Configure non-global admin accounts, Configure non-global admin accounts on surface hub, Summary create azure ad security groups – Microsoft Surface Hub 2 SmCamera User Manual

Configure non-Global Admin accounts on Surface Hub

Article • 04/19/2023 • Applies to: Surface Hub, Surface Hub 2S

The Windows 10 Team 2020 Update adds support for configuring non-Global Admin
accounts that limit permissions to management of the Settings app on Surface Hub
devices joined to an Azure AD domain. This enables you to scope admin permissions for
Surface Hub only and prevent potentially unwanted admin access across an entire Azure
AD domain.

Windows 10 Team 2020 Update 2 adds support for LocalUsersAndGroups CSP. That is now the recommended CSP to use; RestrictedGroups CSP is still supported, but has been deprecated.

The process of creating non-Global Admin accounts involves the following steps:

1. In Microsoft Intune, create a Security group containing the admins designated to manage Surface Hub.
2. Obtain Azure AD Group SID using PowerShell.
3. Create an XML file containing Azure AD Group SID.
4. Create a Security Group containing the Surface Hub devices that the non-Global admins Security group will manage.
5. Create a custom Configuration profile targeting the security group that contains your Surface Hub devices.

Note

Before you begin, make sure your Surface Hub is Azure AD-joined and Intune auto-enrolled. If not, you will need to reset the Surface Hub and complete the first-time, out-of-the-box (OOBE) setup again, choosing the option to join Azure AD. Only accounts that authenticate via Azure AD are supported with the non-Global Admin policy configuration.
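Steps 2 and 3 of the procedure, as an added PowerShell example that is not part of the original manual. The function names, the output file name and the object ID are assumptions made for illustration. The XML layout follows the LocalUsersAndGroups CSP schema.

```powershell
# Added example: derive the Azure AD group SID and build the
# LocalUsersAndGroups XML. All sample values are constructed placeholders.

function Convert-AzureAdObjectIdToSid {
    param([Parameter(Mandatory)][string] $ObjectId)
    # An Azure AD SID is "S-1-12-1-" followed by the object ID's 16 GUID
    # bytes read as four unsigned 32-bit integers.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-HubAdminGroupXml {
    param([Parameter(Mandatory)][string] $GroupSid)
    # Reject anything that is not an Azure AD SID, so a typo or a pasted
    # well-known SID never lands in the local Administrators group.
    if ($GroupSid -notmatch '^S-1-12-1(-\d{1,10}){4}$') {
        throw "Not an Azure AD SID: $GroupSid"
    }
    # S-1-5-32-544 is the built-in Administrators group.
    # action "U" (Update) adds the member and keeps existing members;
    # "R" (Restrict) would replace the current membership instead.
    @"
<GroupConfiguration>
    <accessgroup desc = "S-1-5-32-544">
        <group action = "U" />
        <add member = "$GroupSid"/>
    </accessgroup>
</GroupConfiguration>
"@
}

# Constructed placeholder: use the object ID of the admins security group
# created in step 1.
$objectId = '11111111-2222-3333-4444-555555555555'
$sid = Convert-AzureAdObjectIdToSid -ObjectId $objectId

# Hypothetical output file name; its content is the XML for step 3.
New-HubAdminGroupXml -GroupSid $sid |
    Set-Content -Path .\SurfaceHubAdmins.xml -Encoding UTF8
```

Review the generated file before assigning the profile in step 5: it should contain exactly one `add member` entry, and the SID in it should match the group you intend to grant Settings app administration.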

Summary

Create Azure AD security groups
