Laps Azure Ad Intune Management with Microsoft Entra

Laps Azure Ad Intune Management with Microsoft Entra is a game-changer for businesses looking to streamline their device management.

Microsoft Entra, formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management solution that integrates seamlessly with Intune. This integration allows for centralized management of users, groups, and devices.

With Microsoft Entra, you can manage access to corporate resources and applications, while also ensuring that all devices are compliant with company policies. This includes managing conditional access, multi-factor authentication, and more.

By leveraging the power of Microsoft Entra, you can simplify your device management and reduce the complexity of managing multiple devices.

To get started with Azure AD Intune, you'll need to have an Azure AD tenant set up, which can be done by signing up for a free trial or purchasing a subscription.

First, create an Intune account by going to the Azure portal and searching for Intune. Once you've created your account, you'll be able to access the Intune dashboard, where you can start managing your devices.

The Intune dashboard is where you'll find all the tools you need to manage your devices, including the ability to enroll devices, manage apps, and monitor device health.

To enroll a device, go to the Intune dashboard and click on "Devices" and then "Enroll device". You can then choose the type of device you want to enroll, such as a Windows or iOS device.

Before you can manage devices, you'll need to configure your Azure AD tenant to work with Intune, which involves setting up conditional access policies and device compliance policies.

Conditional access policies allow you to control access to company resources based on the device's security settings, while device compliance policies allow you to enforce certain security settings on devices that are enrolled in Intune.

To create a LAPS configuration profile, you'll need to click "Create Policy" in the Endpoint Protection Policy for Azure AD LAPS. This will create a new profile that you can customize with your settings.

Select Windows LAPS from the drop-down list and click "Create" to start defining your configuration settings. Use the following settings as a starting point: Administrator Account Name, Password Complexity, Password Length, Post Authentication Actions, and Post Authentication Reset Delay.

Here are some recommended settings to get you started:

• Administrator Account Name: Use the default admin SID, regardless of the account's name.

• Password Complexity: Require large letters, small letters, numbers, and special characters.

• Password Length: Set the password length to 14 characters.

• Post Authentication Actions: Reset the password and log off the managed account.

• Post Authentication Reset Delay: Set the delay to 24 hours.

You can customize these settings to fit your organization's needs, but these are a good starting point.

In the preview, Microsoft enabled several important capabilities that make configuration a breeze.

You can now turn on Windows LAPS using tenant- and client-side policies to back up the local administrator password to Azure AD.

Client-side policies can be configured via the Microsoft Intune portal for local administrator password management, allowing you to set account name, password age, length, complexity, and manual password reset.

Stored passwords can be recovered via the Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PSH.

You can also enumerate all LAPS-enabled devices via the Microsoft Entra portal or Microsoft Graph API/PSH.

Custom roles and administrative units can be created for Azure AD role-based access control (RBAC) policies to authorize password recovery.

Audit logs can be viewed via the Microsoft Entra portal or Microsoft Graph API/PSH to monitor password update and retrieval events.

Conditional Access policies can be configured on directory roles that have the authorization of password recovery.

To configure Windows LAPS, you'll need to create a configuration profile. This profile will contain all the settings for Azure AD LAPS to apply to your devices. Click Create Policy to create a new Endpoint Protection Policy for Azure AD LAPS, then select Windows LAPS from the drop-down list and click Create.

You'll need to define your Azure AD LAPS configuration settings. Use the recommended settings for Administrator Account Name, Password Complexity, Password Length, Post Authentication Actions, and Post Authentication Reset Delay. For example, use the default admin SID, large letters + small letters + numbers + special characters for Password Complexity, and 14 characters for Password Length.

To configure LAPS policy in Intune, create a new profile and select Windows 10 and later – Local admin password solution (Windows LAPS). This will allow you to manage local administrator passwords across all devices in your organization.

You can also configure LAPS policy through Microsoft Endpoint Manager Policy CSP. This feature allows administrators to configure LAPS settings on Windows devices using Endpoint Manager policies. This provides a centralized way to manage local administrator passwords.

Here's a summary of the recommended settings:

To configure Windows LAPS, you'll need to meet the licensing requirements.

To support Windows LAPS, you'll need a Microsoft Intune plan 1 subscription, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.

You'll also need an Active Directory subscription, specifically Azure Active Directory free, which is included when you subscribe to Intune.

The password requirements for Windows LAPS include password complexity, which should include large and small letters, numbers, and special characters.

The password length should be indicated, and you can configure post authentication actions to show the authentication action.

Additionally, you can configure the past authentication reset delay to establish whether the authentication reset delay is configured or not.

Here are the licensing requirements summarized:

To set up Windows LAPS in your tenant, you'll need to meet the requirements outlined by Microsoft. The licensing requirements include an Intune subscription, specifically Microsoft Intune plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.

To be more specific, you'll need to have an Intune subscription and an Active Directory subscription. Azure Active Directory free is the free version of Azure AD that's included when you subscribe to Intune, and with it, you can use all the features of LAPS.

Here are the specific licensing requirements for Windows LAPS:

I'm excited to share with you what you need to know about setting up and meeting the requirements for this project.

The first step is to ensure you have a reliable internet connection, as this will be the backbone of your setup.

In terms of hardware, you'll need a computer or laptop that meets the minimum system requirements, which include at least 8GB of RAM and a dual-core processor.

This system will allow you to run the necessary software applications smoothly.

Additionally, you'll need a compatible operating system, such as Windows 10 or macOS High Sierra, to ensure seamless integration with the software.

Make sure your computer or laptop is up to date with the latest security patches and software updates to prevent any potential issues.

It's also essential to have a stable and secure connection to the internet, as this will be used for communication and data transfer.

Regular backups of your data will also be crucial to prevent any data loss in case of a system failure or other unexpected events.

To check if Azure AD LAPS is successful, you can verify the policy deployment from the Intune portal.

You don't need to reboot your devices, as the policy will apply the next time it runs.

From the Endpoint security section, select Account protection, then your LAPS policy, and click View Report to see the policy report window.

To view and rotate the Azure AD LAPS password, you can quickly and easily do so through the Azure AD portal or the Intune portal.

You can also perform on-demand password rotation via the Microsoft Intune portal or directly locally on the client via the Reset-LapsPassword PowerShell cmdlet, which requires local admin rights.

To leverage the Intune device action framework, select a supported device and choose the option to Rotate local admin password, which will trigger a device action and update the rotation timestamp.

This capability is controlled by the Remote tasks > Rotate local admin password permission found through Intune tenant administration.

The Rotate local admin password option is available for devices that have Windows LAPS policies targeted to them and have the backup directory set to Active Directory or Azure AD.