The problem? Those leftover admin rights don’t go away on their own. Over time, they quietly pile up and turn into a serious security risk, which most monitoring tools never bother to check. If you don’t know who’s in the local Administrators group, you’re basically trusting luck.

In this guide, I’ll walk you trough how to use Intune and Log Analytics to get a clear, reliable report of who actually has local admin access on every device in your environment.

Solution Overview

We use a proactive approach to ensure no local admins stay hidden:

1. Detection: A PowerShell script runs daily on every machine to query the administrators group.
2. Ingestion: Data is sent to a custom table in our Log Analytics Workspace.
3. Analysis: KQL queries filter out authorized local administrator accounts to highlight outliers.

1. The PowerShell Collection Script

This script gathers members of the local admin group and sends the data to Azure. By running this via Intune, we get a fresh snapshot of the local admins on each PC every 24 hours.

Prerequisite 1: Get the $CustomerID from the log analytics workspace Overview tab.

Prerequisite 2: To get the $SharedKey, use this AZ CLI query.

az monitor log-analytics workspace get-shared-keys \
   --resource-group xxxxx \
   --workspace-name xxxxxx \
   --query "primarySharedKey"

# --------------------------------------------------------------------------
# PowerShell Script: Send Local Administrator Group Members to Log Analytics
# --------------------------------------------------------------------------

# ======================
# 1. Configuration
# ======================
$CustomerID = "<your-customer-id>"
$SharedKey  = "<your-shared-key>"
$LogType    = "LocalAdminReport"

# ======================
# 2. Data Collection
# ======================
$DeviceName = $env:COMPUTERNAME

try {
    $AdminMembers = Get-LocalGroupMember -Group "Administrators"
} catch {
    Write-Error "Error retrieving local group members: $($_.Exception.Message)"
    exit 1
}

$DataToSend = @()
foreach ($Member in $AdminMembers) {
    $MemberName = $Member.Name
    $MemberSource = $Member.PrincipalSource
    if (-not [string]::IsNullOrEmpty($MemberName)) {
        $DataToSend += [PSCustomObject]@{
            DeviceName = $DeviceName
            AdminName  = $MemberName
            PrincipalSource = $MemberSource
            TimeGenerated = (Get-Date -Format s)
        }
    }
}

if ($DataToSend.Count -eq 0) {
    Write-Host "No members found in the Administrators group. Skipping log submission."
    exit 0
}

$JsonPayload = $DataToSend | ConvertTo-Json -Depth 5

# ======================
# 3. Build Request and Signature
# ======================
$Bytes         = [System.Text.Encoding]::UTF8.GetBytes($JsonPayload)
$ContentLength = $Bytes.Length
$APIVersion    = "2016-04-01"
$Date          = (Get-Date).ToUniversalTime().ToString("r")
$ResourcePath  = "/api/logs"

# Build the string for signature (see MS Docs)
$SignatureString = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n$ResourcePath"

# Decode Shared Key and calculate signature
try {
    $KeyBytes   = [Convert]::FromBase64String($SharedKey)
    $HMACSHA256 = New-Object System.Security.Cryptography.HMACSHA256
    $HMACSHA256.Key = $KeyBytes
    $Hash = $HMACSHA256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($SignatureString))
    $Signature = [Convert]::ToBase64String($Hash)
} catch {
    Write-Error "Failed to create signature: $($_.Exception.Message)"
    exit 1
}

$Authorization = "SharedKey ${CustomerId}:$Signature"
$URI = "https://$CustomerID.ods.opinsights.azure.com/api/logs?api-version=$APIVersion"

# ======================
# 4. Send Data
# ======================
$Headers = @{
    "Authorization"        = $Authorization
    "x-ms-date"            = $Date
    "Content-Type"         = "application/json"
    "Log-Type"             = $LogType
    "x-ms-log-type"        = $LogType
    "time-generated-field" = "TimeGenerated"
}

try {
    Write-Host "Sending data to Log Analytics ($LogType)..."
    Write-Host "Target URI: $URI"
    $Response = Invoke-RestMethod -Uri $URI -Method Post -Headers $Headers -Body $JsonPayload
    Write-Host "Successfully sent log data."
} catch {
    Write-Error "Failed to send log data. Error: $($_.Exception.Message)"
    if ($_.Exception.Response) {
        try {
            $Reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $Details = $Reader.ReadToEnd()
            Write-Error "Azure Response: $Details"
        } catch { }
    }
    exit 1
}

exit 0

2. Running the Script Daily via Intune

To force the check daily, we deploy an Intune remediation script.

1. Go to https://intune.microsoft.com.
2. Navigate to Devices > Scripts and remediations > Create.
3. Enter the above script as the Detection Script and leave the Remediation Script empty.

3. Analyzing the Local Administrator Report

Once the data is in our log analytics workspace, we use Kusto (KQL) to audit the results. The goal is to separate legitimate domain accounts from unauthorized user accounts that still have the local admin right.

Compliance Summary

This query counts the number of devices where a user is in the administrators group but does not have “admin” in their name (filtering out the built-in administrator and domain admins).

let allDevices = LocalAdminReport_CL | summarize by DeviceName_s;
let offenderDevices = LocalAdminReport_CL
    | where isnotempty(AdminName_s)
    | where AdminName_s !contains "Admin"
    | summarize by DeviceName_s;
let totalOffenders = offenderDevices 
    | summarize Count = count() 
    | extend Category = "Devices with Local Admin Access";
let compliantDevices = (allDevices
    | join kind=leftanti offenderDevices on DeviceName_s
    | summarize Count = count()
    | extend Category = "Compliant Devices"
);
totalOffenders
| union compliantDevices
| project Category, Count
| order by Category asc

Detailed Account Audit

Use this query to select and list every specific account that has been granted local admin permissions in the last 90 days across your computer fleet.

LocalAdminReport_CL
| where TimeGenerated > ago(90d)
| where isnotempty(AdminName_s)
| where AdminName_s !contains "Admin"
| summarize LatestSeen = max(TimeGenerated) by DeviceName_s, AdminName_s
| order by DeviceName_s asc

Implementation Tips

• Intune Deployment: Set the script to run daily using Devices > Remediations. This ensures that if a user is added and then removed, your logs stay accurate.
• Filtering: Adjust the !contains "Admin" logic if your organization uses a different naming standard for authorized admin accounts.
• Workbook Visuals: In Azure Workbooks, use the “Pie Chart” renderer for the first query to get an immediate view of your environment’s health.

Summary

Good security isn’t about saying “no” to everything. It’s about knowing what’s actually happening in your environment. With this script and report in place, you get a clear audit trail that shows exactly when someone is added as a local administrator. That way, “temporary” access doesn’t quietly turn into a permanent problem, and you stay in control instead of playing cleanup later.

The post Local Admin Report with Intune and Log Analytics appeared first on Cyberillo.

Complete Script

## How to Bulk Add Devices to Azure AD Group Using PowerShell ##
#░█████╗░██╗░░░██╗██████╗░███████╗██████╗░██╗██╗░░░░░██╗░░░░░░█████╗░
#██╔══██╗╚██╗░██╔╝██╔══██╗██╔════╝██╔══██╗██║██║░░░░░██║░░░░░██╔══██╗
#██║░░╚═╝░╚████╔╝░██████╦╝█████╗░░██████╔╝██║██║░░░░░██║░░░░░██║░░██║
#██║░░██╗░░╚██╔╝░░██╔══██╗██╔══╝░░██╔══██╗██║██║░░░░░██║░░░░░██║░░██║
#╚█████╔╝░░░██║░░░██████╦╝███████╗██║░░██║██║███████╗███████╗╚█████╔╝
#░╚════╝░░░░╚═╝░░░╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝╚══════╝╚══════╝░╚════╝░

# Import the AzureAD module
Import-Module AzureAD

# Login to Azure AD
Connect-AzureAD

# Path to your CSV file
$csvFilePath = "C:\path\to\your\devices.csv"

# Security Group Name
$securityGroupName = "Your-Security-Group-Name"

# Get the Security Group Object ID from the group name
$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

$securityGroupId = $securityGroup.ObjectId

# Import the CSV file
$devices = Import-Csv -Path $csvFilePath

# Loop through each device in the CSV
foreach ($device in $devices) {
    $deviceName = $device.DeviceName

    # Get the Device Object ID from the device name
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        # Add the device to the security group
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

# Disconnect from Azure AD
Disconnect-AzureAD

Overview of the Script

So, what does the script do?

1. Import devices from a CSV file.
2. Search for these devices in Azure AD.
3. Add the devices to a specified security group.
4. Report success or errors for each device.

Prerequisites

Before running the script, ensure the following:

• You have the AzureAD PowerShell module installed.
• The script is executed by a user with permissions to manage devices and groups in Azure AD.
• A CSV file containing device names is available.
• The correct security group already exists in Azure AD.

Step-by-Step Breakdown

1. Import the Azure AD Module

The script starts by loading the AzureAD module, which contains cmdlets to manage Azure AD resources from PowerShell.

Import-Module AzureAD

This step is necessary for interacting with Azure AD using PowerShell. If you don’t have the module installed, run:

Install-Module AzureAD

2. Authenticate with Azure AD

Before performing any Azure AD operations, the script requires the user to authenticate:

Connect-AzureAD

This prompts the user to enter credentials or use existing session credentials to connect to Azure AD.

3. Specify the CSV File Path and Security Group

You’ll need a CSV file that lists the devices to be added. The CSV should contain a column titled DeviceName, which holds the names of the devices you want to add.

$csvFilePath = "C:\path\to\your\devices.csv"
$securityGroupName = "Your-Security-Group-Name"

Here, $csvFilePath points to the CSV file and $securityGroupName is the name of the Azure AD security group you want to add the devices to.

4. Retrieve the Security Group Object ID

Azure AD uses unique object IDs for each resource, including security groups. To add devices to a group, the script must first retrieve the Object ID of the target security group:

$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

If the group isn’t found, the script exits with an appropriate message. Otherwise, the script proceeds to store the Object ID of the group in $securityGroupId:

$securityGroupId = $securityGroup.ObjectId

5. Import the CSV File

The devices from the CSV file are imported into a variable $devices:

$devices = Import-Csv -Path $csvFilePath

Each device is stored as a record, and the script processes each device by looping through the records.

6. Loop through Devices and Add to Group

For each device, the script:

• Retrieves the device’s Object ID from Azure AD using the DeviceName from the CSV.
• Adds the device to the specified security group.
• Logs the outcome for each device.

foreach ($device in $devices) {
    $deviceName = $device.DeviceName
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

If the device isn’t found in Azure AD, a message is displayed, and the script moves on to the next device. If an error occurs during the addition process, it’s caught and logged.

7. Disconnect from Azure AD

After processing all the devices, the script disconnects from Azure AD:

Disconnect-AzureAD

This closes the session and ensures no lingering connections remain.

The post How to Bulk Add Devices to Azure AD Group Using PowerShell appeared first on Cyberillo.

How to expand or collapse all headers directly from the Azure portal service menu

To expand all headers in the Azure Portal service menu, click on the up/down double arrow symbol at the top of the menu on the left-hand side of the screen. This icon allows you to toggle between having the headers expanded or collapsed.

How to change the default expand/collapse behaviour of the Azure portal service menu

To change the default expand/collapse behaviour of the Azure portal service menu:

1. Navigate to the gear wheel icon at the top of the screen in the Azure portal to open up the settings.
2. Go to Appearance + startup views from the menu on the left.
3. Choose between Collapsed or Expanded in the Service menu behavior section.

The post How to Expand All Headers in the Azure Portal Service Menu appeared first on Cyberillo.