Azure LAPS with Windows AD and Intune is a powerful combination for securing devices.
Azure LAPS allows you to manage and secure devices that are not domain-joined, such as personal laptops or tablets.
This feature integrates with Windows AD and Intune to provide a seamless experience.
With Azure LAPS, you can enforce policies, configure settings, and deploy software to non-domain-joined devices.
Azure LAPS also enables you to monitor and report on device compliance, ensuring that your organization's security policies are being followed.
Azure LAPS Configuration
To configure Azure LAPS, you'll need to enable Windows LAPS for Azure AD in the Azure AD management portal. This involves setting Enable Azure AD Local Administrator Password Solution (LAPS) to Yes and saving the changes.
To create a LAPS configuration profile, click Create Policy and select Windows LAPS from the drop-down list. You'll then define your Azure AD LAPS configuration settings, such as the Administrator Account Name, Password Complexity, and Post Authentication Actions.
Some settings have default values, which are:
- Administrator Account Name: The default admin SID will be used, regardless of whether the account has been renamed.
- Password Complexity: Large letters + small letters + numbers + special characters
- Password Length: 14 characters
- Post Authentication Actions: Reset the password and log off the managed account
- Post Authentication Reset Delay: 24 hours.
You can also configure settings such as Backup Directory and Password Complexity to suit your organization's needs.
Windows AD Configuration
Windows AD Configuration is a crucial step in setting up Azure LAPS. You'll need to configure the Backup Directory setting to back up the Local Administrator password to Azure Active Directory or Active Directory.
To manage the Local Administrator account, you can specify the Administrator Account Name, but be aware that if you do so, the account must be created via other means. The password complexity and length can also be configured to meet your organization's needs.
The Post Authentication Actions setting allows you to specify what LAPS should do after a successful authentication, such as logging off the managed account and resetting the password. The Post Authentication Reset Delay setting determines how long it will wait before performing the specified action.
Here are the key settings to consider when configuring Windows AD:
Create Configuration Profile
After enabling LAPS for your tenant, you're ready to create a configuration profile that will contain all the settings for Azure AD LAPS to apply to your devices.
Click Create Policy to create a new Endpoint Protection Policy for Azure AD LAPS.
In the pop-out window, select Windows LAPS from the drop-down list and click Create.
You'll need to define your Azure AD LAPS configuration settings. For password complexity, you'll want to use a combination of large letters, small letters, numbers, and special characters.
The password length should be at least 14 characters.
For post-authentication actions, you can reset the password and log off the managed account.
A 24-hour delay is recommended for the post-authentication reset delay.
Here are the recommended settings in a quick reference format:
- Administrator Account Name: The default admin SID will be used.
- Password Complexity: Large letters + small letters + numbers + special characters
- Password Length: 14 characters
- Post Authentication Actions: Reset the password and log off the managed account
- Post Authentication Reset Delay: 24 hours
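As an added check that is not part of the original page, the following PowerShell reads the Windows LAPS policy values that Intune or Group Policy write to the registry and compares them with the default and recommended settings listed in both quick-reference lists above. The registry paths, their precedence order and the numeric encodings (for example PasswordComplexity 4 for all four character classes, PostAuthenticationActions 3 for reset-and-log-off) are assumptions based on the Windows LAPS policy definitions, not values stated on this page.

```powershell
# Added example (not from the page): compare the effective Windows LAPS policy on this
# device with the recommended settings. Paths and value encodings are assumptions taken
# from the Windows LAPS policy definitions; adjust if your documentation differs.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',                          # CSP (Intune) - takes precedence
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS',   # Group Policy
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'      # local configuration (fallback)
)

# Baseline from the quick-reference list above.
$Baseline = @{
    BackupDirectory              = 1    # 1 = back up to Azure AD (2 = on-prem AD, 0 = disabled)
    PasswordComplexity           = 4    # 4 = large + small letters + numbers + special characters
    PasswordLength               = 14   # minimum; a longer value is still compliant
    PostAuthenticationActions    = 3    # 3 = reset the password and log off the managed account
    PostAuthenticationResetDelay = 24   # hours
}

function Test-LapsPolicy {
    param([string[]]$Paths = $PolicyPaths, [hashtable]$Expected = $Baseline)

    # First existing path wins, mirroring LAPS precedence (CSP over GPO over local config).
    $Path = $Paths | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $Path) {
        # No policy at all: LAPS is unmanaged here, or the OS predates Windows LAPS.
        return [pscustomobject]@{ Setting = '<policy key>'; Expected = 'present'; Actual = 'missing'; Compliant = $false }
    }
    $Policy = Get-ItemProperty -Path $Path
    foreach ($Name in ($Expected.Keys | Sort-Object)) {
        $Prop  = $Policy.PSObject.Properties[$Name]
        $Value = if ($Prop) { [int]$Prop.Value } else { $null }
        $Ok    = if ($null -eq $Value) { $false }
                 elseif ($Name -eq 'PasswordLength') { $Value -ge $Expected[$Name] }
                 else { $Value -eq $Expected[$Name] }
        [pscustomobject]@{
            Source    = $Path
            Setting   = $Name
            Expected  = $Expected[$Name]
            Actual    = if ($null -eq $Value) { '<not set>' } else { $Value }
            Compliant = $Ok
        }
    }
}

$Report = Test-LapsPolicy
$Report | Format-Table -AutoSize
if ($Report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'LAPS policy deviates from the baseline; the requirements are all or nothing.'
}
```

Run it elevated on a managed device; a row with Actual = <not set> means the default applies, which is only acceptable where the default matches the baseline.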
Azure LAPS with Intune
Azure LAPS with Intune is a game-changer for securing your devices.
It's backed by the new Windows LAPS capabilities built directly into the Windows operating system, making it easy to deploy without additional client software.
However, it's only supported in the latest operating systems, so make sure you're current with Windows feature updates.
The requirements are all or nothing, so if you leave a hole the hacker will find it.
Fortunately, deployment is simplified using Microsoft Intune, and it's the recommended choice due to its simplicity and good reporting features.
You can also deploy it via group policies, manually through registry keys, or using Windows CSP settings in Intune, but Intune will always take precedence.
To view the LAPS password from the Intune Portal, select your device and go to Local Admin password > Show local admin password.
To rotate the password before the set expiration period, select the device and click Rotate local admin password.
LAPS will also block external attempts to change the password, including when you use the 'reset password' function in Azure for virtual machines.
This is a great security feature, and you can see the log in the Windows event log with Event ID: 10031.
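The event described above is worth collecting rather than just noticing. As an added example that is not from the original page, this PowerShell function pulls Event ID 10031 from the Windows LAPS operational log and returns one row per blocked external password change; the log name is the Windows LAPS channel, and the 7-day default window is an assumption.

```powershell
# Added example (not from the page): surface Windows LAPS events recording a blocked
# external attempt to change the managed local administrator password (Event ID 10031).
function Get-LapsBlockedPasswordChange {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),      # assumption: look back one week
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $Filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10031
        StartTime = $Since
    }
    try {
        $Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # Get-WinEvent errors both when nothing matched and when the log is absent
        # (an OS without Windows LAPS). Treat the first as healthy, the second as a finding.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw "Cannot read the LAPS log on $ComputerName (is Windows LAPS present?): $($_.Exception.Message)"
    }
    foreach ($Event in $Events) {
        [pscustomobject]@{
            Computer    = $Event.MachineName
            TimeCreated = $Event.TimeCreated
            EventId     = $Event.Id
            Summary     = ($Event.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

# Usage: an empty result is the healthy case; any row is an attempt LAPS refused.
Get-LapsBlockedPasswordChange | Sort-Object TimeCreated | Format-Table -AutoSize
```

Forwarding this channel to your SIEM lets you alert on 10031 across the fleet instead of checking devices one at a time.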
The Azure AD LAPS scenario is a powerful tool for securing your devices, and with the right deployment method, you can reap the security benefits.
Azure LAPS Security
Azure LAPS Security is a top priority for any organization considering cloud migration. Azure LAPS is a security feature that provides real-time threat intelligence and analytics to detect and prevent attacks.
It uses machine learning algorithms to analyze network traffic and identify potential threats. Azure LAPS can detect and block malicious traffic in real time, preventing attacks from reaching your applications.
Azure LAPS integrates with other Azure security services to provide comprehensive security coverage. This includes integration with Azure Sentinel for security information and event management (SIEM) and Azure Active Directory (Azure AD) for identity and access management.
Azure LAPS Identity
Azure LAPS uses Azure Active Directory (Azure AD) to store passwords in Microsoft Azure on Azure device objects. This allows for secure and centralized password management.
To create an Azure AD registered app to retrieve Windows LAPS passwords, you need to create a new application called IntuneLAPSadmin using PowerShell. This application requires the Device.Read.All permission and one of the following two permissions: DeviceLocalCredential.ReadBasic.All or DeviceLocalCredential.Read.All.
The DeviceLocalCredential.ReadBasic.All permission grants permissions for reading non-sensitive metadata about persisted Windows LAPS passwords, including the time the password was backed up to Azure and the expected expiration time of a password. This is appropriate for reporting and compliance applications.
The DeviceLocalCredential.Read.All permission grants full permissions for reading everything about persisted Windows LAPS passwords, including the clear-text passwords themselves. This permission level is sensitive and should be used carefully.
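The reporting use case above needs only the non-sensitive permission. As an added example that is not from the original page or from Microsoft, this PowerShell uses the Microsoft Graph PowerShell SDK to sign in with Device.Read.All and DeviceLocalCredential.ReadBasic.All, page through the LAPS backup metadata for every device, and flag devices whose backup is stale or whose expected expiration has passed. It assumes the SDK is installed, that the Graph property refreshDateTime is the "expected expiration time" the page mentions, and a 30-day staleness threshold.

```powershell
# Added example (not from the page): LAPS backup report using metadata-only permissions.
# Assumes the Microsoft Graph PowerShell SDK; the 30-day threshold is an assumption.
Import-Module Microsoft.Graph.Authentication

function Get-LapsBackupReport {
    param([int]$StaleAfterDays = 30)

    # Least privilege: ReadBasic.All returns backup metadata only, never the passwords.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All'

    $Uri = 'https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials'
    $Now = [datetime]::UtcNow
    while ($Uri) {
        $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($Entry in $Page.value) {
            $Backup  = ([datetime]$Entry.lastBackupDateTime).ToUniversalTime()
            $Refresh = ([datetime]$Entry.refreshDateTime).ToUniversalTime()   # assumed: expected expiration
            $AgeDays = ($Now - $Backup).TotalDays
            [pscustomobject]@{
                DeviceName      = $Entry.deviceName
                DeviceId        = $Entry.id
                LastBackupUtc   = $Backup
                ExpectedRefresh = $Refresh
                BackupAgeDays   = [math]::Round($AgeDays, 1)
                Stale           = $AgeDays -gt $StaleAfterDays   # no recent backup: rotation may be failing
                Overdue         = $Refresh -lt $Now              # expiration passed without a new backup
            }
        }
        $Uri = $Page.'@odata.nextLink'   # follow paging until the collection is exhausted
    }
}

$Report = Get-LapsBackupReport
$Report | Sort-Object BackupAgeDays -Descending | Format-Table -AutoSize
```

Devices with Stale or Overdue set to True are the ones to investigate; the report never touches DeviceLocalCredential.Read.All, so it can run from an ordinary reporting account.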
Here are the permission IDs for reference:
Azure LAPS Enablement
To enable Azure AD LAPS, you can do so from either the Microsoft Entra admin center or the Azure Active Directory portal.
You can enable Azure AD Local Administrator Password Solution (LAPS) by following these steps:
- Go to https://entra.microsoft.com – Devices – Overview – Device Settings – Enable Azure AD Local Administrator Password Solution (LAPS): Yes
- Or go to https://portal.azure.com – Azure Active Directory – Devices – Device Settings – Enable Azure AD Local Administrator Password Solution (LAPS): Yes
To support the implementation of Azure AD LAPS, you must first enable Windows LAPS for Azure AD in the Azure AD management portal.
To do this, log in to https://aad.portal.azure.com/, then select Azure Active Directory, and then Devices. Set Enable Azure AD Local Administrator Password Solution (LAPS) to Yes, then click Save.
This will set the IsEnabled field for the localadminpassword setting to True in Microsoft Graph.