Deep Dive: Implementing and Managing Microsoft LAPS for Entra ID
Managing local admin passwords across hundreds (or thousands) of Windows devices can be a security nightmare. Password reuse, weak passwords, and never-changing credentials open the door for lateral movement and attacks. That’s where Windows LAPS (Local Administrator Password Solution) comes in—especially now that it integrates with Microsoft Entra ID (Azure AD).
This post breaks down what Windows LAPS does, why it’s crucial, and how to deploy it for cloud, hybrid, and on-prem environments—with practical tips for secure rollout and password management.
What Is Windows LAPS for Microsoft Entra ID?
Windows LAPS automates the creation and rotation of local administrator passwords on Windows devices. Instead of a single “admin123” floating around your organization for years, LAPS ensures every Windows device has a unique, strong password for its local admin account—and those passwords are backed up securely in Microsoft Entra ID (formerly Azure AD). LAPS also supports hybrid and on-premises Active Directory deployments.
Security Benefits
- Prevents lateral movement: Attackers can’t use a compromised password to access multiple devices.
- Stops pass-the-hash attacks: Frequently changing, unique passwords make credential theft much harder.
- Auditable recovery: Authorized roles can see when passwords are set, viewed, or rotated.
- Centralized, encrypted storage: Credentials are backed up and protected in Entra ID or AD, not on disk.
Supported Deployment Models
- Entra-joined devices: Passwords are stored in Microsoft Entra ID.
- Hybrid join: Devices can sync with both cloud and on-premises directories.
- On-prem AD join: Passwords backed up to Active Directory.
- Manual configuration: For advanced needs, LAPS can be set up directly through registry edits and PowerShell, which also allow passwords to be rotated on demand.
Configuring LAPS for Microsoft Entra ID
Method 1: Microsoft Entra Admin Center
- Sign in to entra.microsoft.com
- Navigate: Identity → Devices → Device settings
- Find and set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes
- Click Save
This turns on tenant-wide LAPS capabilities for all Entra-joined Windows devices.

Method 2: Intune Endpoint Security
- Go to: Endpoint security → Account protection → + Create policy
- Select Platform: Windows 10 and later
- Pick Profile: Local admin password solution (Windows LAPS)
- Configure key settings:
  - Backup Directory: Entra ID (recommended for cloud and hybrid)
  - Password Age Days: 7–365 days (how often passwords rotate)
  - Password Complexity: Include uppercase, lowercase, numbers, symbols
  - Password Length: Choose 8–64 characters
  - Administrator Account Name: Specify, or use the default (Administrator)
  - Post Authentication Actions: Options like password reset, log off, reboot after use
  - Reset Delay: Set a window (0–24 hours) to delay rotation post-auth
- Assign the policy to device groups (never just user groups)
- Review and Create
Intune pushes the LAPS configuration to targeted devices automatically.
Method 3: Group Policy (GPO)
Hybrid environments can still use traditional Group Policy, especially for legacy Windows management. Configure LAPS settings in GPO, point devices to the right backup directory (AD/Entra), and ensure policies deploy to all target devices.
Method 4: Registry or PowerShell
For advanced and custom deployments, you can manually set registry keys or run PowerShell commands to activate and configure LAPS client settings. This approach is mainly used for troubleshooting or specialized scenarios.
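The registry route described here, as an added example that is not part of the original post: it writes the same settings the Intune profile exposes into the Windows LAPS local-configuration key, triggers policy processing, and reads the result back. It assumes an elevated session on a device with the built-in LAPS client; the key path, value names and numeric encodings are from the Windows LAPS documentation as I understand it, and the chosen values are this example's own, not the post's recommendation.

```powershell
# Added example: configure Windows LAPS through the registry (Method 4) and verify it.
# HKLM\...\LAPS\Config is the local-configuration key; it has lower precedence than
# settings delivered by Intune (CSP) or Group Policy, so it is mainly for lab/troubleshooting.
$config = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
if (-not (Test-Path $config)) { New-Item -Path $config -Force | Out-Null }

$settings = @{
    BackupDirectory              = 1     # 0 = disabled, 1 = Entra ID, 2 = on-prem AD
    PasswordAgeDays              = 30    # rotation interval, 7-365 days (value is this example's choice)
    PasswordComplexity           = 4     # upper + lower + digits + symbols
    PasswordLength               = 20    # 8-64 characters
    AdministratorAccountName     = 'LocalAdmin'   # omit to manage the built-in Administrator account
    PostAuthenticationResetDelay = 2     # hours after an authenticated use before rotation (0-24)
    PostAuthenticationActions    = 3     # 1 = reset password, 3 = reset + log off, 5 = reset + reboot
}

foreach ($entry in $settings.GetEnumerator()) {
    # Strings (account name) are REG_SZ; everything else is a REG_DWORD
    $type = if ($entry.Value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $config -Name $entry.Key -Value $entry.Value `
        -PropertyType $type -Force | Out-Null
}

# Apply the new configuration now rather than waiting for the next processing cycle
Import-Module LAPS
Invoke-LapsPolicyProcessing

# Read back what was written; BackupDirectory must be 1 for the Entra ID target
Get-ItemProperty -Path $config |
    Select-Object BackupDirectory, PasswordAgeDays, PasswordLength,
                  PasswordComplexity, AdministratorAccountName
```

If the device is also targeted by an Intune or GPO LAPS policy, those settings win over this key, so check the effective values with Get-LapsDiagnostics rather than trusting the registry alone.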
Role-Based Access Control (RBAC) Essentials
Viewing, retrieving, and rotating LAPS passwords requires proper permissions:
- Entra permissions: Assign DeviceLocalCredential.Read.All to admins needing access to credentials.
- Intune RBAC roles:
  - Managed devices: Read (to view devices)
  - Remote tasks: Rotate Local Admin Password (to force password changes)
- For niche access, build custom RBAC roles to match organizational needs.
Only authorized users should ever access or rotate passwords, and logging/auditing will record all access events.
Managing Passwords: Retrieval & Rotation
- Use the Intune Admin Center or Microsoft Graph PowerShell:
  - Get-LapsAADPassword to retrieve the current local admin password for a device
  - Reset-LapsPassword to manually rotate the password
- All passwords are encrypted and viewable only by those granted proper permissions.
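The retrieval flow above, as an added example that is not part of the original post: it checks a set of Entra-joined devices for missing or expired LAPS backups using metadata only, and reads the actual secret for one device separately under the stronger permission. It assumes the built-in LAPS module plus Microsoft.Graph.Authentication; the device names are constructed placeholders, and the PasswordExpirationTime property name is assumed from the cmdlet's output.

```powershell
# Added example: audit LAPS backup coverage, then retrieve one secret only when needed.
Import-Module LAPS
# ReadBasic is enough for metadata; Read.All is required only when -IncludePasswords is used.
Connect-MgGraph -Scopes 'DeviceLocalCredential.ReadBasic.All', 'Device.Read.All'

$devices = @('WS-LAB-01', 'WS-LAB-02', 'WS-LAB-03')   # constructed sample device names

$report = foreach ($name in $devices) {
    try {
        # Without -IncludePasswords only account, update and expiration metadata is returned
        $cred = Get-LapsAADPassword -DeviceIds $name -ErrorAction Stop
    } catch {
        # No credential object: LAPS has never backed up a password for this device
        [pscustomobject]@{ Device = $name; Status = 'NO-BACKUP'; Expires = $null }
        continue
    }
    $status = if ($cred.PasswordExpirationTime -lt (Get-Date)) { 'EXPIRED' } else { 'OK' }
    [pscustomobject]@{ Device = $name; Status = $status; Expires = $cred.PasswordExpirationTime }
}

# Devices listed as NO-BACKUP or EXPIRED are the ones to investigate first
$report | Sort-Object Status | Format-Table -AutoSize

# Reading the secret itself needs DeviceLocalCredential.Read.All and is written to the
# Entra audit log. The password comes back as a SecureString unless -AsPlainText is added.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
$one = Get-LapsAADPassword -DeviceIds 'WS-LAB-01' -IncludePasswords
$one | Select-Object DeviceName, Account, PasswordExpirationTime
```

Reset-LapsPassword runs on the device itself (for example from an admin session or an Intune script), so forcing rotation from the admin side is done with the Intune "Rotate local admin password" remote action instead.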
Best Practices & Testing
- Test on non-production devices first: Validate your policy application and access controls.
- Set rotation frequency (Password Age Days) based on risk level: More frequent rotation for devices facing external threats.
- Regularly review access logs: Ensure only authorized personnel are retrieving or rotating credentials.
- Combine LAPS with other endpoint security policies: For layered defense against credential attacks.
Resources & Further Reading
Microsoft LAPS for Entra ID isn’t just a box to tick—it’s a critical control to eliminate static local admin passwords, lock down your endpoints, and ensure compliance. When deployed right, it provides security that’s invisible to users but powerful for IT admins.