfully import the solution. It should only take you 10-15 minutes.
If you have any issues or suggestions, let me know!