Hey All
We have chosen to Azure AD join all our laptops rather than going with a hybrid solution.
The process involved disconnecting the laptops from the traditional domain and then joining AAD. During the process the devices were AADJ as the user, and then the user signed in with their Azure account. I noticed this method gave the local admin access on the machine. Unless I AADJ the machine as myself or use Autopilot, only then will the user have a standard account when they log on.
I have tested using Account protection, which appears to remove the logged-on user from the Administrator group, but I have to replace it with either another user or group.
Is there a simpler way to achieve removing the user from the Administrator group?