@Vinod Survase Thank you for reaching out to us. As I understand, you are looking for use cases for when to use Windows LAPS for Azure AD joined devices.
With new LAPS (Windows LAPS):
- Built into Windows
- Support for Azure AD Join, Hybrid Azure AD Join and on-premise (Domain join) scenarios. For cloud and hybrid, passwords are stored (encrypted) on the device object in Azure AD.
Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:
- Protection against pass-the-hash and lateral-traversal attacks.
- Improved security for remote help desk scenarios.
- Ability to sign in to and recover devices that are otherwise inaccessible.
- A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory.
- Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory.
Azure AD support for LAPS includes the following capabilities - https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-manage-local-admin-passwords#:~:text=Azure%20AD%20support%20for%20LAPS%20includes%20the%20following%20capabilities%3A
Key Windows LAPS scenarios
You can use Windows LAPS for several primary scenarios:
- Back up local administrator account passwords to Azure Active Directory (for Azure Active Directory-joined devices)
- Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)
- Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)
- Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS
In each scenario, you can apply different policy settings.
Understand device join state restrictions
Whether a device is joined to Azure Active Directory or Windows Server Active Directory determines how you can use Windows LAPS.
- Devices that are joined only to Azure Active Directory can back up passwords only to Azure Active Directory.
- Devices that are joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.
- Devices that are hybrid-joined (joined to both Azure Active Directory and Windows Server Active Directory) can back up their passwords either to Azure Active Directory or to Windows Server Active Directory. You can't back up passwords to both Azure Active Directory and Windows Server Active Directory.
- Windows LAPS doesn't support Azure Active Directory workplace-joined clients.
Let me know if you have any further questions; feel free to post back.
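
As an added example (not part of the answer above and not Microsoft's code), the join-state restrictions can be checked in PowerShell against `dsregcmd /status` output. The function names and the sample output are constructed for illustration; the values 0, 1 and 2 are assumed to match the Windows LAPS `BackupDirectory` policy setting (disabled, Azure AD, Windows Server AD).

```powershell
# Added example: validate a Windows LAPS backup target against device join state.
# Hypothetical helper names; BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD.

function Get-JoinState {
    param([string[]]$DsregLines)   # lines of `dsregcmd /status` output
    $state = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $DsregLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $state
}

function Test-LapsBackupDirectory {
    param([hashtable]$State, [ValidateRange(0, 2)][int]$BackupDirectory)
    $names = @{ 1 = 'Azure AD'; 2 = 'Windows Server AD' }
    $allowed = @()
    if ($State.AzureAdJoined) { $allowed += 1 }   # Azure AD joined or hybrid joined
    if ($State.DomainJoined)  { $allowed += 2 }   # domain joined or hybrid joined
    # Workplace join adds no target: Windows LAPS does not support it.
    # Hybrid devices get both targets, but the policy holds one value, so only one is used.
    $verdict = if ($BackupDirectory -eq 0) {
        'Backup disabled by policy'
    } elseif ($allowed -contains $BackupDirectory) {
        'OK'
    } elseif ($allowed.Count -eq 0) {
        'No join state supported by Windows LAPS'
    } else {
        'Not allowed; valid target(s): ' + (($allowed | ForEach-Object { $names[$_] }) -join ', ')
    }
    [pscustomobject]@{
        AzureAdJoined = $State.AzureAdJoined
        DomainJoined  = $State.DomainJoined
        Requested     = $BackupDirectory
        Verdict       = $verdict
    }
}

# Constructed sample in the format `dsregcmd /status` prints (Azure AD joined only).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : NO
           WorkplaceJoined : NO
'@ -split '\r?\n'

$state = Get-JoinState -DsregLines $sample   # on a real device: Get-JoinState (dsregcmd /status)
1, 2 | ForEach-Object { Test-LapsBackupDirectory -State $state -BackupDirectory $_ }
```

For the constructed sample, target 1 returns `OK` and target 2 is rejected with Azure AD listed as the only valid target.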