Windows Local Administrator Password Solution (Windows LAPS) is a built-in Windows feature that enables the management and rotation of local administrator passwords on Windows devices. On April 21, 2023, Microsoft released a public preview of Windows LAPS that supports Azure AD.

Windows LAPS is designed to help improve security by reducing the risk of a compromised local administrator password being used to gain unauthorized access to Windows devices on a network. It can also help simplify the management of local administrator passwords, reducing the need for manual password changes and ensuring that passwords are always strong and unique.

Windows LAPS addresses a security concern in which local administrator passwords are identical across all devices by automatically creating unique passwords for each device. Organizations can choose to save these passwords securely, either in Active Directory or Azure AD. In this article, you will learn if and how you can enable Windows LAPS with Azure AD.

Prerequisites for using Windows LAPS with Azure AD

Before setting up Windows LAPS with Azure AD, ensure that you meet the following requirements:

Azure Active Directory licensing: There are no license requirements for using LAPS with Azure AD.

Intune licensing: An Intune license is required to manage LAPS with Azure AD.

Windows requirements: Windows devices installed with April 2023 updates or later are supported for the implementation of Windows LAPS.

AD member requirements: Only Azure AD-joined and hybrid Azure AD-joined devices are supported; workplace-joined (Azure AD registered) devices are not supported.

Privileges: You need to have one of the following roles in Azure AD: Global Administrator, Cloud Device Administrator, or Intune Administrator.

Note: Once the April 2023 update is installed, do not install the legacy Microsoft LAPS on the same system under any circumstances, because this can break both versions. Recovering from that state requires either uninstalling legacy LAPS or deleting all registry values under the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State

If the presence of legacy LAPS is detected, Windows LAPS will automatically run in Emulation mode with limited functionality.

Benefits of enabling Windows LAPS with Azure AD

Accessibility: With Azure AD enabled, you can access Windows LAPS from anywhere without VPN, making remote management more convenient.

Scalability: Azure AD provides scalability, allowing you to easily manage a large number of systems using Windows LAPS.

Automatic updates: Azure AD ensures that your Windows LAPS is always updated, reducing vulnerability to security risks.

Disaster recovery: Azure AD provides robust disaster recovery capabilities, safeguarding your Windows LAPS against potential data loss.

Downsides of enabling Windows LAPS with Azure AD

Complexity: Implementing Azure AD can be complex and may require a steep learning curve for IT teams not familiar with the platform.

Cost: You'll require an Intune license.

Dependency on internet connection: Azure AD requires an internet connection for authentication. If your internet service is down, it can cause disruption in accessing your Windows LAPS.

Data privacy concerns: While Azure AD and Intune have robust security measures, some organizations may be uncomfortable storing security-related data on a third-party platform.

Implementation guide

As mentioned earlier, this guide will focus on enabling Windows LAPS with Azure AD, not the legacy Microsoft LAPS. If you are interested in migrating from the legacy version to Windows LAPS, refer to Microsoft's documentation.

Enabling Windows LAPS with Azure AD requires four steps:

  1. Create a local admin account or enable the built-in admin account.
  2. Enable LAPS in Azure AD.
  3. Create the Intune configuration profile for LAPS.
  4. Assign the policy to devices.

Create a local admin account

You can either choose to enable the built-in Administrator account or create a new local admin account to be used with LAPS. Here, I will explain how to create a custom local user account that will be used as the LAPS Admin account.

  1. Log in to Microsoft Intune admin center.
  2. Go to Devices > Configuration profiles > Create profile.
  3. For Platform, select Windows 10 and later.
  4. For Profile type, select Templates, and then choose the Custom template.

    Custom configuration profile template

  5. Provide a suitable name and description for the policy, and click Next.

    Create a new local user

  6. Click the Add button to add OMA-URI settings and provide the following details:
    1. Name: Create Local User Account
    2. OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/lapsadmin/Password
    3. Data type: String
    4. Value: T3mpAdm1n$

    OMA URI settings for local users

  7. Click the Add button again to add OMA-URI settings and provide the following details:
    1. Name: Add user to Built-in Administrator group
    2. OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/lapsadmin/LocalUserGroup
    3. Data type: Integer
    4. Value: 2

    OMA URI settings to add the user to a group

  8. Click Next.
  9. Assign the policy to an Azure AD security group that contains users or devices where this device configuration profile needs to be deployed.
  10. Click Create to create the policy.

This policy will now create a local user named lapsadmin and add it to the built-in Administrators group (as shown below).

Local user created and added to the Administrators group

Enabling LAPS in Azure AD

The first step is to toggle on LAPS in AAD.

  1. Log in to Azure Active Directory.
  2. Go to Devices > Device Settings.
  3. Toggle Yes on Enable Azure AD Local Administrator Password Solution (LAPS).
  4. Click Save.

    Enabling LAPS in Azure AD

Create the Intune Configuration Profile for LAPS

Now let's create the policy for LAPS in Intune.

  1. Open the Intune console.
  2. Navigate to Endpoint Security > Account Protection.
  3. Click Create Policy.
  4. Choose Windows 10 and later for Platform and select Local admin password solution (Windows LAPS).
  5. Click Create.

    Creating the LAPS policy in Intune

  6. Provide a suitable name, such as 'LAPS Policy', and click Next.
  7. Configure the policy; the options are explained below:
    1. Backup Directory: Choose "Backup the password to Azure AD only."
    2. Password Age Days: Set this to 7 days (the default). The value must be between 7 and 365 days.
    3. Administrator Account Name: Type the name of the local account you created in the first step.
    4. Password Complexity: The default is "Large letters + small letters + numbers + special characters." If you want a simpler password, choose another option from the dropdown list.
    5. Password Length: You can set this from 8 to 64 characters. I have chosen 18.
    6. Post Authentication Actions: Specifies what happens to the managed account after a grace period that starts when someone authenticates with it, so that a retrieved LAPS password cannot be used indefinitely. Choose one of the following options:
      1. Reset password: At the end of the grace period, the managed account password will be reset.
      2. Reset the password and log off the managed account: At the end of the grace period, the managed account password will be reset, and any interactive logon sessions using the managed account will be terminated. This is the default behavior.
      3. Reset the password and reboot: At the end of the grace period, the managed account password will be reset, and the managed device will be immediately rebooted.
    7. Post Authentication Reset Delay: Sets the grace period in hours before the action above is executed. If not specified, this setting defaults to 24 hours.

    Note: I have not configured any post authentication actions or reset delays, but feel free to explore these options.

    LAPS policy settings

  8. Click Next.
  9. Assign the policy to an Azure AD Security group that contains users or devices where this device configuration profile needs to be deployed.
  10. Click Create to create the policy.

Validating the LAPS deployment

You can validate that the LAPS policy has been applied to the client device in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\

The following registry entries are created by Intune:

  • AdministratorAccountName: lapsadmin
  • BackupDirectory: 1
  • PasswordAgeDays: 7
  • PasswordComplexity: 4
  • PasswordLength: 18
  • PostAuthenticationResetDelay: 0

LAPS registry keys

Note: Windows LAPS uses a background task that runs every hour to check whether the password has expired. If it expires, the password will be reset, and the new password will be updated in Azure AD.
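As an added example (not from the article), the following PowerShell reads those policy values on a client and checks them against the ranges and choices described above, then lists what the hourly background task has logged. It assumes the values live in the LAPS subkey below the path given above (HKLM\SOFTWARE\Microsoft\Policies\LAPS), that the integer-to-meaning mapping follows the Windows LAPS policy documentation (BackupDirectory 1 = Azure AD; PasswordComplexity 4 = all four character classes), and that the client writes to the Microsoft-Windows-LAPS/Operational event log. Run it in an elevated session on the managed device.

```powershell
# Added example, not from the article: verify the Windows LAPS policy written by
# Intune on the client and show recent LAPS activity from the operational log.
# Assumption: the policy values sit under the LAPS subkey of the path the
# article names.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Meaning of the integer values (per the Windows LAPS policy documentation)
$backupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$complexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
}

function Get-LapsPolicyReport {
    param([string]$Path = $policyKey)

    if (-not (Test-Path $Path)) {
        throw "No Windows LAPS policy found at $Path - the Intune profile has not applied yet."
    }
    $p = Get-ItemProperty -Path $Path

    # Each check is a boolean so the report can be filtered or exported
    [pscustomobject]@{
        AdministratorAccountName = $p.AdministratorAccountName
        BackupDirectory          = $backupDirectoryNames[[int]$p.BackupDirectory]
        BackupToAzureAD          = ($p.BackupDirectory -eq 1)
        PasswordAgeDays          = $p.PasswordAgeDays
        PasswordAgeInRange       = ($p.PasswordAgeDays -ge 7 -and $p.PasswordAgeDays -le 365)
        PasswordComplexity       = $complexityNames[[int]$p.PasswordComplexity]
        FullComplexity           = ($p.PasswordComplexity -eq 4)
        PasswordLength           = $p.PasswordLength
        PasswordLengthInRange    = ($p.PasswordLength -ge 8 -and $p.PasswordLength -le 64)
        PostAuthResetDelayHours  = $p.PostAuthenticationResetDelay
    }
}

function Get-LapsRecentEvents {
    param([int]$Hours = 24)
    # Windows LAPS records policy processing and password backup results here;
    # the hourly expiry check mentioned in the note above shows up in this log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$report = Get-LapsPolicyReport
$report | Format-List

if ($report.BackupToAzureAD -and $report.PasswordAgeInRange -and $report.PasswordLengthInRange) {
    Write-Host 'LAPS policy matches the configuration chosen in Intune.'
} else {
    Write-Warning 'LAPS policy deviates from the expected configuration; review the report above.'
}

Get-LapsRecentEvents | Format-Table -AutoSize -Wrap
```

The report surfaces the same six values the registry screenshot shows, but as named meanings with pass/fail flags, which is easier to collect from many devices than reading raw integers.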

Retrieving the LAPS admin password

The LAPS admin account password is stored in both Intune and Azure AD, so we can retrieve it from both portals.

Retrieve password with Intune

  1. Log in to the Intune portal.
  2. Go to Devices > All Devices.
  3. Click the device that is targeted by the Windows LAPS policy.
  4. On the left-hand side, under Monitor, find the Local admin password option.
  5. Click Show local administrator password.

    Retrieving the password from Intune

  6. Click Show to check the password in plain text.

    Show password option

Retrieve password with Microsoft Entra

  1. Log in to the Entra admin center (or Azure AD Portal).
  2. Go to Devices > All devices.
  3. Click the Local administrator password recovery (Preview) option on the left side, and then click the Show local administrator password option for the device for which you want to retrieve the password.

    Retrieving the password from AAD
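The same retrieval can be scripted, which is useful when you want to confirm that backups are arriving for many devices without exposing the clear-text value. The following is an added example (not from the article) that assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds one of the roles listed in the prerequisites, and that the LAPS module shipped with the April 2023 update (which provides Get-LapsAADPassword) is available. The device name PC-EXAMPLE-01 is constructed.

```powershell
# Added example, not from the article: read Windows LAPS metadata and, only on
# request, the clear-text password backed up to Azure AD for one device.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module LAPS   # ships with Windows after the April 2023 update

# DeviceLocalCredential.Read.All is needed to read the backed-up password;
# Device.Read.All lets us resolve the device by its display name.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

function Get-LapsPasswordForDevice {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [switch]$ShowPassword
    )

    # Resolve the Azure AD device ID (not the directory object ID) by name
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" -ErrorAction Stop
    if (-not $device) { throw "Device '$DeviceName' not found in Azure AD." }
    if (@($device).Count -gt 1) { throw "Display name '$DeviceName' is ambiguous; use the device ID instead." }

    if ($ShowPassword) {
        # Returns the clear-text password; this read is recorded in the Azure AD
        # audit log as 'Recover device local administrator password'.
        Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText
    } else {
        # Without -IncludePasswords only metadata (account name, last update and
        # expiration time) is returned, which is enough to prove backup works.
        Get-LapsAADPassword -DeviceIds $device.DeviceId
    }
}

# Check that a password has been backed up and when it will expire
Get-LapsPasswordForDevice -DeviceName 'PC-EXAMPLE-01' | Format-List

# Pull the clear-text value only when you actually need to sign in
# Get-LapsPasswordForDevice -DeviceName 'PC-EXAMPLE-01' -ShowPassword
```

Keeping the metadata-only call as the default means routine health checks never touch the clear-text password, so the audit log for password recoveries stays limited to genuine sign-in needs.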

Sign in with the LAPS admin account

Once you have retrieved the password, you can log in to the managed device using .\<local account name> as the username and the LAPS password.

Signing in with the LAPS admin account

Force rotation of the LAPS admin password

As the local admin account is now managed by Intune, the password is automatically rotated based on the setting configured for Password age days, which in this case is every seven days.

However, the password can also be manually rotated by an administrator in the event of a security breach in which the local admin password is compromised.

  1. Log in to the Intune portal.
  2. Go to Devices > Windows > select the required device.
  3. Click the three dots in the top menu, and then select Rotate local admin password.

    Manual password rotation
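If you are already on the device (for example during incident response, before the Intune action has had time to reach it), the rotation can also be forced locally. The following is an added example (not from the article); it assumes the LAPS module shipped with the April 2023 update (which provides Reset-LapsPassword), an elevated session on the managed device, and the Microsoft-Windows-LAPS/Operational event log as the place where the result is recorded.

```powershell
# Added example, not from the article: force a local rotation of the LAPS-managed
# account and confirm from the operational log that no error followed it.
Import-Module LAPS

function Invoke-LapsRotationWithCheck {
    param([int]$WaitSeconds = 30)

    $started = Get-Date

    # Resets the managed account's password immediately and backs the new value
    # up to the directory configured in BackupDirectory (Azure AD in this article).
    Reset-LapsPassword -ErrorAction Stop

    # Give the backup a moment, then collect the LAPS events written since we began
    Start-Sleep -Seconds $WaitSeconds
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        StartTime = $started
    } -ErrorAction SilentlyContinue)

    # An Error-level event after the reset means the new password may not have
    # reached Azure AD; resolve that before trusting the value shown in the portal.
    $failures = @($events | Where-Object LevelDisplayName -eq 'Error')
    if ($failures.Count -gt 0) {
        Write-Warning "LAPS reported $($failures.Count) error(s) after the rotation:"
        $failures | Select-Object TimeCreated, Id, Message | Format-List
    } else {
        Write-Host "Rotation requested at $started; no LAPS errors logged since."
    }

    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Invoke-LapsRotationWithCheck | Format-Table -AutoSize -Wrap
```

After the rotation, the password shown under Local admin password in Intune or Entra is the new one; the old value retrieved earlier no longer works.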

Auditing LAPS

LAPS activities can be audited from Azure AD. From the Azure AD portal, navigate to Devices > Audit Logs. Then search for Update device local administrator password or Recover device local administrator password to view the audit events.

Accessing the audit logs
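For regular review, or to forward these events to a SIEM, the two activities named above can be pulled from the Azure AD audit log with Microsoft Graph PowerShell. The following is an added example (not from the article); it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account is allowed to read audit logs (the AuditLog.Read.All scope). The activity names are exactly those shown in the portal.

```powershell
# Added example, not from the article: list Windows LAPS password updates and
# recoveries from the Azure AD audit log and summarise who read passwords.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All'

function Get-LapsAuditEvents {
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    # The two activity names are the ones the article tells you to search for
    $filter = "activityDateTime ge $since and (" +
              "activityDisplayName eq 'Update device local administrator password' or " +
              "activityDisplayName eq 'Recover device local administrator password')"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        # Prefer the signed-in user's UPN; fall back to the app or service name
        $initiator = $_.InitiatedBy.User.UserPrincipalName
        if (-not $initiator) { $initiator = $_.InitiatedBy.App.DisplayName }

        [pscustomobject]@{
            Time      = $_.ActivityDateTime
            Activity  = $_.ActivityDisplayName
            Result    = $_.Result
            Initiator = $initiator
            Device    = ($_.TargetResources | Select-Object -First 1).DisplayName
        }
    }
}

$events = @(Get-LapsAuditEvents -Days 7)
$events | Sort-Object Time -Descending | Format-Table -AutoSize

# Who read clear-text passwords, and how often: a useful weekly review
$events | Where-Object Activity -eq 'Recover device local administrator password' |
    Group-Object Initiator | Select-Object Name, Count | Sort-Object Count -Descending
```

A recovery event for a device that nobody was working on, or a run of recoveries by one account across many devices, is the pattern this summary is meant to make visible.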

Conclusion

Enabling Windows LAPS with Azure AD through Intune offers various benefits with regard to accessibility, scalability, automatic updates, and disaster recovery for managing local admin passwords. However, it's important to note that this feature is currently in public preview. Azure's role-based access control ensures that access to clear-text passwords is restricted to authorized individuals holding specific administrative roles, such as Global Administrators, Cloud Device Administrators, and Intune Administrators.

2 Comments
  1. Nosbus 3 months ago

    Nice write up.

    Does AAD store old admin passwords? For example, we back up certain machines for DR or VIP needs, so the backup image could have an older password for admin access.

    • Mohammed Kaif (Author) 2 months ago

      Thanks Nosbus.
      As the password is configured to rotate automatically after x number of days (based on what is configured in the policy), when the backup is restored it should rotate based on the timestamp.

© 4sysops 2006 - 2023