This is how to activate and use Windows LAPS in Microsoft Entra

Many organizations use local administrator accounts on workstations and servers to perform management activities. The problem is that these accounts often have static passwords that are rarely changed, which can compromise organizational security. One possible solution to this is to implement Local Administrator Password Solution (LAPS).

LAPS is a tool from Microsoft that automates and improves the management of local administrator accounts. With LAPS, each workstation or server can automatically generate a unique password for the local administrator account and store it in Azure Active Directory. This password is automatically changed at a predetermined interval, improving organizational security.

To display the local administrator password for a Windows device that is a member of Azure AD, you must be granted the deviceLocalCredentials.Read.All permission and be assigned one of the following roles:

Cloud device administrator
Intune service administrator
Global administrator

Microsoft's minimum system requirements to use LAPS

Windows 10 20H2 or later
Windows 11 21H2 or later
Windows Server 2019 or later

This is the Windows Local Administrator Password solution within Microsoft Entra (Azure AD)

Navigate to: https://endpoint.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/accountprotection

Under LAPS, select Backup Directory

Choose whether you wish to activate LAPS for a group, or for a list of users or devices.

Then go to Device Settings to activate Local Administrator Settings (LAPS).

Finally, activate LAPS within Device Settings in Azure Active Directory.

Navigate to: https://portal.azure.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/DeviceSettings/menuId~/null and activate LAPS at the bottom.
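Once both switches are on, it is worth confirming that the tenant setting is active and that devices have actually backed up a password. The script below is an added example, not part of the original article. It assumes the Microsoft Graph PowerShell SDK and the LAPS PowerShell module are installed, reads the tenant setting from the Graph beta endpoint, uses constructed device names, and requests read-only scopes that return password metadata only, never the password itself.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

# Read-only scopes: tenant device policy, device lookup, LAPS metadata (no password values).
Connect-MgGraph -Scopes @(
    'Policy.Read.DeviceConfiguration',
    'Device.Read.All',
    'DeviceLocalCredential.ReadBasic.All'
)

# 1. Tenant-wide switch set under Device Settings.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
if (-not $policy.localAdminPassword.isEnabled) {
    Write-Warning 'LAPS is not enabled in the tenant device settings; clients cannot back up passwords.'
    return
}

# 2. Per-device check. These device names are constructed placeholders.
$deviceNames = 'LAPS-TEST-01', 'LAPS-TEST-02'

$report = foreach ($name in $deviceNames) {
    try {
        # Without -IncludePasswords only metadata is returned.
        $meta = Get-LapsAADPassword -DeviceIds $name -ErrorAction Stop
        if ($null -eq $meta) { throw "No LAPS record returned for $name" }

        [pscustomobject]@{
            Device   = $meta.DeviceName
            BackedUp = $true
            Expires  = $meta.PasswordExpirationTime
            # An expiry well in the past means rotation has stopped on the device.
            # The one-day margin absorbs any time-zone difference.
            Stale    = $meta.PasswordExpirationTime -lt (Get-Date).AddDays(-1)
        }
    }
    catch {
        # Device not found, policy not yet applied, or no password backed up.
        [pscustomobject]@{ Device = $name; BackedUp = $false; Expires = $null; Stale = $null }
    }
}

$report | Format-Table -AutoSize
```

Devices that show BackedUp as False or Stale as True have either not received the Intune policy yet or have stopped rotating, and are the ones to investigate first.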
