To manage a Windows device, you need to be a member of the local administrators group. As part of the Azure Active Directory (Azure AD) join process, Azure AD updates the membership of this group on a device. You can customize the membership update to satisfy your business requirements. A membership update is, for example, helpful if you want to enable your helpdesk staff to do tasks requiring administrator rights on a device.

This article explains how the local administrators membership update works and how you can customize it during an Azure AD join. The content of this article doesn't apply to hybrid Azure AD joined devices.

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP).
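A practical check that follows from the above is to audit who actually holds local administrator rights on a given device and which of those entries come from Azure AD rather than from local accounts. The following PowerShell is an added example, not code from the Microsoft article; it assumes Windows 10/11 with the built-in dsregcmd tool and the Microsoft.PowerShell.LocalAccounts module, run from an elevated session. The S-1-12-1 SID prefix is the one Azure AD users and roles carry on a joined device; the fallback to net localgroup exists because on some builds Get-LocalGroupMember fails when a member SID cannot be resolved locally.

```powershell
# Added example (not from the Microsoft article): list who currently holds local
# administrator rights on an Azure AD joined Windows device and flag the entries
# that originate from Azure AD. Assumes Windows 10/11 and an elevated session.

function Get-AzureAdJoinState {
    # dsregcmd is built into Windows; only two lines of its output matter here.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
    }
}

function Get-LocalAdminAudit {
    $join = Get-AzureAdJoinState
    if (-not $join.AzureAdJoined -or $join.DomainJoined) {
        Write-Warning 'Not a pure Azure AD join (hybrid or workgroup); the membership rules described above do not apply.'
    }

    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # On some builds the cmdlet fails when a member SID cannot be resolved;
        # fall back to the classic tool, which lists unresolved members as raw SIDs.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); falling back to 'net localgroup'."
        $raw = net localgroup Administrators
        $members = $raw |
            Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Alias name|Comment|Members|The command)' -and $_ -notmatch '^-+$' } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); SID = $null; PrincipalSource = 'Unknown' } }
    }

    foreach ($m in $members) {
        $sid = if ($m.SID) { $m.SID.Value } else { $m.Name }
        [pscustomobject]@{
            Name            = $m.Name
            SID             = $sid
            PrincipalSource = $m.PrincipalSource   # Local, AzureAD, ActiveDirectory, MicrosoftAccount
            # Azure AD users and Azure AD roles both appear with S-1-12-1-... SIDs on the device.
            FromAzureAd     = $sid -like 'S-1-12-1-*'
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

Run it after a join and again after changing the Azure AD role assignments; since Azure AD roles are represented by SIDs in the group rather than by individual user entries, the local membership list stays the same while the set of people who can actually elevate changes in Azure AD. Comparing the output against your expected set of local accounts is a cheap way to spot extra local administrators that were added outside the join process.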