Recently, Windows LAPS for Windows Server Active Directory was made available to the public, and I shared my initial test impressions:
Getting to Know Windows LAPS for Active Directory – First Look
As of April 21st, 2023, Windows LAPS for Azure Active Directory is now also accessible in a public preview. This presents an opportunity to test it in a cloud-only environment, and in this blog post, I will be sharing my initial testing impressions of Windows LAPS with Azure Active Directory in this scenario.
- License requirements
- Supported scenarios
- Supported operating systems
- Required roles or permission
- Windows LAPS for Azure Active Directory features in overview
- Windows LAPS for Azure Active Directory – Configuration
Customers with Azure AD Free or higher licenses now have access to Windows LAPS for Azure Active Directory. However, there are specific licensing requirements for related features such as administrative units, custom roles, Conditional Access, and Microsoft Intune.
Only devices that are joined to Azure AD or Hybrid Azure AD are compatible with Windows LAPS for Azure Active Directory. Azure AD registered devices aren’t supported.
Supported operating systems
- Windows 11 Pro, EDU, and Enterprise (April 2023 Cumulative update must be installed)
- Windows 10 Pro, EDU, and Enterprise (April 2023 Cumulative update must be installed)
Required roles or permission
- Cloud Device Administrator
- Intune Administrator
- Global Administrator
The built-in Azure AD roles Cloud Device Administrator, Intune Administrator and Global Administrator are authorized for device.LocalCredentials.Read.All, the permission that allows reading the stored passwords. If you do not want to hand out one of these broad roles just for password recovery, you can instead build an Azure AD custom role with that permission and scope its assignment with administrative units.
Windows LAPS for Azure Active Directory features in overview
- Store passwords in Microsoft Azure (on Azure device object)
- Settings configuration via Microsoft Intune
- Recover stored passwords via Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PowerShell
- On-demand password rotation via Microsoft Intune
- Automatic password reset on use (client-driven)
- Create Azure AD role-based access control (RBAC) policies with custom roles and administrative units for authorization of password recovery.
- View audit logs via Microsoft Entra or Microsoft Graph API/PowerShell to monitor password update and retrieval events.
- Configure Conditional Access policies on directory roles that have the authorization of password recovery.
Windows LAPS for Azure Active Directory – Configuration
That concludes the introduction – now it’s time to finally test Windows LAPS for Azure Active Directory! 🙂 For my evaluation, I’ll be using a Windows 11 22H2 client and a Microsoft 365 tenant with pre-existing Microsoft Intune licenses.
First of all, the Cumulative Update from April 11, 2023 (KB5025239) must be installed on our Windows 11 22H2 client.
Local built-in administrator account
In Windows 10/11 the local built-in Administrator account is disabled by default. We could now re-enable it via script, or alternatively create a dedicated local admin account. Since we do not want to change a Windows 10/11 default, and the built-in account remains trivially identifiable by its well-known RID 500 no matter what it is renamed to, the variant with a separate account is preferable in any case.
It is important to note that Windows LAPS does not enable the built-in Administrator account for us, and it does not create the dedicated administrator account either: the account named in the policy has to exist before LAPS can manage its password.
Create dedicated local admin account
There are several options available for creating a separate local administrator account with Microsoft Intune. The two most obvious are:
- Option 1: Use Microsoft Intune Custom OMA-URI Settings
- Option 2: Use Microsoft Intune Proactive Remediations Script
Option 1 is certainly the fastest and simplest variant and is therefore best suited for LAB testing. Its disadvantage is that the password can only be entered statically in the configuration profile: it is identical on every targeted device, readable by anyone who can view the profile, and therefore has to be treated as known until Windows LAPS performs its first rotation. In a production environment, option 2 is the preferred variant, since the password can be generated dynamically as a random value on each client. Also, with an additional proactive remediations script, the account could be removed from all or selected clients if necessary.
Since my esteemed colleague Nicola Suter has covered the Proactive Remediations Script variant in detail in his Windows LAPS blog and has also already provided the corresponding scripts, I choose variant 1 for my LAB testing. If you are interested in the second option, I recommend reading Nicola’s blog.
https://intune.microsoft.com – Devices – Configuration profiles – Create profile – Windows 10 and later – Templates – Custom
We need to define two custom OMA-URI settings: one that creates the account with its initial password, and one that adds the account to the local Administrators group.
Value: Your Initial Password
At the next sync the account is created and added to the local Administrators group.
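For readers who want to see what the option 2 approach looks like, here is an added example of a Proactive Remediation style script. It is not part of the original post and not Nicola Suter's script; it is my own illustration. The account name LapsAdmin and the 24-character length are assumptions, and the account name must match the AdministratorAccountName you later set in the LAPS policy. The script compares SIDs via ADSI instead of Get-LocalGroupMember, because Get-LocalGroupMember is known to throw on Azure AD joined devices when it meets a member SID it cannot resolve.

```powershell
# Added example, not part of the original post or Nicola Suter's scripts:
# create a dedicated local administrator with a random initial password, the
# way a Proactive Remediation script would. The initial password only needs to
# be unknown; Windows LAPS replaces it on the first policy cycle after the
# account exists.
$AccountName    = 'LapsAdmin'     # assumed name; must match the LAPS policy
$PasswordLength = 24
$AdminGroupSid  = 'S-1-5-32-544'  # BUILTIN\Administrators, independent of display language

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols and 256 mod 64 = 0, so one random byte maps onto the alphabet without modulo bias.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-AdminGroupMemberSids {
    # Enumerate Administrators through ADSI and return member SIDs as strings.
    $groupName = ([System.Security.Principal.SecurityIdentifier]$AdminGroupSid).Translate(
                     [System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
}

function Test-ManagedAdmin {
    # Detection: true only if the account exists, is enabled and sits in Administrators.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.Enabled) { return $false }
    return ($user.SID.Value -in @(Get-AdminGroupMemberSids))
}

function Set-ManagedAdmin {
    # Remediation: create if missing, enable, and add to Administrators. Safe to re-run.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        $secure = ConvertTo-SecureString (New-RandomPassword -Length $PasswordLength) -AsPlainText -Force
        $user = New-LocalUser -Name $AccountName -Password $secure `
                    -Description 'Windows LAPS managed local administrator' `
                    -PasswordNeverExpires -AccountNeverExpires
    }
    if (-not $user.Enabled) { Enable-LocalUser -Name $AccountName }
    if ($user.SID.Value -notin @(Get-AdminGroupMemberSids)) {
        Add-LocalGroupMember -SID $AdminGroupSid -Member $AccountName
    }
}

if (Test-ManagedAdmin) { Write-Output "$AccountName present"; exit 0 }
Set-ManagedAdmin
if (Test-ManagedAdmin) { Write-Output "$AccountName created"; exit 0 }
Write-Output "$AccountName could not be created"; exit 1
```

In Intune the detection part (Test-ManagedAdmin with its exit 0/1) goes into the detection script and the rest into the remediation script; both run as SYSTEM, so no elevation handling is needed. The random password is never written anywhere, which is the point: nobody knows it until LAPS rotates it and backs the new one up to Azure AD.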
Enable Azure AD Local Administrator Password Solution (LAPS)
Windows LAPS for Azure Active Directory can be enabled from either the Microsoft Entra admin center or Azure Active Directory Portal.
- https://entra.microsoft.com – Devices – Overview – Device Settings – Enable Azure AD Local Administrator Password Solutions (LAPS): Yes
- https://portal.azure.com – Azure Active Directory – Devices – Device Settings – Enable Azure AD Local Administrator Password Solutions (LAPS): Yes
Creation of Microsoft Intune Windows LAPS Password Policy
Windows LAPS password settings can be easily configured via Endpoint Security in the Microsoft Intune Admin Center:
https://intune.microsoft.com – Endpoint security – Account Protection – Create Policy – Windows 10 and later – Profile: Local admin password solution (Windows LAPS)
Recover stored passwords
Passwords stored in Microsoft Azure can be retrieved using either the Microsoft Entra/Microsoft Intune/Microsoft Azure portal or Microsoft Graph API/PowerShell. In the portal, you can find the passwords in the Devices section, in the same place where the BitLocker keys can be retrieved.
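The PowerShell path uses the Get-LapsAADPassword cmdlet from the LAPS module that ships with the April 2023 update, together with Microsoft Graph PowerShell. The following is an added example and not code from the original post; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in user holds one of the roles listed above, and the device name WIN11-LAB01 is a placeholder.

```powershell
# Added example (not part of the original post): recover the LAPS password of an
# Azure AD device with the inbox LAPS module and Microsoft Graph PowerShell.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# Delegated scopes needed for clear-text recovery. DeviceLocalCredential.ReadBasic.All
# would only return metadata (account name, update and expiration time).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

$DeviceName = 'WIN11-LAB01'   # placeholder; -DeviceIds also accepts the Azure AD device object id

# Without -IncludePasswords only metadata comes back, which is enough to check
# that rotation is happening without exposing the secret.
$meta = Get-LapsAADPassword -DeviceIds $DeviceName
$meta | Format-List DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime

# Clear-text recovery is the operation that shows up in the Azure AD audit log as
# 'Recover device local administrator password'. Without -AsPlainText the
# Password property is a SecureString.
$cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
$cred | Format-List DeviceName, Account, Password, PasswordExpirationTime

Disconnect-MgGraph | Out-Null
```

Keep the two calls separate in your own tooling: reporting jobs that only need to know whether passwords are rotating should run with the ReadBasic scope and never touch the clear-text variant.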
On-demand password rotation
On-demand password rotation is possible either via the Microsoft Intune portal or locally on the client via the Reset-LapsPassword PowerShell cmdlet (requires local admin rights).
Specific Windows LAPS event logs are available:
Event Viewer – Applications and Services Logs – Microsoft – Windows – LAPS
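To check on the client that the Intune policy actually arrived, to force a policy cycle, to rotate on demand and to read the LAPS event log in one go, here is an added example (not from the original post). It assumes the policy was delivered through Intune, so it reads the LAPS CSP policy key; Group Policy delivered settings would live under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS instead. It must run elevated.

```powershell
# Added example (not part of the original post): client-side verification of a
# Windows LAPS for Azure AD deployment. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

# Policy written by the LAPS CSP (Intune). GPO-delivered policy uses a different key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Get-LapsClientPolicy {
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        BackupDirectory              = $p.BackupDirectory              # 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
        AdministratorAccountName     = $p.AdministratorAccountName     # empty = built-in RID-500 account
        PasswordAgeDays              = $p.PasswordAgeDays
        PasswordLength               = $p.PasswordLength
        PasswordComplexity           = $p.PasswordComplexity
        PostAuthenticationActions    = $p.PostAuthenticationActions
        PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay
    }
}

$policy = Get-LapsClientPolicy
if (-not $policy) { throw "No LAPS policy under $PolicyKey; the Intune policy has not applied yet" }
if ($policy.BackupDirectory -ne 1) {
    Write-Warning "BackupDirectory is $($policy.BackupDirectory); expected 1 (Azure AD)"
}
if (-not $policy.AdministratorAccountName) {
    Write-Warning 'AdministratorAccountName is empty: LAPS will manage the built-in RID-500 account'
}
$policy | Format-List

# Apply the policy now instead of waiting for the next scheduled cycle.
Invoke-LapsPolicyProcessing

# On-demand rotation from the client side; the new password is generated locally
# and backed up to the device object in Azure AD.
Reset-LapsPassword

# Same log as 'Applications and Services Logs > Microsoft > Windows > LAPS' in Event Viewer.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    StartTime = (Get-Date).AddMinutes(-10)
}
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName,
                 @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } -AutoSize
```

If the policy key is present but BackupDirectory is 0, the Intune profile reached the device but LAPS is effectively off; if the key is missing, the problem is on the Intune assignment or sync side, not in LAPS itself.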
Audit logs are available via Microsoft Entra or Microsoft Graph API/PowerShell to monitor password update and retrieval events.
https://entra.microsoft.com – Monitoring & health – Audit Logs – Service: Device Registration Service
If log analytics is set up on the tenant, the events can also be easily evaluated with KQL.
AuditLogs
// the two Windows LAPS operations: password retrieval by an admin, password backup by the client
| where OperationName in ('Recover device local administrator password', 'Update device local administrator password')
| where Result == "success"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| mv-expand TargetResources
| extend Device = tostring(TargetResources.displayName)
| project User, Device, OperationName, TimeGenerated
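For tenants without a Log Analytics workspace, the same question can be answered through Microsoft Graph PowerShell. The following is an added example and not part of the original post; it assumes the Microsoft.Graph.Reports module is installed, and the seven-day window is an arbitrary choice.

```powershell
# Added example (not part of the original post): list successful Windows LAPS
# recover/update events from the Azure AD audit log via Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDateTime ge $since and (" +
          "activityDisplayName eq 'Recover device local administrator password' or " +
          "activityDisplayName eq 'Update device local administrator password')"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Where-Object { $_.Result -eq 'success' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.ActivityDateTime
            User      = $_.InitiatedBy.User.UserPrincipalName   # may be empty for client-driven update events
            Device    = ($_.TargetResources | Select-Object -First 1).DisplayName
            Operation = $_.ActivityDisplayName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A 'Recover' entry whose user is not one of the expected administrators is the event worth alerting on; the 'Update' entries mostly serve to confirm that rotation keeps happening on every device.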
Implementing Windows LAPS for Azure Active Directory is a straightforward process and has been performing well during the Public Preview phase. There is room for improvement in terms of the dedicated local admin account implementation, which currently requires the use of a proactive remediations script.