
How to configure Windows LAPS via Azure AD

This blog will guide you through setting up Windows Local Administrator Password Solution (LAPS) smoothly with Azure Active Directory (AD). We’ll take you through each step, making sure your system is updated with the newest Microsoft Intune features for easy management.

Intune, short for Microsoft Intune, is a cloud-based service that enables organizations to manage devices, applications, and users’ access to corporate resources. It offers comprehensive device management capabilities, including remote configuration, monitoring, and security enforcement for various endpoints, such as Windows, macOS, iOS, and Android devices.

With Intune support for Windows LAPS, you can configure and manage the local admin passwords on devices seamlessly by leveraging the Windows LAPS CSP.

Key functions of Intune LAPS policy:

Getting started

Enable Windows LAPS in Azure AD

  1. Log in to the Azure portal at https://portal.azure.com/.

  2. Click ‘Devices’ on the left-hand side.

  3. Select ‘Device settings’ from the menu.

  4. Locate the option labeled ‘Enable Azure AD Local Administrator Password Solution (LAPS)’.

  5. Toggle the switch to ‘Yes’.

  6. Click on ‘Save’ to apply the changes.

Creating a LAPS Policy

Follow these steps to create a LAPS policy using the Intune admin center:

  1. Go to the Intune admin center.

  2. Sign in to the Microsoft Intune admin center.

  3. In the left pane, click ‘Endpoint security’.

  4. Click ‘Account protection’.

  5. Click ‘Create Policy’.

  6. Select the platform (choose ‘Windows 10 and later’).

  7. Select the profile (‘Windows local admin password solution’).

  8. Specify the settings (such as the backup directory type).

  9. Apply relevant scope tags as needed.

  10. Select the groups that should receive the policy (preferably device groups, for consistency).

  11. Verify that the settings are correct.

  12. Click ‘Create’ to create the policy.

Viewing device actions status

Monitor LAPS device action requests by checking the device status in the Intune admin center:

  1. Go to ‘Devices’.

  2. Click ‘All devices’.

  3. Click the device to view its overview panel.

  4. Check device actions status to track completed and pending actions, including password rotations.

Viewing account and password details

Accessing account and password details requires appropriate Microsoft Entra permissions.

  1. Navigate to ‘Devices’.

  2. Click ‘All devices’.

  3. Select the device.

  4. Click ‘Monitor’.

  5. Choose ‘Local admin password’.

  6. On Windows, permissions permitting, you will see the account name, the security ID, and the last and next password rotation times.

Manually rotating passwords

In addition to scheduled rotations, you can manually rotate a password using the Intune device action:

  1. Go to ‘Devices’.

  2. Click ‘All devices’.

  3. Select the Windows device.

  4. Expand the action menu and choose “Rotate local admin password”.

  5. Confirm the action.

  6. Monitor the process until it completes.
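As an added example (not code from the original post), the following PowerShell, run elevated on a managed Windows device, reads the settings the Intune LAPS policy delivered through the Windows LAPS CSP, warns when the backup directory is not Azure AD or a legacy LAPS policy is still present, and then forces an immediate policy pass so a rotation can be confirmed against the LAPS operational event log. The registry paths, value names and enum meanings are assumed from the Windows LAPS documentation; the Invoke-LapsPolicyProcessing cmdlet comes from the LAPS PowerShell module that ships with Windows LAPS.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Registry paths and value meanings are
# assumed from the Windows LAPS documentation (CSP policy and legacy LAPS policy).
$CspKey    = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'              # Intune / CSP-delivered policy
$LegacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # legacy LAPS GPO policy

function Get-LapsCspPolicy {
    # Returns the settings the Intune policy delivered, or $null if nothing has applied yet.
    if (-not (Test-Path $CspKey)) { return $null }
    $p = Get-ItemProperty -Path $CspKey
    [pscustomobject]@{
        # BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server Active Directory
        BackupDirectory          = $(switch ($p.BackupDirectory) { 0 {'Disabled'} 1 {'AzureAD'} 2 {'ActiveDirectory'} default {'NotSet'} })
        AdministratorAccountName = $p.AdministratorAccountName   # empty = built-in Administrator (RID 500)
        PasswordAgeDays          = $p.PasswordAgeDays
        PasswordLength           = $p.PasswordLength
        PasswordComplexity       = $p.PasswordComplexity
    }
}

function Test-LapsAzureAdReady {
    # Checks the two conditions behind most "password never shows up in Intune" tickets:
    # the backup directory is not Azure AD, or a legacy LAPS policy is still present.
    $policy = Get-LapsCspPolicy
    if ($null -eq $policy) {
        Write-Warning "No policy under $CspKey - the Intune LAPS policy has not applied to this device yet."
        return $false
    }
    $ok = $true
    if ($policy.BackupDirectory -ne 'AzureAD') {
        Write-Warning "BackupDirectory is '$($policy.BackupDirectory)'; expected 'AzureAD' for Azure AD-joined devices."
        $ok = $false
    }
    if (Test-Path $LegacyKey) {
        Write-Warning "Legacy LAPS policy found at $LegacyKey - review it to avoid conflicting settings."
        $ok = $false
    }
    return $ok
}

Get-LapsCspPolicy | Format-List

if (Test-LapsAzureAdReady) {
    # Force an immediate policy pass instead of waiting for the scheduled cycle,
    # then show the latest LAPS operational events so the rotation result can be confirmed.
    Invoke-LapsPolicyProcessing
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}
```

Run it after the “Rotate local admin password” action to confirm on the device side that the policy applied and the rotation was logged, before checking the password in the Intune admin center.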

Avoiding policy conflicts

Avoiding policy conflicts keeps security settings consistent, simplifies management, and improves system reliability. By preventing conflicts, organizations maintain compliance, work more efficiently, and give users a seamless experience. To prevent conflicts and ensure smooth policy management

After reading this blog, you will have an optimal environment for configuring and managing Windows LAPS policies in Azure AD using Microsoft Intune, improving security and ease of administration across your managed estate.
