LAPS with AZURE AD (AAD)

Ivan Marrese 0 Reputation points
2023-07-28T11:52:45.3133333+00:00

I want to implement LAPS on Azure AD for my Azure AD joined PCs. But.... what if one of my computers doesn't connect to the internet for a few days and in the meantime the local admin password has expired? Logic tells me that the penultimate password should be valid (because it's in the local cache). But where do I get it? If I somehow manage to log into the Azure portal to recover that PC's password, I will only find the last password. And not the penultimate one or (worse still) the ones before that....

Microsoft Entra ID

1 answer

  1. Gérald Döserich 765 Reputation points
    2023-07-28T20:40:44.7466667+00:00

    See https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts for the full schematics.

    LAPS will only rotate the password locally if it can successfully upload the new password. If there is no connectivity the password will not be rotated. Therefore the last set password (and therefore the currently shown password) in Azure AD will still be valid.

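As an added example (not part of the question or the answer above), the following PowerShell checks the backup-before-rotate behaviour the answer describes: on the device it shows the effective LAPS policy and the result of the latest backup attempt, and from an admin workstation it reads which password and expiry Entra ID currently holds. It assumes the built-in Windows LAPS module, the Microsoft Graph PowerShell module, and a device id you fill in for the placeholder.

```powershell
# --- On the Entra-joined device: effective policy and last processing result ---
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
if (-not $policy) { throw 'No Windows LAPS policy is applied to this device.' }
# BackupDirectory: 0 = disabled, 1 = Entra ID (Azure AD), 2 = Windows Server AD
"Backup target: $($policy.BackupDirectory)  Password age (days): $($policy.PasswordAgeDays)"

# Force a policy processing pass so the device attempts a backup right now
Invoke-LapsPolicyProcessing

# Most recent LAPS events. An error-level event here means the upload failed; in that
# case the local password was NOT rotated, so the value stored in Entra ID is still valid.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# --- From an admin workstation: what Entra ID currently holds for the device ---
$deviceId = '<DEVICE-OBJECT-ID-PLACEHOLDER>'   # assumption: fill in the Entra device object id
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'
# PasswordUpdateTime tells you when the last successful backup happened; if the device has
# been offline since then, that is the password still set on the machine.
Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime
```

Run the first part in an elevated session on the device itself; the Graph part needs an account granted the listed permissions.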
