
Step-by-Step – Windows LAPS With Microsoft Entra and Intune


Updated – 25/10/2023 – Windows Local Administrator Password Solution with Microsoft Entra ID is now Generally Available!

Managing local administrator accounts can be challenging, especially in large environments with numerous systems and multiple administrators. One of the significant challenges is ensuring that local administrator passwords are strong, unique, and regularly updated to prevent unauthorized access and potential security breaches.

Windows LAPS has been revamped to integrate into the Windows platform to securely rotate and backup passwords using Microsoft Entra ID (formerly Azure AD).

In this article, we will discuss Windows LAPS with Microsoft Entra and show you how to use it with Microsoft Intune.

What is LAPS (Local Administrator Password Solution)?

Many years ago, the Microsoft Local Administrator Password Solution (LAPS) was introduced as a solution to address local admin account challenges. It was initially described as a “sophisticated and efficient method for Active Directory domain-joined systems, which regularly assigns a new random and distinct value to each computer’s admin account password.”

As we all know, every Windows device comes with a built-in local administrator account that we must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. LAPS is a Windows feature that automatically manages and backs up the password of the local admin account. LAPS was designed to help you protect your devices from these kinds of attacks.

The LAPS solution stores passwords in a secured confidential attribute on the corresponding computer object in Active Directory, and only specifically authorized users can retrieve them. This requires extending the Active Directory schema using PowerShell.

LAPS Tab in Active Directory

Both legacy Microsoft LAPS and Windows LAPS can be managed with Group Policy, but Microsoft announced that they are making Windows LAPS available for both Entra ID (Azure AD) joined and hybrid Entra ID (Azure AD) joined devices.


If you plan to set up a Local Administrator Password Solution (LAPS) for your Intune tenant for the first time, it is important to note that it is a one-time process with specific prerequisites. To ensure that Intune can support Windows LAPS in your tenant, you need to meet the following requirements:

1. Licensing requirements

  • Intune subscription: Microsoft Intune Plan 1 is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
  • Microsoft Entra ID: Microsoft Entra ID Free is the free version of Microsoft Entra ID that is included when you subscribe to Intune. With Microsoft Entra ID Free, you can use all the features of LAPS.

2. Active Directory Support

Intune policy for Windows LAPS can configure a device to back up a local administrator account and password to one of the following directory types:

  • Cloud: Cloud supports backup to your Microsoft Entra ID for the following scenarios: Microsoft Entra hybrid join and Microsoft Entra join.
  • On-Premises: On-premises supports backing up to Windows Server Active Directory (on-premises Active Directory).

3. Operating system updates

The following Windows OS platforms, with the specified update or later installation, are supported for implementing Windows LAPS:

Now, how to use Windows Local Administrator Password Solution with Microsoft Entra (formerly Azure AD)?

Turn On LAPS in Microsoft Entra

You can turn on LAPS with a tenant-wide policy in Entra ID using a single click in the Microsoft Entra admin center.

Sign in to the Microsoft Entra admin center, then under Azure Active Directory > Devices, select All Devices, and then click on Device settings. Scroll down to the Local administrator settings and then select ‘Enable Azure AD Local Administrator Solution (LAPS)‘ and hit ‘Save‘ as shown in the figure below.

Enable Azure AD Local Administrator Password Solution (LAPS)
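The tenant-wide switch described above can also be flipped from a script, which is handy when you want the change to be repeatable and auditable. The following is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to Policy.ReadWrite.DeviceConfiguration, and that the deviceRegistrationPolicy resource is updated with a full-object PUT (confirm this against the current Graph reference before relying on it).

```powershell
# Added example: enable Entra LAPS tenant-wide through Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; Policy.ReadWrite.DeviceConfiguration
# consented; deviceRegistrationPolicy accepts a full-object PUT.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.DeviceConfiguration' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'

function Get-EntraLapsState {
    # Returns $true when the tenant-wide LAPS setting is enabled.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    return [bool]$policy.localAdminPassword.isEnabled
}

function Enable-EntraLaps {
    # Read the whole policy, change only the LAPS flag, and write the object back.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($policy.localAdminPassword.isEnabled) {
        Write-Host 'Entra LAPS is already enabled.'
        return
    }
    # OData metadata returned by GET is not accepted in the request body; drop it.
    foreach ($key in @($policy.Keys | Where-Object { $_ -like '@odata*' })) {
        $policy.Remove($key)
    }
    $policy.localAdminPassword.isEnabled = $true
    Invoke-MgGraphRequest -Method PUT -Uri $uri -ContentType 'application/json' `
        -Body ($policy | ConvertTo-Json -Depth 10) | Out-Null
}

Enable-EntraLaps
if (Get-EntraLapsState) {
    Write-Host 'Entra LAPS is enabled for the tenant.'
} else {
    Write-Warning 'Entra LAPS is still disabled; inspect the PUT response.'
}
```

Re-reading the policy after the write (Get-EntraLapsState) is the check you want in a change ticket: the setting is only done when the tenant reports it as enabled, not when the request returned.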

Once you have enabled Windows LAPS with Entra ID, you need to configure the client-side policy and set the BackUpDirectory to Entra ID.

If you already have Microsoft Intune licenses, then you can use Intune to manage client-side policies (more on this in the next section), or you can use Group Policy Objects (GPO) to manage client-side policies.

Manage Windows LAPS using Microsoft Intune

The Intune LAPS policy enables the management of local administrator accounts on devices, though it only supports a single account per device. It is important to note that the Intune policy takes precedence over a policy deployed through Group Policy Object (GPO).

Utilizing Microsoft Intune for LAPS management can enhance security in remote help desk scenarios and facilitate the recovery of otherwise inaccessible devices.

To initiate the deployment of the LAPS policy, you need to access Microsoft Intune Admin Center and navigate to Endpoint security > Account protection. From there, choose the option to create a new policy.

Next, select the platform (Windows 10 or later), and then choose the Local admin password solution (Windows LAPS) profile and click Create.

Create Local admin password solution (Windows LAPS) Profile

Next, on the Basics tab provide a suitable name for the policy and then proceed to select the Configuration settings that align with your organization’s requirements. You can configure the following settings for LAPS:

* Backup Directory: You can use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: Disabled (the password will not be backed up), Backup the password to Azure AD only, Backup the password to Active Directory only, or Not configured.

* Password Age Days: You can use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days. This setting has a minimum allowed value of 1 day when backing up the password to on-premises Active Directory, and 7 days when backing up the password to Azure AD. This setting has a maximum allowed value of 365 days.

* Administrator Account Name: You can use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by a well-known SID (even if renamed). If specified, the specified account’s password will be managed. Note: if a custom-managed local administrator account name is specified in this setting, that account must be created via other means. Please note that specifying a name in this setting will not cause the account to be created.

* Password Complexity: You can use this setting to configure the password complexity of the managed local administrator account. The allowable settings are Large letters, Large letters + small letters, Large letters + small letters + numbers, Large letters + small letters + numbers + special characters, or Not configured.

* Password Length: You can use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters.

* Post Authentication Actions: You can use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and log off the managed account).

* Post-Authentication Reset Delay: You can use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours.
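Before rolling the Intune profile out, it is useful to validate the same settings on one lab device and watch what the LAPS engine does with them. The following is an added example, not code from the original post. It uses the Windows LAPS local-configuration registry key, which I assume (check the current Microsoft documentation) lives at HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config and uses the same value names as the CSP; local configuration has the lowest precedence, so an Intune (CSP) or GPO setting will override it, which is exactly what you want once the real policy arrives. Invoke-LapsPolicyProcessing and the Microsoft-Windows-LAPS/Operational log are built into Windows.

```powershell
# Added example: stage the settings listed above on a lab device via Windows LAPS
# local configuration, force a policy run, and read the operational log.
# Assumptions: elevated session; Entra joined device with the built-in LAPS module;
# local-configuration key path verified against Microsoft's documentation.
#Requires -RunAsAdministrator
$configKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'

# Values mirror the Intune profile settings described above.
$lapsSettings = @{
    BackupDirectory              = 1   # 0 = disabled, 1 = Entra ID (Azure AD), 2 = on-premises AD
    PasswordAgeDays              = 30  # minimum is 7 when backing up to Entra ID
    PasswordComplexity           = 4   # upper + lower + numbers + special characters
    PasswordLength               = 20  # allowed range 8..64
    PostAuthenticationResetDelay = 8   # hours after an authentication before actions run
    PostAuthenticationActions    = 3   # reset the password and log off the managed account
}

function Set-LapsLocalConfig {
    param([hashtable]$Settings)
    # Enforce the constraints from the settings list before touching the registry.
    if ($Settings.BackupDirectory -eq 1 -and $Settings.PasswordAgeDays -lt 7) {
        throw 'PasswordAgeDays must be at least 7 when backing up to Entra ID.'
    }
    if ($Settings.PasswordLength -lt 8 -or $Settings.PasswordLength -gt 64) {
        throw 'PasswordLength must be between 8 and 64.'
    }
    if ($Settings.PostAuthenticationResetDelay -gt 24) {
        throw 'PostAuthenticationResetDelay cannot exceed 24 hours.'
    }
    if (-not (Test-Path $configKey)) { New-Item -Path $configKey -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $configKey -Name $name -Value $Settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

Set-LapsLocalConfig -Settings $lapsSettings

# Re-evaluate policy now instead of waiting for the next background cycle.
Invoke-LapsPolicyProcessing

# The operational log records which policy source won and whether the Entra backup succeeded.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

The validation in Set-LapsLocalConfig encodes the minimum and maximum values from the list above, so a profile that Intune would reject (for example a 3-day age with an Entra backup) fails loudly on the lab box rather than silently falling back to a default.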

Configure Windows LAPS Profile settings

Once done, you need to assign the policy to the desired users, groups, or devices, thus completing the deployment of LAPS with Intune.

Note: It’s recommended to assign the LAPS policy to device groups. When policies are assigned to user groups, they follow the user as they switch devices. This can lead to inconsistent behavior, such as uncertainty regarding which account the device backs up or when the password for managed accounts is scheduled for rotation.

Assign Windows LAPS Profile policy with Intune

Last, in Review + Create, review your settings and then select Create. When you select Create, your changes are saved, and the LAPS profile is assigned. The policy is also visible in the policy list, as shown in the figure below.

Endpoint security | Account protection policy list

Once the LAPS profile is assigned, the helpdesk can view rotated passwords and manually rotate passwords.


View Passwords using Entra ID and Intune

To obtain the local administrator password for a device, you have two options: Azure AD (Microsoft Entra) or Microsoft Intune.

In Azure AD, helpdesk admins can now view rotated passwords under the Devices | Local administrator password recovery blade in Azure AD or Microsoft Entra.

Locate the specific device within Azure AD or Microsoft Entra, click the “Local administrator password recovery” blade, select the local administrator password, and click “Show” or copy the password to the clipboard.

Show local administrator password in Entra ID

Using Microsoft Intune, you need to locate the specific device within Intune and then click on “Local admin password,” as shown in the figure below, then choose the option to “Show local administrator password,” allowing you to retrieve the current password for administrative access.

Show local administrator password in Intune

As described in the previous section, the LAPS policy incorporates a predefined schedule for automatically rotating account passwords using the “Password Age Days” settings. However, apart from the scheduled rotation, you have the option to manually rotate the password for a device using the Intune device action called “Rotate local admin password.” This manual rotation allows for independent password changes on the device, separate from the rotation schedule defined by the device’s LAPS policy.

Rotate the local admin password manually in Intune

That’s it, there you have it!

Role-Based Access Controls for LAPS

To manage LAPS, an account must have sufficient role-based access control (RBAC) permissions to complete a desired task. As a best practice, you should create a custom role to view LAPS passwords, and then manage that role with Privileged Identity Management (PIM).

The following are the available tasks for LAPS with their required permissions:

* Create and access LAPS policy – To work with and view LAPS policies, your account must be assigned sufficient permissions from the Intune RBAC category for Security baselines. By default, these are included in the built-in role of Endpoint Security Manager. To use custom roles, ensure the custom role includes the rights from the Security baselines category.

* Rotate local Administrator password – To use the Intune admin center to view or rotate a device’s local admin account password, your account must be assigned the following Intune permissions:

  • Managed devices: Read
  • Organization: Read
  • Remote tasks: Rotate Local Admin Password

* Retrieve local Administrator password – To view password details, your account must have one of the following Microsoft Entra ID permissions:


* View Microsoft Entra audit logs and events – To view details about LAPS policies and recent device actions, such as password rotation events, your account must have permissions equivalent to the built-in Intune role Read Only Operator.

To create custom roles that can grant these permissions, see Create and assign a custom role in Microsoft Entra ID in the Microsoft Entra ID documentation.
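The best practice stated above (a custom role limited to reading LAPS passwords, governed by PIM) can be scripted so that nobody ends up holding Global Administrator just to help a user log in. The following is an added example, not code from the original post. It assumes the Microsoft.Graph SDK, a caller permitted to create custom directory roles and PIM eligibilities, a role-assignable help desk group whose object ID is a placeholder here, and that the resource actions microsoft.directory/deviceLocalCredentials/standard/read and microsoft.directory/deviceLocalCredentials/password/read are the ones Entra uses for LAPS metadata and password reads respectively.

```powershell
# Added example: least-privilege custom role for LAPS password retrieval, made
# eligible (not permanently active) for a help desk group through PIM.
# Assumptions: Microsoft.Graph SDK installed; caller can manage custom roles and PIM;
# $helpDeskGroupId is a placeholder for a role-assignable group.
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' -NoWelcome

$helpDeskGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group object ID

function New-LapsReaderRole {
    # standard/read lists credential metadata; password/read is what reveals the secret.
    $params = @{
        DisplayName     = 'LAPS Password Reader'
        Description     = 'Read Windows LAPS passwords stored in Microsoft Entra ID'
        IsEnabled       = $true
        RolePermissions = @(
            @{ AllowedResourceActions = @(
                'microsoft.directory/deviceLocalCredentials/standard/read',
                'microsoft.directory/deviceLocalCredentials/password/read'
            ) }
        )
    }
    return New-MgRoleManagementDirectoryRoleDefinition @params
}

function Grant-LapsReaderEligibility {
    param([string]$RoleDefinitionId, [string]$PrincipalId)
    # Eligible means the help desk must activate the role (MFA/justification per your
    # PIM settings) before the permission is live, and every activation is logged.
    $request = @{
        Action           = 'adminAssign'
        Justification    = 'Help desk LAPS password retrieval'
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = '/'
        PrincipalId      = $PrincipalId
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime().ToString('o')
            Expiration    = @{ Type = 'afterDuration'; Duration = 'P365D' }
        }
    }
    return New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
}

$role = New-LapsReaderRole
Grant-LapsReaderEligibility -RoleDefinitionId $role.Id -PrincipalId $helpDeskGroupId
```

Pair this with a PIM activation policy that requires MFA and a ticket number; the Entra audit log then gives you a per-activation record of who could read passwords and when, which is the "audit logs and events" task from the list above.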


How much does it cost to use Windows LAPS in Entra ID?

LAPS is available for Free in Entra ID.

Is Microsoft Intune required to Manage Windows LAPS?

No. Suppose your devices are Entra ID joined, but you’re not using Microsoft Intune, or Microsoft Intune isn’t supported (like for Windows Server 2016/2019/2022). In that case, you can manually deploy and manage Windows LAPS for Entra ID using Group Policy.

How is Windows LAPS managed?

Windows LAPS with Entra ID (Azure AD) supports management through Group Policy Objects (GPO) for hybrid Entra ID joined devices ONLY. For Entra ID joined and hybrid Entra ID joined (co-managed) devices, you can use Microsoft Intune or any other third-party MDM of your choice.

Please note that if your servers are domain-joined, then you also must have hybrid Azure Active Directory join configured in your environment (either through Federation or Azure AD Connect Sync), and Azure AD Connect Sync must include the device (server) objects in scope (OU) for synchronization with Azure Active Directory (when needed for join).

Configure Hybrid Entra ID join in Entra ID Connect

What happens when a device is deleted in Entra ID?

If a device is deleted in Entra ID, the associated LAPS credential and the password stored in Entra ID are lost. Unless a custom workflow is implemented to retrieve and store LAPS passwords externally, there is no built-in method in Entra ID to recover the LAPS-managed password for a deleted device.

What roles are needed to obtain LAPS passwords?

The permission to read LAPS passwords is granted to certain built-in roles in Azure AD, including Global Administrator, Cloud Device Administrator, and Intune Administrator.

What is the difference between Windows LAPS and Microsoft LAPS?

Windows LAPS incorporates several design concepts from the legacy Microsoft LAPS. If you are acquainted with the legacy Microsoft LAPS, you will find many familiar features in Windows LAPS. However, a significant distinction is that Windows LAPS is a distinct implementation integrated directly into the Windows platform.

Additionally, Windows LAPS introduces numerous features not present in the legacy Microsoft LAPS. With Windows LAPS, you can securely back up passwords to Azure Active Directory, encrypt passwords within Windows Server Active Directory, and maintain a record of your password history.

You can still download an earlier version of Local Administrator Password Solution, legacy Microsoft LAPS.

Can we migrate Microsoft LAPS to Windows LAPS?

Windows Local Administrator Password Solution can be configured to respect the Group Policy settings from the legacy Microsoft LAPS, albeit with certain restrictions and limitations. This functionality is referred to as the “legacy Microsoft LAPS emulation mode.”

Emulation mode can be utilized when migrating an existing deployment of the legacy Microsoft LAPS. Please refer to the official documentation to plan your migration.

Can I run Microsoft LAPS and Windows LAPS side-by-side?

You may need to implement a more gradual migration procedure from legacy Microsoft LAPS to Windows LAPS as a transient side-by-side coexistence approach.

Please note that with this approach, it’s necessary to create a second local admin account since Microsoft does NOT support having both a Windows LAPS policy and a legacy LAPS policy targeting the same account.

In this scenario, the second local admin account would be managed exclusively by Windows LAPS, not legacy LAPS, so that the password can go straight into Entra ID. If you try to manage the same account with Windows LAPS while the legacy MSI is still installed, it will fail.

Once you have a new local admin account in Entra ID, you can start the decommissioning process for the Legacy MSI LAPS (Monitor, Remove policy, and uninstall legacy MSI LAPS) as Microsoft described in this guide.
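Both the "Administrator Account Name" note above (a custom-named managed account must be created by other means) and the side-by-side coexistence approach need that second local administrator account to exist before Windows LAPS can take it over. The following is an added example, not code from the original post, of creating it in a way that leaves no password anyone needs to know: it assumes an elevated session on the device and that LapsAdmin is a placeholder for whatever name your Intune profile specifies.

```powershell
# Added example: create the local administrator account Windows LAPS will manage.
# Assumptions: elevated session; $managedAccount matches the profile's
# "Administrator Account Name" (placeholder value here).
#Requires -RunAsAdministrator
$managedAccount = 'LapsAdmin'   # placeholder; must equal the profile's Administrator Account Name

function New-LapsManagedAccount {
    param([string]$Name)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name already exists; leaving it for Windows LAPS to manage."
        return
    }
    # Random throwaway initial password: LAPS rotates it on its first policy run,
    # so this value is never stored or shared.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $Name -Password $initial -AccountNeverExpires `
        -PasswordNeverExpires -Description 'Managed by Windows LAPS' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $Name
}

function Test-LapsManagedAccount {
    param([string]$Name)
    # $true only if the account exists, is enabled, and is a member of Administrators.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    $isAdmin = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like "*\$Name" }).Count -gt 0
    return ($null -ne $user) -and $user.Enabled -and $isAdmin
}

New-LapsManagedAccount -Name $managedAccount
Test-LapsManagedAccount -Name $managedAccount
```

Run Test-LapsManagedAccount as a compliance check after the profile has applied: if it returns $false, Windows LAPS has nothing to manage and the Intune profile will report an error rather than back up a password.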

How to mitigate abuse in Windows LAPS?

You gave a Windows LAPS password to a user. What prevents the user from putting their own account into the local Administrators group?

Through Microsoft Intune, you could leverage the new Policy CSP – LocalUsersAndGroups with restricted groups, which is available through the Account Protection menu. This setting allows you to manage local groups on a Device.

Configure local user group membership in endpoint security

Make sure you use the Replace action rather than Update in the account protection policy (configuration settings), so that any member a user adds to Administrators is removed again on the next policy refresh. And make sure the policy lists the LAPS-managed account itself among the members, otherwise Replace will remove it from the group.
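The Replace-versus-Update distinction is easy to get wrong in the portal, and getting it wrong with Replace removes the LAPS-managed account from Administrators. The following is an added example, not code from the original post, that builds the LocalUsersAndGroups XML an Account protection policy deploys and refuses to emit a Replace configuration that omits the managed account. The account name and the Entra group SID are placeholders; the XML shape follows the Policy CSP LocalUsersAndGroups schema (group action "R" for Replace, "U" for Update).

```powershell
# Added example: generate LocalUsersAndGroups XML with Replace, guarding against
# a configuration that would strip the LAPS-managed account from Administrators.
# Assumptions: placeholder account name and group SID; Policy CSP XML schema.
function New-AdminGroupPolicyXml {
    param(
        [Parameter(Mandatory)][string]$ManagedAccount,   # the Windows LAPS managed local admin
        [string[]]$Members = @(),                        # local names, SIDs, or AzureAD\user@domain
        [ValidateSet('R', 'U')][string]$Action = 'R'     # R = Replace, U = Update
    )
    # With Replace, the listed members become the entire group; anything missing is removed.
    if ($Action -eq 'R' -and $Members -notcontains $ManagedAccount) {
        throw "Replace without '$ManagedAccount' would remove the LAPS-managed account from Administrators."
    }
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    [void]$sb.AppendLine('  <accessgroup desc = "Administrators">')
    [void]$sb.AppendLine("    <group action = `"$Action`" />")
    foreach ($m in $Members) {
        $escaped = [System.Security.SecurityElement]::Escape($m)   # keep the XML well-formed
        [void]$sb.AppendLine("    <add member = `"$escaped`"/>")
    }
    [void]$sb.AppendLine('  </accessgroup>')
    [void]$sb.AppendLine('</GroupConfiguration>')
    return $sb.ToString()
}

$managed  = 'LapsAdmin'                                              # placeholder managed account
$tier1Sid = 'S-1-12-1-111111111-222222222-3333333333-4444444444'     # placeholder Entra group SID

# Correct: Replace with the managed account listed explicitly.
New-AdminGroupPolicyXml -ManagedAccount $managed -Members @($managed, $tier1Sid)

# Incorrect: Replace that forgets the managed account. The function throws instead of
# producing XML that would lock LAPS out of its own account.
try { New-AdminGroupPolicyXml -ManagedAccount $managed -Members @($tier1Sid) }
catch { Write-Warning $_.Exception.Message }

# Verify on a device after the policy applies: only the listed members should remain.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, SID, PrincipalSource
```

Paste the generated XML into the LocalUsersAndGroups setting of the Account protection policy; the final Get-LocalGroupMember call is the check to run on a device after a user has been handed a LAPS password, to confirm that any account they added has been removed again.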

Can we retrieve Entra LAPS Password history?

Yes. The Microsoft Entra and Intune portals only show the most recent password. However, Entra stores the LAPS password history, so if you do many snapshots and reverts for testing, the PowerShell commands below will show all the Windows LAPS passwords for a device and when they changed.

# Get Entra LAPS password history
# Requires the Microsoft.Graph PowerShell SDK. DeviceLocalCredential.Read.All returns the password itself; Device.Read.All resolves the device.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
$deviceName = 'xyz-123'
# The credential resource is keyed by the device's DeviceId, not its directory object ID; take the first match.
$deviceId = (Get-MgDevice -Filter "DisplayName eq '$deviceName'" | Select-Object -First 1).DeviceId
# Raw credential objects: base64 password, backup time, account name and SID, one entry per rotation
(Get-MgDirectoryDeviceLocalCredential -DeviceLocalCredentialInfoId $deviceId -Property credentials).credentials
# Same history decoded: backup timestamp followed by the clear-text password
(Get-MgDirectoryDeviceLocalCredential -DeviceLocalCredentialInfoId $deviceId -Property credentials).credentials |
    ForEach-Object { $_.BackupDateTime, [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_.PasswordBase64)) }

Conclusion and Final Thoughts

LAPS manages local account passwords on Windows devices. LAPS provides a solution to manage and retrieve the built-in local admin password securely. With the cloud version of LAPS, you can enable storage and rotation of local admin passwords for both Entra ID joined and hybrid Entra ID joined devices.

Combining LAPS with Intune is a potent combination that can effectively enhance the security of your Windows devices. This combination allows organizations to manage local administrator passwords through LAPS while enforcing policies and centralizing management through Intune. By doing so, organizations can reduce the risk of unauthorized access and strengthen their security posture.

In this article, we have delved into the LAPS solution, the requirements and advantages of configuring it with Intune, and the steps to implement LAPS with Intune. We hope this guide will be helpful for all Intune and Entra administrators looking to implement LAPS for their organization.

Thank you for reading our blog.

If you have any questions or feedback, please let us know in the comments section below.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
