Manage Windows LAPS using PowerShell

Windows LAPS (Local Administrator Password Solution) manages local administrator accounts on Windows devices. For a step-by-step deployment walkthrough, see the earlier post Implement LAPS with Intune: A Comprehensive Guide.

You can back up the password for the managed local administrator account to Entra ID or an on-premises Active Directory. The password will be stored with the device object.

There are three methods for retrieving the password of a managed local administrator account.

  • Using Intune admin center
  • Using Entra admin center
  • Using PowerShell

In this blog post, I’ll demonstrate how to retrieve the managed local admin user account password using PowerShell. For more retrieval methods, please refer to the blog post Implement LAPS with Intune: A Comprehensive Guide.

Step 1 – Create an App registration in Entra admin center

The initial step involves creating an application in Entra ID, which we will use to access and read the managed local admin account password stored in Entra ID. You must grant this Entra ID app permission to read the device object details.

You will need to grant the following permissions to this app:

  • Device.Read.All
  • Either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All.

To retrieve the password, you must grant the app the DeviceLocalCredential.Read.All permission. Granting only DeviceLocalCredential.ReadBasic.All will not allow you to view the password.

With the DeviceLocalCredential.ReadBasic.All permission, you can only check details such as when the password was backed up to Entra ID and its expiration time.

Let’s check the steps to create an app registration for Entra ID.

  • Sign in to the Entra admin center.
  • Navigate to Applications > App registrations.
  • Click on + New registration.
  • Provide the Name of the App as WindowsLAPS_app (you can provide any other app name as you like)
  • Click on Register.
Create Entra ID app registration

Step 2 – Assign permissions to the Entra App

After registering the app, the next step is to grant it the required permissions to read device details, including password information. To provide these permissions, please follow the steps below:

  • Open the Entra ID app WindowsLAPS_app.
  • Go to API Permissions under Manage.
  • Then click on + Add a permission.
Assign permissions to the Entra ID App
  • Under Microsoft APIs > Click on Microsoft Graph.
Assign permissions to Entra ID App
  • Under Application permissions, search for Device.Read.All and select this permission.
  • Next, search for DeviceLocalCredential.Read.All and select this permission.
Assign permissions to Entra ID App
  • Make sure to grant admin consent for the assigned API permissions to this app. The status should be displayed in green with a checkmark once admin consent has been granted.
Assign permissions to Entra ID App
  • Open the App WindowsLAPS_app and then click on Authentication under Manage.
  • Click on + Add a platform and then Add Mobile and Desktop applications.
Assign permissions to Entra ID App
  • Add Custom Redirect URIs as http://localhost. Select the checkbox for https://login.microsoftonline.com/common/oauth2/nativeclient, and click Configure.
Assign permissions to Entra ID App
  • Under Advanced settings, enable the setting Allow public client flows and click the Save button.
Assign permissions to Entra ID App

Step 3 – Retrieve the managed Local admin password

First, we must connect to Microsoft Graph using the application registration we created in the previous step. Let’s go through the necessary steps.

1. Install the Microsoft Graph PowerShell module

Install-Module Microsoft.Graph -Scope AllUsers

2. Connect to Microsoft Graph

We will utilize the Connect-MgGraph PowerShell cmdlet for this purpose. Before proceeding with the command, ensure you have your organization’s tenant ID and client ID information. Replace these details in the Connect-MgGraph command provided in the following section.

  • To find the Client ID information, click on the App, go to the Overview tab, and copy the Application (client) ID.
  • To find the Tenant ID information, log in to the Entra admin center > Identity > Overview. Copy it and paste it into a notepad.
Tenant ID Information from Entra ID

Connect-MgGraph

Connect-MgGraph -Environment Global -TenantId 97659d97-8dab-4122-80bd-caadf41b64d7 -ClientId baa1ea7d-9388-43d5-b28f-024ca2bde5fc
  • You will receive a pop-up asking you to provide your sign-in information to connect. You may also encounter the screen asking you to accept the requested permissions. Select the checkbox Consent on behalf of your organization, then click Accept to proceed.
Connect-MgGraph
  • Connected to Microsoft Graph successfully.
Connected to Microsoft Graph successfully

Step 4 – Use Get-LapsAADPassword

To retrieve the local admin user account password, use the Get-LapsAADPassword cmdlet. In the DeviceIds parameter, provide the device name, which you can find in the Intune admin center.

Get-LapsAADPassword

Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW
Use Get-LapsAADPassword

Using the Get-LapsAADPassword cmdlet without any parameters apart from DeviceIds will only provide basic information about the device. If you want to retrieve the managed local admin account password, you must include two more parameters: -IncludePasswords and -AsPlainText.

Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW -IncludePasswords -AsPlainText
Use Get-LapsAADPassword
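The following script pulls Steps 3 and 4 together into two reusable functions. It is an added example written for this post, not the blog's own script or Microsoft's code. It assumes the app registration from Steps 1 and 2 exists; the tenant ID and client ID are placeholders to replace with your own, the second device name is a constructed sample, and the Get-LapsBackupStatus function deliberately omits -IncludePasswords so it works with only DeviceLocalCredential.ReadBasic.All (useful for a quick audit of which devices have a current backup). Get-ManagedLocalAdminPassword keeps the password as a SecureString unless you explicitly ask for plain text.

```powershell
# Added example (not the blog's own script). Placeholders: replace the tenant
# and client IDs with the values copied from the Entra admin center.
#Requires -Modules LAPS, Microsoft.Graph.Authentication

$TenantId = '<your-tenant-id>'   # placeholder
$ClientId = '<your-client-id>'   # placeholder

# Interactive sign-in through the public-client app created in Steps 1 and 2.
Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId

function Get-LapsBackupStatus {
    # Reads only backup metadata (no password), which is all that
    # DeviceLocalCredential.ReadBasic.All permits. Without -IncludePasswords the
    # cmdlet returns DeviceName, DeviceId and PasswordExpirationTime only.
    param([Parameter(Mandatory)][string[]]$DeviceNames)

    foreach ($name in $DeviceNames) {
        try {
            $info = Get-LapsAADPassword -DeviceIds $name
            [pscustomobject]@{
                DeviceName = $info.DeviceName
                DeviceId   = $info.DeviceId
                Expires    = $info.PasswordExpirationTime
                Expired    = ($info.PasswordExpirationTime -lt (Get-Date))
                Error      = $null
            }
        }
        catch {
            # A device with no backup, or a mistyped name, should show up in the
            # audit output rather than be silently skipped.
            [pscustomobject]@{
                DeviceName = $name
                DeviceId   = $null
                Expires    = $null
                Expired    = $null
                Error      = $_.Exception.Message
            }
        }
    }
}

function Get-ManagedLocalAdminPassword {
    # Requires DeviceLocalCredential.Read.All. The Password property is a
    # SecureString unless -AsPlainText is given; ask for plain text only when
    # you actually need to display or type the value.
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [switch]$AsPlainText
    )

    $cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText:$AsPlainText
    if ($cred.PasswordExpirationTime -lt (Get-Date)) {
        Write-Warning "Backup for $DeviceName is past its expiration time; the device rotates it at its next check-in."
    }
    $cred
}

# Usage. Device names are those shown in the Intune admin center; the second
# name is a constructed sample.
Get-LapsBackupStatus -DeviceNames 'JatinM-WIn10-NW', 'Finance-PC-02' | Format-Table -AutoSize

$secret = Get-ManagedLocalAdminPassword -DeviceName 'JatinM-WIn10-NW'
# $secret.Account is the managed local admin account; $secret.Password is a
# SecureString here. Add -AsPlainText to the call above to get the string.

Disconnect-MgGraph
```

Keeping the password as a SecureString by default means a transcript or console history does not capture it; the plain-text form is an explicit opt-in at the call site, matching the cmdlet's own -AsPlainText switch.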

How do you reset the managed local admin password?

To reset a LAPS-managed local admin password using PowerShell, you can log in to the device, connect to Microsoft Graph, and use the Reset-LapsPassword cmdlet.
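An added example of that reset, followed by a check that the new backup reached Entra ID. This is not the blog's own script; it assumes it is run in an elevated PowerShell session on the managed device itself and that the Microsoft Graph connection from Step 3 is already established.

```powershell
# Added example (not the blog's own script). Run in an elevated session on the
# managed device; Reset-LapsPassword is a local cmdlet from the built-in LAPS
# module and the Graph connection from Step 3 is assumed to exist.
#Requires -RunAsAdministrator
#Requires -Modules LAPS, Microsoft.Graph.Authentication

# Rotate the managed local admin password immediately and back the new one up.
# Typical trigger: the password was just handed out for a support session and
# should not remain valid afterwards.
Reset-LapsPassword

# Confirm from the directory side that the backup was refreshed: the expiration
# time should now be in the future.
$status = Get-LapsAADPassword -DeviceIds $env:COMPUTERNAME
if ($status.PasswordExpirationTime -gt (Get-Date)) {
    "Backup refreshed for $($status.DeviceName); new expiration: $($status.PasswordExpirationTime)"
}
else {
    Write-Warning "Backup not refreshed yet; run Get-LapsDiagnostics on the device to collect LAPS logs."
}
```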

Conclusion

In this blog post, we have explored how to manage the Windows LAPS local admin account using PowerShell. You can remotely retrieve the managed local admin user account password by connecting to Microsoft Graph, eliminating the need to log in to the Microsoft Intune admin center or Microsoft Entra portal.
