Windows LAPS (Local Administrator Password Solution) is an easy-to-use solution provided by Microsoft to manage the local administrator account on Windows devices. If your organization's devices are enrolled into Microsoft Intune and Azure AD, you can use my step-by-step guide on How To Implement Windows LAPS Using Intune.
You can back up the managed local administrator account password to either Azure Active Directory or on-prem Active Directory. The password is stored with the device object.
For any troubleshooting scenario, you or a member of the helpdesk may require the password of the local administrator account. There are different ways to view the local admin account password.
You can use the Microsoft Intune admin center or the Microsoft Entra portal to view the password, or you can use PowerShell cmdlets to view the local admin user account password for any device.
In this blog post, I will only show you how to retrieve the managed local admin user account password using PowerShell. If you want to know about the different options to retrieve the local admin password using the GUI, click on the following link and follow the given steps: how to retrieve laps managed local admin password, and refer to the “How to retrieve LAPS managed Local admin Password” section.
Create Azure AD app registration
The first step is to create an application in Azure AD, which we will use to access / read the managed local admin account password stored in Azure AD. You will need to grant permissions to this Azure AD app so that it can read the device object details.
You will need to grant the following permissions to this app:
If you want to retrieve the password, you will need the DeviceLocalCredential.Read.All permission. Granting only DeviceLocalCredential.ReadBasic.All to the app will not let you see the password.
With DeviceLocalCredential.ReadBasic.All, you can only check details such as when the password was backed up to Azure AD and the expiration time of the password.
- Log in to the Microsoft Azure portal
- Search for Azure Active Directory and find App registrations under Manage
- Click on + New registration
- Provide the Name of App as WindowsLAPS_app (you can provide any other app name as you like)
- Click on Register
Assign permissions to Azure AD App
Now that the app is registered, we need to grant it permissions to read device details along with the password information. To grant the necessary permissions, follow the steps below:
- Open the Azure AD app WindowsLAPS_app.
- Go to API Permissions under Manage.
- Then click on + Add a permission.
- Under Microsoft APIs > Click on Microsoft Graph
- Under Application permissions, search for Device.Read.All and select this permission.
- Then perform another search for either DeviceLocalCredential.ReadBasic.All or DeviceLocalCredential.Read.All and select one of them as well. I have selected DeviceLocalCredential.Read.All, as I am interested in viewing the password of the local admin user account along with other basic device information.
- Make sure you Grant admin consent for the assigned API permissions to this app. The status should show green with check mark once admin consent is granted.
- Open the App WindowsLAPS_app and then click on Authentication under Manage.
- Click on + Add a platform and then Add Mobile and desktop applications.
- Add Custom redirect URIs as http://localhost and select the checkbox for “https://login.microsoftonline.com/common/oauth2/nativeclient” and click on Configure.
- Under Advanced settings, enable the setting Allow public client flows and then click on the Save button.
Retrieve the local admin password of the device from Azure AD
We need to connect to Microsoft Graph first, using the application registration we created in the previous step. Let’s check the steps.
Install Microsoft Graph module
The first step is to install the Microsoft Graph module; if this module already exists on your device, you can skip this step:
Install Microsoft Graph Powershell module
Install-Module Microsoft.Graph -Scope AllUsers
Connect to Microsoft Graph
We will be using the Connect-MgGraph PowerShell cmdlet. However, before we use this command, you need to have the tenant ID and client ID information ready. Replace your organization’s tenant ID and client ID in the Connect-MgGraph command shown in the following section.
- To find the Client ID, click on the app, go to the Overview tab and copy the Application (client) ID.
- To find the Tenant ID, log in to the Azure portal and search for Azure Active Directory. On the Overview tab you can find the Tenant ID. Copy it and paste it in Notepad.
Connect-MgGraph -Environment Global -TenantId 97659d97-8dab-4122-80bd-caadf41b64d7 -ClientId baa1ea7d-9388-43d5-b28f-024ca2bde5fc
- You will get a pop-up asking for your sign-in information to connect, and you may also see the screen below asking you to accept the requested permissions. Select the check box “Consent on behalf of your organization” and then click on Accept to proceed.
Connected to Microsoft Graph successfully.
Use Get-LapsAADPassword to retrieve the local admin user password
You can use the Get-LapsAADPassword cmdlet to retrieve the local admin user account password. You need to provide the name of the device in the DeviceIds parameter, which you can find in the Microsoft Intune admin center.
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW
Using the Get-LapsAADPassword cmdlet with no parameters other than DeviceIds will only return basic information about the device. If you want to see the password of the managed local admin account, you need to add two more parameters:
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW -IncludePasswords -AsPlainText
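The following script is an added example and is not code from the original post. It wraps the Connect-MgGraph and Get-LapsAADPassword steps above into one function that reports the backup and expiry times for several devices, and only asks for the password when told to, so it degrades cleanly when the app registration holds just DeviceLocalCredential.ReadBasic.All. The tenant ID and client ID are placeholders, the function name Get-LapsPasswordReport is mine, and it assumes the Microsoft.Graph and LAPS PowerShell modules are installed (the output property names DeviceName, Account, Password, PasswordUpdateTime and PasswordExpirationTime are those of the Get-LapsAADPassword result object).

```powershell
# Added example, not code from the original post. Assumes the app registration
# created above; both GUIDs below are placeholders to replace with your own.
function Get-LapsPasswordReport {
    param(
        [Parameter(Mandatory)] [string[]] $DeviceNames,
        [string] $TenantId = '00000000-0000-0000-0000-000000000000',  # placeholder
        [string] $ClientId = '00000000-0000-0000-0000-000000000000',  # placeholder
        [switch] $ShowPassword   # needs DeviceLocalCredential.Read.All on the app
    )

    Import-Module LAPS -ErrorAction Stop
    Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId | Out-Null

    foreach ($name in $DeviceNames) {
        try {
            if ($ShowPassword) {
                # -IncludePasswords alone returns a SecureString; -AsPlainText unwraps it
                $entry = Get-LapsAADPassword -DeviceIds $name -IncludePasswords -AsPlainText -ErrorAction Stop
            } else {
                # With only DeviceLocalCredential.ReadBasic.All this is all you can read
                $entry = Get-LapsAADPassword -DeviceIds $name -ErrorAction Stop
            }
        } catch {
            # Typical causes: unknown device name, no LAPS backup yet, or the app
            # lacks DeviceLocalCredential.Read.All while -IncludePasswords was used
            Write-Warning "Lookup failed for '$name': $($_.Exception.Message)"
            continue
        }

        $shown = '(not requested)'
        if ($ShowPassword) {
            $shown = if ($entry.Password) { $entry.Password } else { '(not permitted)' }
        }

        # One row per device; Expired flags a backup that is past its rotation time
        [pscustomobject]@{
            Device   = $entry.DeviceName
            Account  = $entry.Account
            BackedUp = $entry.PasswordUpdateTime
            Expires  = $entry.PasswordExpirationTime
            Expired  = $entry.PasswordExpirationTime -lt (Get-Date)
            Password = $shown
        }
    }

    Disconnect-MgGraph | Out-Null
}

# Usage: device name from the post; drop -ShowPassword to get only the basic details
Get-LapsPasswordReport -DeviceNames 'JatinM-WIn10-NW' -ShowPassword | Format-List
```

Leaving -ShowPassword off is the form a helpdesk audit script should use day to day: it proves the backup is current without the password ever landing in a console transcript, and the Expired column is a quick way to spot devices whose password rotation has stalled.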
How to reset LAPS managed local admin password
You can reset the LAPS managed local admin password using PowerShell with the Reset-LapsPassword cmdlet. You can log in on the device, connect to Microsoft Graph and use this cmdlet to reset the managed local admin password.
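As an added example (not code from the original post), the script below runs Reset-LapsPassword on the device you are logged on to and then confirms through Get-LapsAADPassword that a fresh backup actually reached Azure AD, which is the check a practitioner wants before handing the new password to anyone. It assumes an elevated session on the device itself, that Connect-MgGraph has already been run as in the section above, and that the LAPS module is present; the two-minute polling window is my choice.

```powershell
# Added example, not code from the original post. Run elevated on the device
# after Connect-MgGraph; assumes the LAPS module is available.
Import-Module LAPS -ErrorAction Stop

$device = $env:COMPUTERNAME

# Record when the current backup was written so we can detect the new one
$before = (Get-LapsAADPassword -DeviceIds $device -ErrorAction SilentlyContinue).PasswordUpdateTime
if ($null -eq $before) { $before = [datetime]::MinValue }   # no backup stored yet

# Rotate the managed account password locally; LAPS then backs it up immediately
Reset-LapsPassword

# Poll Azure AD until the backup timestamp moves, giving up after two minutes
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $after = (Get-LapsAADPassword -DeviceIds $device -ErrorAction SilentlyContinue).PasswordUpdateTime
} while (($null -eq $after -or $after -le $before) -and (Get-Date) -lt $deadline)

if ($null -ne $after -and $after -gt $before) {
    "Password rotated and backed up to Azure AD at $after"
} else {
    # The local reset succeeded but the backup has not shown up; the LAPS
    # operational event log on the device explains why
    Write-Warning "New backup not observed in Azure AD within two minutes"
}
```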
In this blog post, we have seen how to manage the Windows LAPS local admin account using PowerShell. You can retrieve the managed local admin user account password remotely by connecting to Microsoft Graph instead of logging on to the Microsoft Intune admin center or the Microsoft Entra portal.