Setup Prerequisites for Windows LAPS in Azure AD

By now you may have seen a lot of updates and posts on how to configure Windows LAPS in Azure AD. Credit goes to all the wonderful gurus out there who really contribute to the community in different ways.

My approach in this post is to prepare for the Windows LAPS in Azure AD so you can go from there. What licenses do you require? Permissions setup and etc.

Another step in minimizing the on-premises footprint, Windows LAPS has been introduced in Azure AD (in Public Preview at the time of writing) This is my take on how to use LAPS in Azure AD.

Some important notes before I jump into the configuration steps

What I will be covering?👇🏽

Prepare Licensing

Make sure you have the relevant license assigned. Windows LAPS in AAD is available starting from Azure AD free tier.

However, if you are using the below make sure you have the proper license assigned

  • Admin Units/ CA Policies —-> Azure AD Premium P1
  • Intune Policy creation and assignment —> Intune license

Prepare Permissions

Straight off the bat, you can use a few in-built RBAC permission types

I will be going by the least privileges required.

  • Enable LAPS in Azure AD (Entra) portal —> Cloud Device Administrator
  • Recovering local administrator password —> Cloud Device Administrator or Intune Service Administrator or Global Administrator
  • Roles are needed to recover LAPS passwords —> Global Administrator, Cloud Device Administrator, and Intune Administrator.
  • Roles are needed to read LAPS metadata —> Global Administrator, Cloud Device Administrator, Intune Administrator, Helpdesk Administrator, Security Reader, Security Administrator, and Global Reader.

Custom RBAC

You can set up custom RBAC if you want to make sure you provide only LAPS related access to the admins. Below settings are the permissions to choose

  • To read LAPS metadata:
  • To read LAPS passwords:

Note: During the preview, you must create a custom role and grant permissions using the Microsoft Graph API or PowerShell. Once you have created the custom role, you can assign it to users

Prepare Admin Units

While you can allow the RBAC admins to access Windows LAPS features, make sure you use Admin Units to scope your permissions in a more granular manner. In this way, you can scope it out so the right admin would get access to the set of devices that they can do the LAPS operations.

Enable Default Local Admin Account for AADJ Devices

This part is important if you are planning to set up Windows LAPS in Azure AD Joined devices. This will enable the Local Administrator’s default account on the device.

Go to the Intune Portal > Devices > Configuration > Policies > Create Policy >

Platform: Windows 10 and later
Profile Type: Settings Catalog

Add Device Administrators as additional local administrators on all Azure AD Joined devices – Optional

Click on the link Manage Additional local administrators on all Azure AD joined devices

And assign the policy to the devices that are AAD Joined.

Wrapping Up

I believe you have a good understanding of what needs to be done prior setting up Windows LAPS in Azure AD. Once these prereqs are done, you can go ahead and enable the feature in Azure AD and setup the Intune Account Protection policies to work with LAPS.


One thought on “Setup Prerequisites for Windows LAPS in Azure AD

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.