The Microsoft 365 Blog

Microsoft 365: Local Admin Password Solution

Dec 06, 2024

The problem that we are trying to solve is that of user access, and Microsoft 365 has the perfect solution. If you are more of a visual learner, you can watch my YouTube video on the topic right here!

Giving people Admin power over their computer is a pretty basic cybersecurity mistake, and one that could cost you dear. But fortunately, if you are a Microsoft 365 user, the LAPS feature could help you out. Let’s look at what Admin access means.


What is Admin Access?

When you log onto your computer, if your username and password are part of the admin group, you will be able to do anything that you want on your computer. With full Admin access, you can install software and change settings as you like. You have the keys to the whole house.

While that might seem pretty convenient, the problem is that if you get hacked, the hacker or the malicious software package also has that access to your computer, and that can mean maximum damage.

So, how is admin access usually handled? Here in the UK, an IT department worth its salt will make sure that everyone in the business is part of the standard access group and doesn’t have admin privileges. This means that they can’t make alterations to their computer and can’t add software without admin intervention.

This means that, in order to make changes to a computer, they will need an admin password entered. Admins effectively have a different level of access to all computers in the system. But if there is just one admin password for all of those computers, this also means that a hacker or rogue software can gain leverage over the entire network. That’s really not good.


How to Deal with Access.

If I could design a solution to this, I would have a different master password for each computer. Then, if one gets hacked, all of the others are safe. It sounds like something out of Ocean’s 11, but it also sounds like a lot to manage.

Luckily, there is a solution built into Microsoft 365 called Local Administrator Password Solution. That’s kinda long, so let’s just call it LAPS for short. This is such a great solution, so let me show you how to set up LAPS for your business. Okay, let’s go.

Setting Up.

Okay, first, I need to log into Microsoft 365. From there, I’m going to head to the Portal.azure.com page and log in there. Once I have logged in, I then want to head for Microsoft Entra ID. I’ve circled it on the screenshot.


I’m then going down to ‘Device Settings’ (circled red).



On this page, there are some administrator settings that I’m going to come back to, but for now, I’m just going to enable LAPS by toggling the button to ‘Yes’ (circled red).



And click ‘Save’.
Now I’m going to go back to my Admin Center. From there, we are going to head to the Endpoint Manager (circled in red).



That will open the Endpoint Manager. Then go to Endpoint Security.



And then onto Account Protection. This will open up a new screen. At the top there is an action called ‘Create Policy’. We are going to use this command to create a new policy.



I am going to create a policy for LAPS.

I need to select a platform and, in this case, it will be ‘Windows 10 or Later’. I need to choose ‘Local Admin Password Solution’ from the second drop-down box. Click ‘Next’. I need to create a name for my new policy, and I’m just going to call it “LAPS policy”.

Click ‘Next’ and there are some options, and we do want to back up these passwords. We need to configure this from the drop-down box, and I’m going to select back-up to Azure AD. You can choose to back it up to Active Directory, but I prefer Azure AD.

We have the option to select Password Age Days, which will default to 30 days if not selected. If you select this, you can choose a time period from 7 days up to 30 days or more.

Next, we can set the administrator account name. Rather than just ‘Administrator’ you can choose something like ‘IT Admin’; my advice is to keep it simple. I’m going to leave it as Not Configured so that it defaults.


We now need to choose password complexity, and that brings down a drop-down box:


We have lots of options here: large letters (capitals); large letters and small letters; large letters, small letters and numbers; and finally large letters, small letters, numbers and special characters. How complex do you want the password? Well, quite complex, to prevent anyone breaking it. If you choose ‘Not Configured’ it will default to the last option of uppercase, lowercase, numbers and special characters.

Password length will default to 14 characters if you leave it as ‘Not Configured’. It can be set to anything from eight characters (not recommended) up to 64 characters. I’ll leave it as ‘Not Configured’ and stick with 14 characters, which is pretty complex.

I’ll also leave the ‘Post Authentication Actions’ and ‘Post Authentication Reset Delay’ as ‘Not Configured’ too. Click ‘Next’.

For ‘Assignments’, I will assign all devices, click ‘Next’ and create the policy. The policy is now created.

Now I can test it. I can go over to the ‘Devices’ menu at the side, and select a device


As you can see, I have just one device – autopilot 032 – which belongs to a fictitious person called Fred Finance.

Now, this policy can take a little bit of time to filter down, but allow for that and try it after a short time.

(Pause to have a cup of coffee or tea if you like).

Okay, if I now go to Endpoint Security and Account Protection, I can see my new policy.


Down on the left-hand side of the screen, you can see that I have a local admin password. I can click on ‘Show’ and see my password, and it tells me that the last password rotation was just a few minutes ago, and the next one will be in 30 days.

I now don’t need to do anything. However, if I think that my password may have been compromised, I can manually rotate the password. Click on the device, navigate to the three dots on the right-hand side, and activate the menu.


At this point, you can manually update the password.
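The portal is the place the post checks its work, but the same thing can be confirmed on the device itself while you wait for the policy to filter down, and the manual rotation just described has a device-side equivalent. The script below is an added example, not from the original post or from Microsoft: it reads the values the Intune policy delivered, compares them with the choices made above (Azure AD backup and the defaults of 30 days, full complexity and 14 characters), forces the LAPS client to process policy, and lists the latest LAPS events. The registry path and value names are my understanding of where the Intune LAPS CSP settings land, so treat them as an assumption.

```powershell
# Added example: verify the Intune LAPS policy on a Windows device (run elevated).
# Assumption: the Intune LAPS CSP writes its settings under this key with these value names.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# What the post chose. Settings left 'Not Configured' are absent here and the
# built-in default (shown as the expected value) applies on the device.
$Expected = [ordered]@{
    BackupDirectory    = 1    # 0 = disabled, 1 = Azure AD / Entra ID, 2 = Windows Server AD
    PasswordAgeDays    = 30   # default 30
    PasswordComplexity = 4    # 4 = large letters, small letters, numbers and special characters
    PasswordLength     = 14   # default 14
}

function Test-LapsPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No LAPS policy found yet; give Intune time to sync and re-run."
        return $false
    }
    $actual = Get-ItemProperty -Path $PolicyKey
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Host ("{0,-20} not set, default {1} applies" -f $name, $Expected[$name])
        } elseif ($value -ne $Expected[$name]) {
            Write-Warning "$name is $value, expected $($Expected[$name])"
            $ok = $false
        } else {
            Write-Host ("{0,-20} {1}" -f $name, $value)
        }
    }
    return $ok
}

if (Test-LapsPolicy) {
    # Apply policy now rather than waiting for the next LAPS processing cycle.
    Invoke-LapsPolicyProcessing

    # Recent events show whether a password was generated and backed up to Azure AD.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}

# Device-side equivalent of the portal's manual rotation, for a password you
# suspect has been exposed: Reset-LapsPassword generates and backs up a new one.
# Reset-LapsPassword
```

The matching read on the admin side is Get-LapsAADPassword from the same LAPS module, which needs a Microsoft Graph sign-in with the DeviceLocalCredential.Read.All scope to return the stored password.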

At the start of this video, I said that there were some admin settings that I would come back to, so let’s do that now and go back to Device Settings.


Looking at the Local Administrator Settings, the Global Administrator Role is set to ‘Yes’, which I think is a little too open, so I’m going to toggle the switch across to ‘No’, and click ‘Save’.

This now means that users in the Global Administrator role don’t automatically have local admin over each device. This means that you can manage all of your local admin access with LAPS.

So, that’s LAPS for you. I hope that this has been informative and you have got plenty out of it. As you can see, setting up LAPS is really easy, so go out and set it up for your business today.