Windows LAPS (Local Administrator Password Solution) is an easy-to-use solution provided by Microsoft to manage the local administrator account on Windows devices. If your organization's devices are enrolled in Microsoft Intune and Azure AD, you can use my step-by-step guide on How To Implement Windows LAPS Using Intune.
You can back up the managed local administrator account password to either Azure Active Directory or on-premises Active Directory. The password is stored with the device object.
In a troubleshooting scenario, you or a member of the helpdesk may need the password of the local administrator account. There are different ways to view it.
You can use the Microsoft Intune admin center or the Microsoft Entra portal to view the password, or you can use PowerShell cmdlets to view the local admin account password for any device.
In this blog post, I will only show you how to retrieve the managed local admin account password using PowerShell. If you want to know about the different GUI options for retrieving the local admin password, click on the following link and follow the given steps: how to retrieve laps managed local admin password, and refer to the “How to retrieve LAPS managed Local admin Password” section.
Create Azure AD app registration
The first step is to create an application in Azure AD which we will use to access and read the managed local admin account password stored in Azure AD. You will need to grant this Azure AD app permissions so that it can read the device object details.
You will need to grant this app the following permissions:
- Device.Read.All
- Either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All
If you want to retrieve the password, you need the DeviceLocalCredential.Read.All permission. Granting only DeviceLocalCredential.ReadBasic.All to the app will not let you see the password.
With the DeviceLocalCredential.ReadBasic.All permission, you can only check metadata such as when the password was backed up to Azure AD and when it expires.
- Log in to the Microsoft Azure portal
- Search for Azure Active Directory and find App registrations under Manage
- Click on + New registration
- Provide the name of the app as WindowsLAPS_app (you can use any other app name you like)
- Click on Register
Assign permissions to Azure AD App
Once the app is registered, we need to grant it permissions to read device details along with password information. To grant the necessary permissions, follow the steps below:
- Open the Azure AD app WindowsLAPS_app.
- Go to API Permissions under Manage.
- Then click on + Add a permission.
- Under Microsoft APIs > Click on Microsoft Graph
- Under Application permissions, search for Device.Read.All and select this permission.
- Then perform another search for either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All and select that one as well. I have selected DeviceLocalCredential.Read.All as I am interested in viewing the password of the local admin user account along with other basic device information.
- Make sure you Grant admin consent for the API permissions assigned to this app. The status shows a green check mark once admin consent is granted.
- Open the App WindowsLAPS_app and then click on Authentication under Manage.
- Click on + Add a platform and then Add Mobile and desktop applications.
- Add Custom redirect URIs as http://localhost and select the checkbox for “https://login.microsoftonline.com/common/oauth2/nativeclient” and click on Configure.
- Under Advanced settings, enable the setting Allow public client flows and then click on the Save button.
Retrieve local admin password of the device from Azure AD
We first need to connect to Microsoft Graph using the application registration we created in the previous step. Let’s check the steps.
Install Microsoft Graph module
The first step is to install the Microsoft Graph module. If this module already exists on your device, you can skip this step:
Install the Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope AllUsers
Connect to Microsoft Graph
We will be using the Connect-MgGraph PowerShell cmdlet. Before running this command, you need to have your tenant ID and client ID ready. Replace your organization’s tenant ID and client ID in the Connect-MgGraph command shown in the following section.
- To find the Client ID, click on the app, go to the Overview tab and copy the Application (client) ID.
- To find the Tenant ID, log in to the Azure portal and search for Azure Active Directory. On the Overview tab you can find the Tenant ID. Copy it and paste it into Notepad.
Connect-MgGraph
Connect-MgGraph -Environment Global -TenantId 97659d97-8dab-4122-80bd-caadf41b64d7 -ClientId baa1ea7d-9388-43d5-b28f-024ca2bde5fc
- You will get a pop-up asking for your sign-in information to connect, and you may also see the screen below asking you to accept the requested permissions. Select the check box “Consent on behalf of your organization” and then click on Accept to proceed.
Connected to Microsoft Graph successfully.
Use Get-LapsAADPassword to retrieve the local admin user password
You can use the Get-LapsAADPassword cmdlet to retrieve the local admin account password. Provide the name of the device in the DeviceIds parameter; you can find it in the Microsoft Intune admin center.
Get-LapsAADPassword
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW
Using the Get-LapsAADPassword cmdlet with no parameters other than DeviceIds only returns basic information about the device. If you want the password of the managed local admin account, you need two more parameters: -IncludePasswords and -AsPlainText.
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW -IncludePasswords -AsPlainText
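The following script is an added example, not code from the original post. It wraps the connection and retrieval steps above into a small report over several devices: it connects with the app registration, pulls the password metadata that DeviceLocalCredential.ReadBasic.All already allows (last backup and expiry), and only requests the password itself, as a SecureString, when asked to. The tenant ID, client ID and device names are placeholders, and the function names Get-LapsPasswordReport and ConvertFrom-LapsSecureString are my own; the script assumes the Microsoft.Graph module and the built-in Windows LAPS PowerShell module are available.

```powershell
# Added example (not code from the original post): connect to Microsoft Graph with
# the app registration described above and report LAPS password metadata for a
# list of devices. Tenant ID, client ID and device names below are placeholders.
$TenantId    = '<your-tenant-id>'
$ClientId    = '<your-client-id>'
$DeviceNames = @('CONTOSO-PC01', 'CONTOSO-PC02')   # constructed sample device names

# Scopes requested for the interactive sign-in. If the app only holds
# DeviceLocalCredential.ReadBasic.All, the -IncludePasswords call below is
# rejected; the warning is logged and the metadata row is still returned.
Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId `
    -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

function Get-LapsPasswordReport {
    param(
        [Parameter(Mandatory)] [string[]] $DeviceNames,
        [switch] $IncludePassword
    )
    foreach ($name in $DeviceNames) {
        try {
            # Metadata only: works with ReadBasic.All as well as Read.All
            $meta = Get-LapsAADPassword -DeviceIds $name -ErrorAction Stop
            $row = [pscustomobject]@{
                DeviceName = $meta.DeviceName
                Account    = $meta.Account
                LastBackup = $meta.PasswordUpdateTime
                Expires    = $meta.PasswordExpirationTime
                Expired    = ($meta.PasswordExpirationTime -lt (Get-Date))
                Password   = $null   # SecureString when -IncludePassword is used
            }
            if ($IncludePassword) {
                try {
                    # Without -AsPlainText the Password property is a SecureString, so
                    # the clear text never lands in the console or a transcript by accident
                    $full = Get-LapsAADPassword -DeviceIds $name -IncludePasswords -ErrorAction Stop
                    $row.Password = $full.Password
                }
                catch {
                    Write-Warning "$name : password not returned ($($_.Exception.Message))"
                }
            }
            $row
        }
        catch {
            Write-Warning "$name : $($_.Exception.Message)"
        }
    }
}

# Convert a SecureString to clear text only at the point of use
function ConvertFrom-LapsSecureString {
    param([Parameter(Mandatory)] [securestring] $Secure)
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

$report = Get-LapsPasswordReport -DeviceNames $DeviceNames -IncludePassword
$report | Select-Object DeviceName, Account, LastBackup, Expires, Expired | Format-Table -AutoSize

# Decode a single password at the point of use, e.g. to hand it to a helpdesk session
$first = $report | Where-Object { $_.Password } | Select-Object -First 1
if ($first) { $clear = ConvertFrom-LapsSecureString -Secure $first.Password }
```

The Expired column is the check a helpdesk operator wants before using a password: a value older than the expiry means the device has not backed up a fresh password, and the stored one may no longer match the account. Keeping the password as a SecureString until the moment it is needed also keeps it out of PowerShell transcripts and shared screens.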
How to reset LAPS managed local admin password
You can reset the LAPS-managed local admin password using PowerShell with the Reset-LapsPassword cmdlet. Log on to the device, connect to Microsoft Graph, and use this cmdlet to reset the managed local admin password.
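As an added example, not code from the original post, the function below combines the reset and retrieval cmdlets into a post-use rotation: after a helpdesk session on the device, it rotates the password with Reset-LapsPassword and then confirms via Get-LapsAADPassword that a new backup has reached Azure AD. It runs in an elevated session on the device itself, assumes a Connect-MgGraph session is already established as shown above, and the function name Invoke-LapsPostUseRotation and the two-minute polling window are my own choices.

```powershell
# Added example (not code from the original post): rotate the managed local admin
# password on this device and verify the new password was backed up to Azure AD.
# Run elevated on the device, with an existing Connect-MgGraph session.
function Invoke-LapsPostUseRotation {
    param([string] $DeviceName = $env:COMPUTERNAME)

    # Timestamp of the backup currently stored on the Azure AD device object
    $before = (Get-LapsAADPassword -DeviceIds $DeviceName -ErrorAction Stop).PasswordUpdateTime

    # Rotate immediately; Windows LAPS writes the new password to the configured backup directory
    Reset-LapsPassword -ErrorAction Stop

    # The upload is not instantaneous, so poll for a newer backup timestamp (2 minute window is an assumption)
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 10
        $after = (Get-LapsAADPassword -DeviceIds $DeviceName -ErrorAction Stop).PasswordUpdateTime
    } while ($after -le $before -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        DeviceName       = $DeviceName
        PreviousBackupAt = $before
        NewBackupAt      = $after
        Rotated          = ($after -gt $before)
    }
}

Invoke-LapsPostUseRotation
```

A Rotated value of $false after the polling window means the password was changed locally but the backup has not yet been confirmed in Azure AD; the previously retrieved password is then already invalid on the device, so treat the device as needing a follow-up check rather than reusing the old password.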
Conclusion
In this blog post, we have seen how to manage the Windows LAPS local admin account using PowerShell. You can retrieve the managed local admin account password remotely by connecting to Microsoft Graph instead of logging in to the Microsoft Intune admin center or the Microsoft Entra portal.