Microsoft Defender for Identity Recommended Actions: Remove local admins on identity assets

Microsoft Defender for Identity contributes twenty-seven recommended actions to Microsoft Secure Score. In a series of blog posts, I will go through all twenty-seven recommended actions: what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The twenty-first one in the series is the “Remove local admins on identity assets” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Remove local admins on identity assets.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Local Administrator

In highly sensitive environments, especially on Tier-0 servers that safeguard core identity infrastructure such as Active Directory Domain Services, Active Directory Federation Services (AD FS), Microsoft Entra Connect (formerly Azure AD Connect), and Active Directory Certificate Services (AD CS), minimizing the attack surface is critical. Every account in the local Administrators group of these systems is a pathway that is easy to overlook: on a domain controller there is no separate local SAM, so "local" Administrators membership is the domain's built-in Administrators group; on an AD FS server a local admin can read the token-signing key and forge tokens; on an Entra Connect server a local admin can recover the AD DS connector account, which typically holds replication (DCSync) rights; on a CA a local admin can back up the CA private key. From an attacker's perspective, every local admin on these hosts is therefore effectively a potential Domain Admin.

With elevated local rights, an attacker can manipulate services, extract credentials from memory or from protected storage, or pivot laterally to compromise the broader identity fabric. Once Tier-0 assets are exposed, the entire enterprise identity ecosystem is at risk. For this reason, enforcing the principle of least privilege and removing unnecessary local administrators is a foundational control against privilege escalation.

Recommendation

Use Microsoft Defender for Identity to continuously monitor Tier-0 servers and identify accounts with local administrator privileges. The assessment only reports on servers that have a Defender for Identity sensor installed, so first confirm that every domain controller, AD FS, AD CS and Entra Connect server is covered; an unmonitored Tier-0 host is a blind spot, not a clean result. Review the list of detected accounts on a regular basis and assess whether each one is truly required. Typical findings are legacy "server admins" groups, personal accounts of administrators who also hold domain-level rights, and service accounts for backup, monitoring or deployment agents that were added for convenience. For accounts that are not operationally necessary, remove their local administrator rights, staging the change so you can verify that nothing depends on them. Where privileged access is required, replace permanent local admin rights with controlled access solutions such as Privileged Access Management (PAM) or Just-In-Time (JIT) access, and keep the remaining membership limited to a small, documented set of Tier-0 groups.

By leveraging Defender for Identity’s visibility into local admin memberships and remediating unnecessary privileges, you reduce the likelihood of attackers using these accounts as indirect entry points to escalate toward Domain Admin privileges.
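To make the review repeatable, the following script is an added example (not code from the original post and not part of Defender for Identity) that enumerates the local Administrators group on a set of Tier-0 member servers, compares each member against an approved list and reports the differences; removal is opt-in and off by default. The server names, the domain name CONTOSO, and the approved groups are assumed values, and the script assumes PowerShell remoting is enabled to each host and that you run it from an administrative workstation with rights on those servers. It is written for member servers such as AD FS, AD CS and Entra Connect; on a domain controller there is no separate local SAM, so audit the domain's built-in Administrators group with Get-ADGroupMember -Identity 'S-1-5-32-544' instead.

```powershell
# Added example, not part of the original post: audit (and optionally remediate)
# local Administrators membership on Tier-0 member servers.
# Assumed values: server names, the CONTOSO domain and the approved group names.

$Tier0Servers = @('ADFS01', 'ADCS01', 'ENTRACONNECT01')   # assumed hostnames

# Principals allowed to stay in the local Administrators group. Everything else is a finding.
$Approved = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Tier0-ServerAdmins'    # assumed PAM/JIT-managed Tier-0 group
)

# Report-only by default; set to $true only after the findings have been reviewed.
$Remediate = $false

$findings = foreach ($server in $Tier0Servers) {
    try {
        # Query the group by its well-known SID (S-1-5-32-544) so the check is
        # independent of the group's display name or the OS language.
        $members = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name, ObjectClass, PrincipalSource, SID
        }
    }
    catch {
        # A host that cannot be queried is a gap in coverage, not a clean host.
        Write-Warning "$server : could not enumerate local admins ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $members) {
        # The built-in Administrator (RID 500) cannot be removed from the group;
        # handle it through your rename/disable policy rather than here.
        if ("$($m.SID)" -like 'S-1-5-21-*-500') { continue }

        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Server = $server
                Member = $m.Name
                Type   = $m.ObjectClass      # User or Group
                Source = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No unapproved local administrators found on the queried servers.'
}
else {
    $findings | Sort-Object Server, Member | Format-Table -AutoSize
}

if ($Remediate -and $findings) {
    foreach ($f in $findings) {
        Invoke-Command -ComputerName $f.Server -ScriptBlock {
            param($name)
            Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $name -Confirm:$false
        } -ArgumentList $f.Member
        Write-Host "Removed $($f.Member) from Administrators on $($f.Server)"
    }
}
```

Run it in report-only mode first and reconcile the output with the accounts Defender for Identity lists under the recommended action; a member that appears in one but not the other usually means a server without a sensor or a stale membership. Nested groups are reported as a single Group entry, so expand any unfamiliar group with Get-ADGroupMember -Recursive before deciding whether it is approved.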

Conclusion

In conclusion, the Remove local admins on identity assets assessment does not actively scan your environment. Instead, it relies on the Defender for Identity sensor installed on Tier-0 servers to report which accounts hold local administrator rights, so its coverage is only as complete as your sensor deployment. The recommendation is simply to review these detected accounts and remove unnecessary privileged access. By doing so, organizations reduce the risk of local admins being used as an indirect route to Domain Admin, strengthening the overall security posture of their Tier-0 assets.