How to configure Windows LAPS via Azure AD

This blog will guide you through setting up Windows Local Administrator Password Solution (LAPS) smoothly with Azure Active Directory (AD). We’ll take you through each step, making sure your system is updated with the newest Microsoft Intune features for easy management.

Intune, short for Microsoft Intune, is a cloud-based service that enables organizations to manage devices, applications, and users’ access to corporate resources. It offers comprehensive device management capabilities, including remote configuration, monitoring, and security enforcement for various endpoints, such as Windows, macOS, iOS, and Android devices.

With Intune support for Windows LAPS, you can configure and manage the local admin passwords on devices seamlessly by leveraging the Windows LAPS CSP.

Key functions of Intune LAPS policy:

• Quickly create and deploy LAPS policies to devices through the Intune admin centre.

• Access local admin account details for devices under management.

• Rotate passwords manually for enhanced security.

• Reports to monitor LAPS policy effectiveness.

Getting started

• Role-based access control (RBAC) permissions required for managing LAPS policies.

• Windows 10 or newer devices.

• Active Azure AD tenant with Microsoft Intune configured.

• Adequate permissions to manage LAPS policies within Intune such as Global Administrator, Intune Administrator, or any custom role with permissions specifically granted to manage device configuration profile

 Enable Windows LAPS in Azure AD 

1. Login to the Azure portal at https://portal.azure.com/

2. Click ‘Devices’ on the left hand side.

3. Select ‘Device settings’ from the menu.

4. Locate the option labeled ‘Enable Azure AD Local Administrator Password Solution (LAPS)’.

5. Toggle switch to ‘Yes’.

6. Click on ‘Save’ to apply the changes.

 Creating a LAPS Policy 

Follow these steps to create a LAPS policy using the Intune admin center:

1. Go to Intune admin center

2. Sign in to the Microsoft Intune admin centre

3. At the left pane of your screen click ‘Endpoint security’.

4. Click ‘Account protection’.

5. Click on create Policy.

6. Select platform (Choose Windows 10 and later).

7. Select profile (Windows local admin password solution).

8. Specify settings (Such as backup directory type).

9. Apply relevant scope tags as needed.

10. Select appropriate groups to receive the policy (Preferably device groups for consistency).

11. Verify the settings are correct.

12. Click create to have this policy.

 Viewing device actions status 

Monitor LAPS device action requests by the device status in the Intune admin center:

1. Go to devices.

2. Click all devices.

3. Click the device to view its overview panel.

4. Check device actions status to track completed and pending actions, including password rotations.

Viewing account and password details 

Accessing account and password details requires appropriate Microsoft Entra permissions.

1. Navigate to devices.

2. Click all devices.

3. Select device.

4. Click monitor.

5. Choose local admin password.

6. On windows, permissions permitting, look for account name, security ID and last/next times of password rotation.

 Manually rotating passwords 

In addition to scheduled rotations, manually rotate passwords using the Intune device action

1. Go to devices.

2. Click all devices.

3. Select windows device.

4. Expand and choose “Rotate local admin password”.

5. Confirm this action.

6. Now monitor the process until completion.

 Avoiding policy conflicts 

Avoiding policy conflicts ensures consistent security measures, streamlines management processes, and enhances system reliability. By preventing conflicts, organizations maintain compliance, optimize efficiency, and deliver a seamless user experience. To prevent conflicts and ensure smooth policy management

• Understand how conflicts arise and their impact on device settings.

• Resolve conflicts by adjusting policy assignments or configurations as needed.

Now after reading this blog, you will now have an optimal environment for configuring and managing Windows LAPS policies in Azure AD using Microsoft Intune and thereby improve security and ease of administration across your management estate.