How to export device local admin password using Microsoft Graph API using PowerShell

Benard Mwanza 1,001 Reputation points
2023-09-20T11:52:19.74+00:00

I am having a problem exporting the local admin password for devices configured with LAPS using the Microsoft Graph API. The conventional Get-LapsADPassword cmdlet works fine but the Graph API doesn't. I suspect the problem is in the query endpoint because when I run

$credentialsResponse = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceLocalCredentials"

it retrieves well, but the list device credentials call does not return the credential as per the Microsoft documentation.

I have these permissions assigned to my app registration:

DeviceLocalCredential.ReadBasic.All, DeviceLocalCredential.Read.All

This is my code:

    $accessToken = "token here"
    $deviceId = "defe99b4-72f6-44c4-82ae-8dd4ff700b46"

    # Request to the deviceLocalCredentials endpoint for the selected device.
    # "$select" must be escaped with a backtick: inside a double-quoted string
    # PowerShell otherwise expands it as an (empty) variable and the query
    # that reaches Graph becomes ".../$deviceId?=credentials".
    $credentialsResponse = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceLocalCredentials/$deviceId?`$select=credentials" -Headers @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type"  = "application/json"
        "User-Agent"    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
    }
    # Credentials response
    $credentialsResponse
    $credentials = $credentialsResponse.value
    $credentials

When I run that code I get the error below and a partial response. What could be wrong?

[screenshot "psscript": PowerShell error output, not reproduced here]

I expect at least to see the entire JSON response as per the Microsoft documentation here:

GET https://graph.microsoft.com/beta/deviceLocalCredentials/b465e4e8-e4e8-b465-e8e4-65b4e8e465b4?$select=credentials
User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"
ocp-client-name: "My Friendly Client"
ocp-client-version: "1.2"
HTTP/1.1 200 OK
Content-type: application/json

{
  "value": {
    "@odata.type": "#microsoft.graph.deviceLocalCredentialInfo",
    "id": "b465e4e8-e4e8-b465-e8e4-65b4e8e465b4",
    "deviceName": "LAPS_TEST",
    "lastBackupDateTime": "2023-04-21T13:45:30.0000000Z",
    "refreshDateTime": "2020-05-20T13:45:30.0000000Z",
    "credentials": [
      {
        "accountName": "ContosoLocalAdminAccount",
        "accountSid": "S-1-5-21-2318549658-1590267884-3984890135-1965",
        "backupDateTime": "2023-04-21T13:45:30.0000000Z",
        "passwordBase64": "UQBRAEAAZAA4AGYAOABnAFkA"
      },
      {
        "accountName": "ContosoLocalAdminAccount",
        "accountSid": "S-1-5-21-2318549658-1590267884-3984890135-1965",
        "backupDateTime": "2023-03-22T13:45:30.0000000Z",
        "passwordBase64": "KgBEADkAawBsAGsAZgAjADQA"
      },
      {
        "accountName": "Administrator",
        "accountSid": "S-1-5-21-2318549658-1590267884-3984890135-500",
        "backupDateTime": "2023-02-23T13:45:30.0000000Z",
        "passwordBase64": "TABwAGQAOQAqACgAKQAzADQA"
      }
    ]
  }
}

1 answer
Chandan Bilvaraj 0 Reputation points
2023-09-20T17:59:15.3033333+00:00

To export the device local admin password using the Microsoft Graph API with PowerShell, you can use the following steps:

1. Install the Microsoft Graph PowerShell SDK.
2. Connect to Microsoft Graph using the Connect-MgGraph cmdlet.
3. Get the device local credentials using the following query:
   https://graph.microsoft.com/beta/deviceLocalCredentials/[deviceId]

   Replace [deviceId] with the ID of the device whose local admin password you want to export.

4. Save the password to a file or variable.

The following PowerShell script demonstrates how to export the device local admin password for a device with the ID 12345678-90ab-cdef-0123-456789abcdef:

    # Install the Microsoft Graph PowerShell SDK
    Install-Module Microsoft.Graph

    # Connect to Microsoft Graph (signs in to the app registration; the scope
    # must match a permission granted to the app)
    Connect-MgGraph -ClientId <your_client_id> -TenantId <your_tenant_id> -Scopes "DeviceLocalCredential.Read.All"

    # Get the device local credentials. Invoke-MgGraphRequest reuses the
    # Connect-MgGraph session; a bare Invoke-RestMethod call would have no
    # Authorization header and fail with 401. The backtick keeps PowerShell
    # from expanding "$select" as a variable.
    $credentialsResponse = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceLocalCredentials/12345678-90ab-cdef-0123-456789abcdef?`$select=credentials" -OutputType PSObject

    # Save the newest password to a file. The response does not have a
    # .password property: each entry in value.credentials carries
    # passwordBase64, which is base64 over UTF-16LE text.
    $latest   = $credentialsResponse.value.credentials | Sort-Object backupDateTime -Descending | Select-Object -First 1
    $password = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($latest.passwordBase64))
    # Write-Host output is not redirected by ">>", so write the file explicitly.
    Set-Content -Path "C:\Temp\LocalAdminPassword.txt" -Value $password

Note: The list device credentials endpoint does not return the password in clear text. To get the password in clear text, you need to use the /beta version of the Microsoft Graph API and the deviceLocalCredentials/[deviceId] query endpoint.

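An added example, not code from the question or the answer, that builds the per-device URI without PowerShell expanding `$select`, decodes the UTF-16LE base64 password and keeps only the newest backup per account. The live call is commented out and assumes an existing Connect-MgGraph session and a `$deviceId` variable; the offline check uses the documentation sample quoted in the question.

```powershell
# Added example (not from the question or the answer). Assumes a Connect-MgGraph
# session with DeviceLocalCredential.Read.All and a $deviceId variable for the live call.

function Get-LapsCredentialUri {
    param([Parameter(Mandatory)][string]$DeviceId)
    # Single quotes keep "$select" literal; in a double-quoted string PowerShell
    # would expand it as an empty variable and send ".../<id>?=credentials".
    'https://graph.microsoft.com/beta/deviceLocalCredentials/{0}?$select=credentials' -f $DeviceId
}

function ConvertFrom-LapsPasswordBase64 {
    param([Parameter(Mandatory)][string]$PasswordBase64)
    # passwordBase64 is base64 over UTF-16LE bytes, so decode with the Unicode encoding.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($PasswordBase64))
}

function Get-LatestLapsCredential {
    param([Parameter(Mandatory)]$Response)
    # The response may carry several backups per account; keep the most recent one.
    $Response.value.credentials |
        Group-Object accountName |
        ForEach-Object {
            $latest = $_.Group |
                Sort-Object { [datetime]$_.backupDateTime } -Descending |
                Select-Object -First 1
            [pscustomobject]@{
                AccountName    = $latest.accountName
                BackupDateTime = $latest.backupDateTime
                Password       = ConvertFrom-LapsPasswordBase64 $latest.passwordBase64
            }
        }
}

# Live call (Invoke-MgGraphRequest reuses the Connect-MgGraph session):
# $response = Invoke-MgGraphRequest -Method GET -Uri (Get-LapsCredentialUri $deviceId) -OutputType PSObject

# Offline check against the sample response from the Graph documentation quoted above.
$sample = @'
{ "value": { "credentials": [
  { "accountName": "ContosoLocalAdminAccount", "backupDateTime": "2023-04-21T13:45:30.0000000Z", "passwordBase64": "UQBRAEAAZAA4AGYAOABnAFkA" },
  { "accountName": "ContosoLocalAdminAccount", "backupDateTime": "2023-03-22T13:45:30.0000000Z", "passwordBase64": "KgBEADkAawBsAGsAZgAjADQA" },
  { "accountName": "Administrator",            "backupDateTime": "2023-02-23T13:45:30.0000000Z", "passwordBase64": "TABwAGQAOQAqACgAKQAzADQA" }
] } }
'@
Get-LatestLapsCredential ($sample | ConvertFrom-Json) | Format-Table -AutoSize
```

Running the offline check yields one row per account, with the 2023-04-21 backup selected for ContosoLocalAdminAccount.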
