Activate Windows LAPS in Azure AD (Microsoft Entra ID)

August 30, 2023

Share This Post

Introduction to Windows LAPS and Azure AD

In the dynamic realm of IT security and management, ensuring the protection of sensitive information is of utmost importance. Among the vital aspects of this endeavor is the secure handling of administrator passwords. This is precisely where Windows Local Administrator Password Solution (LAPS) steps in as a potent tool, streamlining the management of local administrator passwords on Windows devices.

Traditionally, the use of static and uniform administrator passwords has posed a significant security risk. In cases where these passwords are leaked or compromised, the potential for unauthorized access to computers arises. Windows LAPS introduces a paradigm shift by generating, managing, and resetting local administrator passwords for each device, thus significantly mitigating the risk associated with a single compromised password jeopardizing the entire organization’s security.

Taking this security strategy further, integrating Windows LAPS with Azure Active Directory (Microsoft Entra ID) yields even greater advantages. By leveraging Azure AD as the central hub for storing and managing LAPS passwords, you harness the scalability, authentication strength, and advanced security features of the cloud. This integration facilitates consistent and seamless management of administrator passwords across the organization, irrespective of the geographical location of your Windows devices.

Integration Benefits: Integrating Windows LAPS with Azure AD brings forth an array of benefits that elevate your security and management efforts:

Centralized Management: With LAPS activated in Azure AD, password rotation management becomes centralized, streamlining the security management process for both on-premises and cloud-connected devices.
Remote Device Fortification: The prevalence of remote work emphasizes the need for secure devices beyond traditional office networks. LAPS plays a crucial role in safeguarding remote devices, curtailing the risk of unauthorized access.

Table of Contents

Prerequisites

Before embarking on this journey, ensure you have the following in place:

An Azure subscription – Your ticket to the cloud
Windows Server environment (for hosting LAPS) – Your password stronghold
Windows clients to manage – The subjects of password management
Administrative access to both Azure and on-premises environments – Your backstage pass to Azure and local zones

Azure roles required to enable Windows LAPS in Azure AD:

Global Administrator
Cloud Device Administrator
Global Reader
Directory Reader

Step-by-Step Activation: Windows LAPS for Azure AD (Microsoft Entra ID)

Let’s walk through the process of activating Windows LAPS for your Azure AD:

Here’s the roadmap to enable Windows LAPS in your Azure AD environment:

Log in to Azure Portal: Use your administrator credentials to access the Microsoft Azure portal.

Navigate to Azure Active Directory: Once logged in, navigate to the Azure Active Directory (AD) section.

Access the Devices: On the left-hand sidebar, click on “Devices.”

Device Settings: In the ensuing sub-menu, select “Device settings.”

Enable LAPS: Within the “Local administrator settings (preview)” section, find the option to “Enable Azure AD Local Administrator Password Solution (LAPS).” Opt for “Yes” to initiate LAPS.

Save Your Changes: After enabling LAPS, ensure you hit the “Save” button at the top of the screen.

Wait for Propagation: Give it time for the changes to disseminate to all Azure AD devices. The duration hinges on the number of devices within your organization.

LAPS Activation Complete: Once the changes have permeated, LAPS is ready for action across your Azure AD devices. Employ LAPS to proficiently manage local administrator passwords.

Configuring Windows LAPS Settings

Now that Windows LAPS is active, you can adjust its settings to suit your organization’s security needs.

Here’s how to set up Windows LAPS policies:

Access the Microsoft Intune Admin Center: Navigate to the Microsoft Intune admin center.
Create or Modify Policies: Within the Intune admin center, head to “Endpoint Security,” then “Account Protection.” You can either create a new policy or incorporate LAPS settings into an existing one.
Creating a Policy: To create a new policy, simply click on “Create policy.” For an existing policy, find it and proceed with editing.

Example Policy for Windows LAPS in Azure AD (Microsoft Entra ID)

Envision a snapshot of what a Windows LAPS policy could look like in your Azure AD environment 👇

By customizing these settings, you can boost your organization’s security while enjoying the automated convenience that Windows LAPS provides.

In Conclusion

By following this guide, you’ve successfully integrated Windows LAPS with Azure AD, bolstering your security efforts by effectively managing local administrator passwords across your Windows systems. Remember that security is an ongoing process, so stay vigilant and keep up with best practices to ensure your environment remains secure.

Remember, while this guide provides a comprehensive overview, always refer to the official Microsoft documentation for the latest updates and in-depth instructions : Get started with Windows LAPS and Azure Active Directory | Microsoft Learn

Want to learn more on how we work with IT-security? Follow this link

More To Explore

Windows 11

Windows 11 update: Windows Co-Pilot and CloudBackup

Introduction Microsoft confirmed in a blogpost that the upcoming Windows 11 update will be labeled 22H2 instead of the anticipated 23H2 update. As the latest

September 25, 2023

Identity & Security

Optimizing Administrator Accounts and Licensing for Data Security and Cost Efficiency

Balancing Administrator Accounts and Licensing IT managers worldwide face daily challenges in streamlining their infrastructure while maintaining high security. One of the areas where these

September 19, 2023

Cloud Transformation

Create and Manage Azure VM Images for Efficient Cloud Infrastructure

In this blog post, we will delve into virtual machine images in Azure and how they can be used to streamline and automate the management

September 14, 2023