The Issue

While setting up a laptop in a newly created Microsoft 365 tenant, you may run into the following issue.

The device joined Microsoft Entra successfully, the user could sign in, email worked, and everything appeared normal — until administrative actions were attempted.

Anything requiring elevated privileges produced:

“This requested operation requires elevation.”

What Was Actually Happening

The root cause is a setting inside Microsoft Entra, not Windows itself.

When the tenant was created, the two Local Administrator Settings under Device Settings were left at their defaults:

No (global administrator role added as local administrator) & None (registering user added as local administrator)

Because of that, Entra never added users to the local Administrators group on enrolled devices.

So even though:

  • The device was Entra-joined
  • The user signed in normally
  • Licensing was correct

…the user simply was not a local administrator.

The Fix

Inside the Microsoft Entra Admin Center:

  1. Go to Entra Admin Center
  2. Navigate to:
    Entra ID → Devices → Device Settings
  3. Locate:
    Local Administrator Settings
  4. Change the following two settings to:
    Global administrator role is added as a local administrator on the device during Microsoft Entra join (Preview) = Yes
    Registering user is added as local administrator on the device during Microsoft Entra join (Preview) = All
    (or assign specific users/groups if preferred)

After changing these two settings, users who signed in to freshly reset laptops were added to the local Administrators group, and the elevation error disappeared.
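To catch this before a deployment instead of after, here is an added example (not from the original post or from NEPA Business Technologies) that reads the same two settings through Microsoft Graph with the Microsoft.Graph PowerShell SDK; the property names it reads are assumed to follow the Graph deviceRegistrationPolicy resource.

```powershell
# Added example: audit the Entra "Local Administrator Settings" described above.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# ASSUMPTION: azureADJoin.localAdmins.enableGlobalAdmins and
# azureADJoin.localAdmins.registeringUsers.'@odata.type' are the Graph
# representation of the two portal settings (Yes/No and All/None/Selected).

function Get-EntraLocalAdminSettings {
    # Read-only scope is enough to audit; changing the setting needs
    # Policy.ReadWrite.DeviceConfiguration and a Global Administrator.
    Connect-MgGraph -Scopes "Policy.Read.DeviceConfiguration" | Out-Null

    $policy = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy"

    $localAdmins = $policy.azureADJoin.localAdmins

    # Map the registeringUsers type onto the wording shown in the portal
    $registeringUsers = switch ($localAdmins.registeringUsers.'@odata.type') {
        '#microsoft.graph.allDeviceRegistrationMembership'        { 'All' }
        '#microsoft.graph.noDeviceRegistrationMembership'         { 'None' }
        '#microsoft.graph.enumeratedDeviceRegistrationMembership' { 'Selected' }
        default                                                    { 'Unknown' }
    }

    [pscustomobject]@{
        GlobalAdminIsLocalAdmin = [bool]$localAdmins.enableGlobalAdmins  # portal: Yes / No
        RegisteringUser         = $registeringUsers                       # portal: All / None / Selected
    }
}

$settings = Get-EntraLocalAdminSettings
$settings | Format-List

# The "No & None" combination from the post means nobody becomes a local admin at join time.
if (-not $settings.GlobalAdminIsLocalAdmin -and $settings.RegisteringUser -eq 'None') {
    Write-Warning "Entra join will not add any user to local Administrators; expect 'This requested operation requires elevation' on newly joined devices."
}
```

Run it from an admin workstation before imaging laptops; a warning means the tenant still has the configuration this post describes.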

Why This Can Be Confusing

What makes this issue tricky is that:

  • The device appears configured correctly
  • Microsoft 365 licensing looks fine
  • The user may even be a tenant admin

But Entra directory roles (such as a tenant admin role) are controlled separately from local administrator rights on the device; holding the one does not grant the other unless this device setting says so.

In newly created tenants or fresh device deployments, this setting can easily be overlooked.

Workaround: Regain Admin Access Without Resetting the Device

If you’re locked out due to missing local administrator rights and don’t want to wipe/reset the laptop, there is a way to recover access using BitLocker and Windows Recovery.

The idea is to:

  1. Retrieve the BitLocker recovery key from Microsoft Entra
  2. Boot into Windows Recovery Environment (WinRE)
  3. Unlock the drive manually
  4. Use Command Prompt to grant local admin rights

Step 1: Get the BitLocker Recovery Key

From the Microsoft Entra Admin Center:

  • Go to: Entra ID → Devices
  • Select the affected device
  • Locate and copy the BitLocker Recovery Key

Step 2: Boot into Windows Recovery

On the affected laptop:

  • Hold Shift while clicking Restart
  • Or interrupt the boot 3 times in a row to trigger automatic recovery

Then navigate to: Troubleshoot → Advanced Options → Command Prompt

Step 4: Add Azure AD User to Local Administrators

Once the drive is unlocked, you may need to switch to the C: drive and then run:

net localgroup administrators "AzureAD\YourUser@yourdomain.com" /add

If You’re Still Stuck

If you landed here because you’re fighting this error and it still isn’t resolved, feel free to reach out.

NEPA Business Technologies helps businesses throughout the Poconos and Stroudsburg area with Microsoft 365, Entra device management, and business laptop deployments.

Contact us:
https://www.nepabiztech.com/contact/
272-201-6201