LAPS with AZURE AD (AAD)

Ivan Marrese 0 Reputation points
2023-07-28T11:52:45.3133333+00:00

I want to implement LAPS on Azure AD for my Azure AD joined PCs. But.... what if one of my computers doesn't connect to the internet for a few days and in the meantime the local admin password has expired? Logic tells me that the penultimate password should be valid (because it's in the local cache). But where do I get it? If I somehow manage to log into the Azure portal to recover that PC's password, I will only find the last password. And not the penultimate one or (worse still) the ones before that....

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,718 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Gérald Döserich 760 Reputation points
    2023-07-28T20:40:44.7466667+00:00

    See https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts for the full schematics.

    LAPS will only rotate the password locally if it can successfully upload the new password. If there is no connectivity the password will not be rotated. Therefore the last set password (and therefore the currently shown) password in Azure AD will still be valid.

    0 comments No comments