Local Administrator Password Solution (LAPS) with Entra ID

If you’ve been migrating your Windows endpoint environment to the cloud using Microsoft Intune and Entra ID, it may be time to evaluate Microsoft Entra Local Administrator Password Solution (LAPS).

You may already be using legacy LAPS with on-premises Active Directory, or you may be managing local administrator passwords through custom PowerShell scripts or other mechanisms. Entra ID–based LAPS provides a more secure, centralized, and native approach for managing local administrator credentials in modern cloud-managed environments.

In this post, we’ll walk through how to enable and configure LAPS using Microsoft Entra ID and Intune.

Enable Microsoft Entra Local Administrator Password Solution (LAPS)

The first step is enabling LAPS within Entra ID. This step does not deploy or enforce a LAPS policy on devices; it only allows devices to securely store their local administrator passwords in Entra ID. Navigate to the Microsoft Entra admin center: https://entra.microsoft.com

  1. From the left navigation menu, select Devices

  2. Select Device settings

  3. Scroll down and enable Microsoft Entra Local Administrator Password Solution (LAPS)

Once enabled, devices will be permitted to back up their local administrator passwords to Entra ID when a LAPS policy is applied.

Decide on an Administrator Account Strategy

Before creating your LAPS policy, you’ll need to decide which local administrator account you want LAPS to manage.

You have two options:

  • Use the built-in local Administrator account

  • Create and manage a custom local administrator account

The LAPS configuration profile can automatically create and manage a local administrator account, but this functionality requires Windows 11 24H2 or later.

If you still have devices running Windows 11 23H2 or earlier, I recommend disabling the built-in Administrator account and deploying a platform script through Intune to create and enable a dedicated local administrator account.

If all devices are running Windows 11 24H2 or later, you can skip this section and handle account creation directly within the LAPS policy.

Sample Script: Disable Built-In Administrator and Create a Custom Account

Below is the script I use to disable the built-in Administrator account (RID 500) and create a custom local administrator account. Update the $UserName value on the first line with your preferred username; it is deployed as an Intune platform script, which runs as SYSTEM.

I recommend avoiding obvious names such as Admin or Administrator; a non-obvious name gives password-spraying and lateral-movement tooling one less default to try. Treat this as a minor hardening step rather than a control: anyone with local access can still enumerate the Administrators group, so the real protection is the unique, rotated password that LAPS sets.

```powershell
$UserName = 'epguser'   # change to your preferred (non-obvious) account name

# Create the account if it doesn't exist, then add it to local Administrators.
# It is given a random throwaway password rather than no password at all, so it is
# never a blank-password local admin; LAPS replaces it once the policy applies.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    $initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    # -PasswordNeverExpires keeps the local maximum-password-age policy from
    # interfering with LAPS-driven rotation
    New-LocalUser -Name $UserName -Password $initialPassword -AccountNeverExpires -PasswordNeverExpires
    Add-LocalGroupMember -Group 'Administrators' -Member $UserName
}

# Disable the built-in local Administrator account (RID 500), located by SID rather
# than by name in case it has been renamed
try {
    $builtinAdmin = Get-LocalUser -ErrorAction Stop | Where-Object { $_.SID.Value -match '-500$' }
    if ($null -ne $builtinAdmin) {
        if ($builtinAdmin.Enabled) {
            Disable-LocalUser -Name $builtinAdmin.Name
            Write-Output "Disabled built-in Administrator account: $($builtinAdmin.Name)"
        } else {
            Write-Output "Built-in Administrator account already disabled: $($builtinAdmin.Name)"
        }
    } else {
        Write-Output "Built-in Administrator account (RID -500) not found."
    }
} catch {
    Write-Output "Failed to disable built-in Administrator account. Error: $($_.Exception.Message)"
}
```

Create the LAPS Configuration Policy in Intune

With the local administrator account strategy finalized, you can now create the LAPS configuration policy. Navigate to the Intune admin portal: https://intune.microsoft.com

  1. Select Endpoint Security

  2. Select Account Protection

  3. Select Create Policy

  4. Platform: Windows

  5. Profile: Local admin password solution (Windows LAPS)

  6. Select Create

Recommended Policy Settings

| Policy Setting | Recommended Value | Purpose |
|---|---|---|
| Backup Directory | Backup the password to Microsoft Entra ID only | Determines where the local administrator password is stored. |
| Password Age Days | 30 | Controls how long the password remains valid before automatic rotation. |
| Administrator Account Name | Your custom account name (e.g. epguser from the script above) | Determines the name of the local administrator account to manage. Use this setting only when the account already exists or is created through another method, such as a PowerShell script; left blank, LAPS manages the built-in Administrator account. |
| Password Complexity | Uppercase + lowercase + numbers + special characters | Defines the required character complexity for generated passwords. |
| Password Length | Not configured (default is 14) | Specifies the length of the local administrator password. |
| Post Authentication Actions | Reset password | Defines what happens after the managed local administrator account is successfully used. The action is enforced after the delay configured in Post Authentication Reset Delay. |
| Post Authentication Reset Delay | 24 (default) | Defines the grace period (in hours) before post-authentication actions are applied. |

Note: The settings below should only be used when applying this policy to Windows 11 version 24H2 devices. Earlier versions do not fully support these Windows LAPS automatic account management capabilities.

| Policy Setting | Recommended Value | Purpose |
|---|---|---|
| Automatic Account Management Enabled | Enabled | Allows Windows LAPS to automatically manage the specified local administrator account. |
| Automatic Account Management Target | Manage a new custom administrator account | Determines whether LAPS manages the built-in Administrator account or a custom account. |
| Automatic Account Management Randomize Name | Not configured | Controls whether the account name is randomized at each password rotation. |
| Automatic Account Management Enable Account | Enabled | Ensures the managed local administrator account is enabled. |
| Automatic Account Management Name or Prefix | Your custom account name | Specifies the account name, or the name prefix if randomization is enabled. |

Considerations

Deployment

As with any policy, it is important to perform thorough testing before deploying your LAPS configuration broadly. This should include assigning the policy to a set of test devices, using the managed local administrator account to access those devices, and validating that the password rotates as expected based on the configured policy settings. Proper testing helps ensure the policy behaves as intended and reduces the risk of unexpected access or administrative issues during deployment.
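A concrete way to run those checks, as an added example that is not part of the original post: the first function runs elevated on a test device that has the policy assigned and reports the account state, the effective policy and any LAPS errors; the second runs from an admin workstation with the Microsoft.Graph PowerShell SDK and confirms the tenant switch plus the rotation timestamps. The account name epguser, the registry key used for the CSP-delivered policy, the shape of the beta deviceRegistrationPolicy response and the one-hour event window are assumptions.

```powershell
# --- Device side: run elevated on a test device with the LAPS policy assigned ---
function Test-LapsManagedAccount {
    param([Parameter(Mandatory)][string]$AccountName)   # e.g. 'epguser' (assumed name)

    $r = [ordered]@{}
    $acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    $r.AccountExists  = ($null -ne $acct)
    $r.AccountEnabled = ($null -ne $acct -and $acct.Enabled)

    # Enumerate Administrators through ADSI; Get-LocalGroupMember can throw on
    # Entra-joined devices when the group holds unresolvable cloud SIDs.
    $members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    $r.IsLocalAdmin = ($members -contains $AccountName)

    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    $r.BuiltinAdminDisabled = ($null -ne $builtin -and -not $builtin.Enabled)

    # Effective policy delivered by the Intune LAPS CSP (assumption: this key path;
    # BackupDirectory 1 = Entra ID). Group Policy lands under a different key.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    $r.PolicyBackupDirectory = $pol.BackupDirectory
    $r.PolicyAccountName     = $pol.AdministratorAccountName

    # Force a policy pass now instead of waiting for the background cycle,
    # then collect any warnings/errors LAPS logged in the last hour.
    Invoke-LapsPolicyProcessing
    $r.RecentProblems = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]$r
}

# --- Tenant side: run from an admin workstation with the Microsoft.Graph SDK ---
function Get-LapsRotationEvidence {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Device.Read.All resolves the device; DeviceLocalCredential.Read.All is the
    # scope Get-LapsAADPassword uses; Policy.Read.All reads the registration policy.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All', 'Policy.Read.All' -NoWelcome

    # Confirm the tenant-level switch from the "Enable" section is on. The beta
    # deviceRegistrationPolicy resource exposes it as localAdminPassword.isEnabled
    # (assumption: beta response shape).
    $policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
    $tenantEnabled = [bool]$policy.localAdminPassword.isEnabled

    # Metadata only (no -IncludePasswords): enough to prove rotation without
    # pulling plaintext. PasswordUpdateTime must move forward after a rotation.
    $cred = Get-LapsAADPassword -DeviceIds $DeviceName |
        Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTimestamp

    [pscustomobject]@{ TenantLapsEnabled = $tenantEnabled; Credential = $cred }
}
```

Run Test-LapsManagedAccount -AccountName epguser on the device first; every boolean should be true and RecentProblems empty before you move on. To exercise the post-authentication rotation without waiting the full 24 hours, sign in with the retrieved password, then either run Reset-LapsPassword on the device or temporarily set Post Authentication Reset Delay to 1 in the test policy, and confirm with Get-LapsRotationEvidence that PasswordUpdateTime has advanced.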

Security

Now that local administrator passwords are stored in the cloud, access to them must be tightly controlled. In Entra ID, retrieval is gated by directory roles: Global Administrator, Cloud Device Administrator and Intune Administrator can read passwords, and a custom role built around the microsoft.directory/deviceLocalCredentials/password/read action can cover anyone else who genuinely needs it. Keep those roles to the smallest possible set of people, prefer just-in-time activation over standing assignment, and review the Entra audit log, where password retrievals are recorded.

In addition, protect those roles with Conditional Access: require multi-factor authentication (phishing-resistant methods for administrators) and, where practical, named locations or compliant devices for access to the Entra and Intune portals and Microsoft Graph. Keep Post Authentication Actions configured so that a retrieved password is rotated after use rather than living on in a ticket or a chat message.
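Two checks that follow from the above, as an added example rather than anything from the original post: the first lists every role definition that carries the LAPS password-read action and who it is actively assigned to, the second creates a minimal custom role that can read LAPS passwords and nothing else and assigns it to one group. It needs the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.Governance modules; the role name "LAPS Password Reader" and the group ID parameter are hypothetical.

```powershell
# Directory actions that gate LAPS credential access in Entra ID.
$LapsPasswordRead = 'microsoft.directory/deviceLocalCredentials/password/read'
$LapsMetadataRead = 'microsoft.directory/deviceLocalCredentials/standard/read'

function Get-LapsPasswordReaders {
    # Every role definition (built-in or custom) whose permissions include the
    # password-read action, with its active assignments. PIM-eligible assignments
    # are not active assignments and do not appear here.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.RolePermissions.AllowedResourceActions -contains $LapsPasswordRead } |
        ForEach-Object {
            $role = $_
            Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
                ForEach-Object {
                    [pscustomobject]@{
                        Role        = $role.DisplayName
                        PrincipalId = $_.PrincipalId
                        Scope       = $_.DirectoryScopeId   # '/' means the whole tenant
                    }
                }
        }
}

function New-LapsReaderRole {
    # Custom role limited to reading LAPS metadata and passwords, assigned to one
    # role-assignable group instead of handing out Cloud Device Administrator.
    param(
        [Parameter(Mandatory)][string]$GroupId,        # object ID of the helpdesk group (assumed)
        [string]$DisplayName = 'LAPS Password Reader'  # hypothetical role name
    )
    Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' -NoWelcome
    $role = New-MgRoleManagementDirectoryRoleDefinition -DisplayName $DisplayName `
        -Description 'Read Windows LAPS passwords backed up to Entra ID' -IsEnabled `
        -RolePermissions @(@{ allowedResourceActions = @($LapsMetadataRead, $LapsPasswordRead) })
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $GroupId -DirectoryScopeId '/'
    $role
}
```

Run Get-LapsPasswordReaders before and after the rollout; the list is your answer to "who can read these passwords" and anything beyond a handful of principals deserves a conversation. The group passed to New-LapsReaderRole must have been created as role-assignable, and the Conditional Access policy mentioned above should target that group as well as the built-in administrator roles.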
