Windows Cloud LAPS for Servers

Introduction

Managing local administrator passwords on Windows endpoints has long been a pain point for IT and security teams. Before a centralised solution existed, many organisations set the same local admin password on every device — a practice that creates enormous lateral movement risk if any single credential is compromised.

Windows LAPS (Local Administrator Password Solution) solves this by automatically rotating and storing unique, per-device local administrator passwords. The cloud-backed variant, Windows Cloud LAPS, stores those passwords in Microsoft Entra ID instead of on-premises Active Directory — making it ideal for modern, cloud-first or hybrid environments.

Licensing & Platform Requirements

  • Windows Server 2019 or later
  • Microsoft Entra ID P1 or P2 (included in Microsoft 365 Business Premium, E3, E5)
  • Devices must be Entra-joined or Hybrid Entra-joined

Required Entra ID Settings

Before deploying policy, you must enable LAPS at the tenant level in Entra ID:

  1. Sign in to the Microsoft Entra admin centre (entra.microsoft.com).
  2. Navigate to: Identity → Devices → Device settings.
  3. Locate the setting “Enable Microsoft Entra Local Administrator Password Solution (LAPS)” and set it to Yes.
  4. Click Save.

Hybrid Join the Device

You need to enable Hybrid Join in order to upload the LAPS credentials to Entra ID.

Go to your Entra Connect server and sync the server(s) on which you want to deploy LAPS.

Then run:

dsregcmd /join

Check with:

dsregcmd /status

Confirm that the server is onboarded.

Group Policy

Now that the server is hybrid joined, we can create a Group Policy.

1. You can use the settings from: https://rockit1.nl/windows-laps/

2. Just make sure you use: Backup Directory → Microsoft Entra ID

3. Run: gpupdate /force on the server.

4. To view Windows LAPS events, go to: Applications and Services Logs > Microsoft > Windows > LAPS > Operational in Event Viewer.

5. Then go to Entra ID and check if your password is synced.
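To verify steps 3 to 5 from one console, here is an added PowerShell check that is not part of the original post. It assumes the LAPS and Microsoft.Graph PowerShell modules are installed on the server, that the LAPS policy is read from HKLM:\SOFTWARE\Microsoft\Policies\LAPS with BackupDirectory value 1 meaning Microsoft Entra ID, and that the account used for Connect-MgGraph holds a role that can read LAPS metadata.

```powershell
# Added post-deployment check (not part of the original post). Assumes the LAPS
# and Microsoft.Graph PowerShell modules are installed and that the signed-in
# Graph account may read LAPS metadata (DeviceLocalCredential.ReadBasic.All).

# 1. Parse "Key : Value" lines from dsregcmd /status into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}
$joinOk = ($status['DomainJoined'] -eq 'YES') -and ($status['AzureAdJoined'] -eq 'YES')
"Hybrid joined   : $joinOk (DeviceId = $($status['DeviceId']))"
if (-not $joinOk) { throw 'Not hybrid joined; run dsregcmd /join and check the Entra Connect sync.' }

# 2. Confirm the GPO landed: BackupDirectory 1 = Microsoft Entra ID (0 = disabled, 2 = AD).
#    Registry path and values are assumed from Microsoft's LAPS policy documentation.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction Stop
"BackupDirectory : $($policy.BackupDirectory)"
if ($policy.BackupDirectory -ne 1) { throw 'LAPS policy does not back up to Entra ID; re-check the GPO.' }

# 3. Show the latest LAPS operational events (same log as the Event Viewer path above).
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 4. Ask Entra ID for the backed-up credential metadata; no password is requested.
Connect-MgGraph -Scopes 'DeviceLocalCredential.ReadBasic.All' -NoWelcome
$laps = Get-LapsAADPassword -DeviceIds $status['DeviceId']
if ($null -eq $laps) { throw 'No LAPS credential stored in Entra ID for this device yet.' }
$laps | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime
```

If step 4 returns nothing shortly after gpupdate, wait for the next LAPS policy processing cycle and re-run; the operational log in step 3 shows whether the backup to Entra ID succeeded or failed.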

Now that we have hybrid joined the machine, you do not want this machine to be visible to everyone. For example, you do not want the Helpdesk to see the local administrator password of a Tier 0 machine.

The roles below can view the passwords. Cloud Device Administrator and Intune Administrator can also view metadata such as:

  • Device name — which device the credential belongs to
  • Account name — the local admin account the password is for
  • Last password rotation date — when the password was last changed
  • Password expiry date — when it is scheduled to rotate next
  • Backup timestamp — when it was last backed up to Entra ID

  Role                         See Metadata   See Password   RBAC
  Cloud Device Administrator   ✅ Yes          ✅ Yes          Administrative Units
  Intune Administrator         ✅ Yes          ✅ Yes          Intune RBAC
  Helpdesk Administrator       ❌ No           ✅ Yes          Administrative Units
  Security Administrator       ❌ No           ✅ Yes          Microsoft Defender XDR Unified RBAC
  Security Reader              ❌ No           ✅ Yes          Microsoft Defender XDR Unified RBAC

When designing a least-privilege model, you should create an Administrative Unit. If you have onboarded the device with MDE and enabled the MDE management experience, you also need to configure Microsoft Defender XDR Unified RBAC and Intune RBAC roles. For this blog post, I will only focus on the Administrative Unit.

Identity and Access Management

Below we create a Privileged Access Workflow based on least privilege.

Custom Entra Role

The Entra ID built-in roles that include deviceLocalCredentials/password/read (such as Helpdesk Administrator) cannot be scoped to an Administrative Unit for LAPS specifically, so we need to create a custom role for this.

  1. Go to: http://entra.microsoft.com → Roles & admins
  2. Create custom role
  3. Add deviceLocalCredentials/password/read (“Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password”)
  4. Assign to a user tier0.infra.administrator as Eligible.

Administrative Unit

  1. Go to: http://entra.microsoft.com → Roles & admins → Admin Units
  2. Create 2 Administrative Units, for example tier0 and tier1
  3. Toggle “Secure this Administrative Unit”:

     • AU.Tier0
     • AU.Tier1

  4. Add the following roles as Eligible:

     • Tier0.Entra.Laps

  5. Add the hybrid joined device.
  6. Add the users who are allowed to see the password.

Monitoring & Auditing

All LAPS password retrievals are logged in the Entra ID audit log under the activity name “Read device local credentials password.” You should configure alerts for:

  • High-frequency password retrievals from a single administrator account.
  • Retrievals from devices in sensitive segments (e.g., domain controllers, PAWs).
  • Bulk retrievals suggesting credential harvesting.

The query below can be used to achieve this. Two parts of it deserve explanation first:

The filter

| where TotalRetrievals > 5 or UniqueDevices > 3

This is the gate. A row only passes through if either condition is true, so it fires if one person pulled 6 passwords in 30 minutes, or if passwords were pulled from 4 different devices even when the total count looks low. The or means either condition alone is enough.

The alert classification

This works like an if/else chain: it evaluates top to bottom and stops at the first match. The order is intentional: the most severe scenario wins the label.

| extend AlertReason = case(
    UniqueDevices > 10,  "Potential credential harvesting - high device count",
    UniqueActors > 3,    "Multiple actors retrieving passwords simultaneously",
    TotalRetrievals > 5, "Unusual retrieval volume",
    UniqueDevices > 3,   "Elevated unique device count",
    "Threshold exceeded"
)

Use this query in Microsoft Sentinel, but tune the time window, the retrieval threshold and the unique-device threshold to your environment.

AuditLogs
| where TimeGenerated > ago(30m)
| where OperationName == "Read device local credentials password"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend DeviceName = tostring(TargetResources[0].displayName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| summarize
    TotalRetrievals = count(),
    UniqueActors = dcount(Actor),
    UniqueDevices = dcount(DeviceName),
    ActorList = make_set(Actor),
    DeviceList = make_set(DeviceName)
    by bin(TimeGenerated, 30m)
| where TotalRetrievals > 5
    or UniqueDevices > 3
| extend AlertReason = case(
    UniqueDevices > 10,  "Potential credential harvesting - high device count",
    UniqueActors > 3,    "Multiple actors retrieving passwords simultaneously",
    TotalRetrievals > 5, "Unusual retrieval volume",
    UniqueDevices > 3,   "Elevated unique device count",
    "Threshold exceeded"
)
| project TimeGenerated, TotalRetrievals, UniqueActors, UniqueDevices, ActorList, DeviceList, AlertReason
| order by TotalRetrievals desc

Conclusion

Windows Cloud LAPS is one of the highest-value, lowest-friction security controls you can deploy in a modern Windows environment. It eliminates shared local admin passwords, provides auditable credential access, and integrates natively with your existing Intune and Entra ID infrastructure.
