Registering user becomes local admin on Joined Devices
Entra joined devices automatically grant local administrator privileges to the joining user and to a specific Entra ID role. This elevated privilege is not visible through the usual administrative interfaces or audit logs, because it is a direct addition to the local Administrators group: the users do not appear explicitly in the group's member list, and their access is granted through the Primary Refresh Token (PRT) at sign-in. To confirm this on a device, sign in as the user and check the user's group memberships for the device-local Administrators SID. Refreshing this privilege requires running dsregcmd /refreshprt and then signing out and back in; locking the screen is not sufficient.

This behaviour is exclusive to Entra joined devices, not workplace-joined ones. The "Manage Additional local administrators" setting is a tenant-wide option for the same Device Administrator role and cannot be applied per device. To prevent automatic local administrator assignment for new joins, set "Registering user is added as local administrator" to None. Going forward, local administrator membership can be managed through Windows Autopilot or Intune policies, but devices that are already joined retain their current settings.
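The following PowerShell is an added example, not part of the original text, showing how an administrator can verify the behaviour described above on a single device: it confirms the join state with dsregcmd /status, checks whether the signed-in user's logon token carries the device-local Administrators SID (S-1-5-32-544), and lists the static members of the local Administrators group, where role SIDs rather than user accounts are expected. It assumes Windows 10/11 with the built-in LocalAccounts module and dsregcmd.exe, run as the interactive user being checked.

```powershell
# Added example (not from the original page): verify on an Entra joined device
# whether the signed-in user holds local Administrators rights through token
# group membership, even though no user account shows up in the local group.
# Assumes Windows 10/11, the built-in LocalAccounts module and dsregcmd.exe.

$adminSid = 'S-1-5-32-544'   # well-known SID of the device-local Administrators group

# 1. Confirm the device is Entra joined (not merely workplace joined).
$status = dsregcmd /status
$joined = ($status | Select-String '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
"Entra joined: $joined"

# 2. Groups present in the current user's logon token. The Administrators SID
#    appears here when the PRT issued at sign-in carried a role that maps to
#    local admin, which is why the user is absent from the static member list.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$hasAdminInToken = $token.Groups | Where-Object { $_.Value -eq $adminSid }
"Administrators SID present in logon token: $([bool]$hasAdminInToken)"

# 3. Static members of the local Administrators group. Expect Entra role SIDs
#    (S-1-12-1-...) and built-in accounts rather than the user's own account.
Get-LocalGroupMember -SID $adminSid |
    Select-Object Name, SID, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```

If step 2 reports the SID as absent after a role or tenant setting change, the token is stale: run dsregcmd /refreshprt, then sign out and back in (locking the screen does not re-evaluate the PRT) and re-run the check.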