Azure AD User Access for ADMIN$ Share


Steps to Enable Azure AD Users to Access the ADMIN$ Share on Azure AD-Joined Devices

1. Confirm the Device Is Azure AD Joined

Run the following command on the target device to verify Azure AD join status:

dsregcmd /status

Check for:

  • AzureAdJoined: YES

  • DomainJoined: NO


2. Grant Local Administrator Rights to the Azure AD User

Access to the ADMIN$ share requires local administrator rights on the target machine.

Option 1: Manually Add Azure AD User

Open PowerShell (Admin) and run one of the following:

net localgroup Administrators "AzureAD\user@domain.com" /add

OR

Add-LocalGroupMember -Group "Administrators" -Member "AzureAD\user@domain.com"

⚠️ Repeat this on each device where access is required.


Option 2: Assign Local Admin via Intune

For managed environments, use Microsoft Intune to deploy local admin rights:

  1. Go to Microsoft Intune Admin Center.

  2. Navigate to:
    Endpoint Security > Account Protection

  3. Create a policy:

    • Platform: Windows 10/11

    • Profile: Local user group membership

  4. Configure the Local Administrators group:

    • Add Azure AD users or security groups.

  5. Assign the policy to the appropriate devices or users.


3. Enable SMB Sharing and Firewall Rules

Check and Enable SMB

Run the following to check SMB status:

Get-SmbServerConfiguration | Select EnableSMB2Protocol

If disabled, enable with:

Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force

Allow SMB in Windows Firewall

Enable SMB-related firewall rules:

Set-NetFirewallRule -Name "FPS-SMB-In-TCP" -Enabled True

Or do it manually:

  • Open Windows Defender Firewall

  • Enable the File and Printer Sharing (SMB-In) rule


Test SMB Connectivity

Run:

Test-NetConnection -ComputerName TARGET-PC -Port 445

If this fails, verify network-level firewall settings are not blocking port 445.


4. Access the ADMIN$ Share

Once the user is a local administrator on the target device, the share can be opened in any of the following ways:

File Explorer

  1. Press Win + R

  2. Enter:

\\TARGET-PC\ADMIN$

  3. If prompted, enter:

Username: AzureAD\user@domain.com
Password: [Azure AD password]

PowerShell

New-PSDrive -Name Z -PSProvider FileSystem -Root "\\TARGET-PC\ADMIN$" -Credential (Get-Credential)

Command Prompt

net use \\TARGET-PC\ADMIN$ /user:AzureAD\user@domain.com
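Before attempting the connection, the prerequisites from steps 1 to 3 can be verified in one pass. The script below is an added example, not part of the original guide; it assumes it is run in an elevated PowerShell session on the target device, and the UPN user@domain.com is a placeholder.

```powershell
# Added example: pre-flight check for ADMIN$ access on an Azure AD-joined device.
# Run elevated on the target device. $Upn is a placeholder for the Azure AD user.
param(
    [string]$Upn = "user@domain.com"
)

$results = [ordered]@{}

# Step 1: parse dsregcmd /status for the join state (AzureAdJoined: YES, DomainJoined: NO)
$dsreg = dsregcmd /status
$results["AzureAdJoined"]   = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$results["NotDomainJoined"] = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*NO')

# Step 2: the Azure AD account must be a member of the local Administrators group
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
$results["IsLocalAdmin"] = [bool]($admins | Where-Object { $_.Name -ieq "AzureAD\$Upn" })

# Step 3a: SMB2 must be enabled on the server side
$results["Smb2Enabled"] = (Get-SmbServerConfiguration).EnableSMB2Protocol

# Step 3b: the inbound File and Printer Sharing (SMB-In) rule must be enabled
$rule = Get-NetFirewallRule -Name "FPS-SMB-In-TCP" -ErrorAction SilentlyContinue
$results["FirewallRuleEnabled"] = ($null -ne $rule) -and ($rule.Enabled -eq 'True')

# Step 3c: port 445 must answer; this tests the local listener, use -ComputerName
# with a remote host name on the client side to test the network path as well
$tnc = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 445 -WarningAction SilentlyContinue
$results["Port445Listening"] = $tnc.TcpTestSucceeded

# Report each prerequisite; the first FAIL is the step to revisit before step 4
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { "OK  " } else { "FAIL" }
    Write-Host ("[{0}] {1}" -f $state, $check.Key)
}
```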

Troubleshooting Access Failures

1. Confirm Local Administrator Rights

net localgroup Administrators

Ensure the Azure AD user is listed.


2. Check Authentication Policy

If login fails, verify NTLM authentication settings.

Run:

gpedit.msc

Navigate to:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Set Network security: LAN Manager authentication level to:

  • “Send LM & NTLM – use NTLMv2 session security if negotiated”
    OR

  • “Send NTLMv2 response only”


3. Review SMB Server Event Logs

  1. Open Event Viewer (eventvwr.msc)

  2. Navigate to:

Applications and Services Logs > Microsoft > Windows > SMBServer

Look for entries related to:

  • Authentication failures

  • Permission denials

  • SMB connection issues