Hi,
I'm looking for a way to manage local administrators on the Windows Endpoint devices. These devices are currently in a hybrid joined configuration.
We have a handful of users that use VPN and a majority that don't; they consume online services.
The original plan was to use AD groups, one per machine, and then where required assign the user to the group for the target machine. In reality this only works reliably for users who are on site, as the VPN causes issues with the user membership not being updated. The VPN is not running until after login, and obviously users who do not use the VPN will never be able to have the group added.
I have been looking to see if I can use groups in AAD, but I'm not seeing any clear examples except for managing groups of machines.
I have found that it can be done via policy, but I have my doubts about...