memdocs
memdocs copied to clipboard
MicrosoftDocs
principal of least privilege
There's no way that Full Control is required for autopilot to hybrid join a computer to AD. I'm still surprised that we see principal of least privilege being violated in today's world. And yet there's no "doc" from Microsoft on how to delegate the domain join privilege using the principal of least privilege.
https://docs.microsoft.com/en-us/answers/questions/764328/delegate-34domain-join-only34-permission-to-a-stan.html Take a look at answer proposed by "GaryReynolds". This answer uses the principal of least privilege for domain-joining a computer.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 3f93dd93-e003-36fc-02d6-07166537d914
- Version Independent ID: 1b860d13-bcf5-50da-89f9-ee12ece6edb2
- Content: Enrollment for hybrid Azure AD-joined devices - Windows Autopilot
- Content Source: memdocs/autopilot/windows-autopilot-hybrid.md
- Service: microsoft-intune
- Sub-service: enrollment
- Technology: ****
- GitHub Login: @ErikjeMS
- Microsoft Alias: erikje
the list of properties that you need to write to are:
- displayName
- samAccountName
- userAccountControl
- distinguishedName (to support renames and moves, but not needed for Autopilot)
- cn (to support renames and moves, but not needed for Autopilot)
The list of extended rights that you need are:
- Reset password (for joining to an existing object, but not needed for Autopilot)
- Validated write to dns host name
- Validated write to service principal name
And you still need to delegate the right to create computer objects (I doubt that Autopilot needs the right to delete computer objects).
Anything beyond this list is not related to domain joining computers, like updating the description or any other attributes is associated to managing computer objects, which is a separate task from domain joining. So I'd leave any other attributes out of the delegation for a service account which only has a job of domain-joining computers.
