I have configured LAPS in Intune and it is working, but I need every team manager to have access to his team's local passwords from Intune, rather than each user contacting the IT team; they would get their local password from their manager. How can we do that? Anyone have an id

Muhammad Zeeshan 100 Reputation points
2024-02-07T07:55:25.5566667+00:00

I have configured LAPS in Intune and it is working, but I need every team manager to have access to his team's local passwords from Intune, rather than each user contacting the IT team; they would get their local password from their manager. How can we do that? Does anyone have an idea about it? I have also created a custom role and added a user for a specific group, but it is not working.

Microsoft Intune

2 answers

  1. Crystal-MSFT 48,001 Reputation points Microsoft Vendor
    2024-02-07T08:35:42.39+00:00

    @Muhammad Zeeshan, thanks for posting in Q&A. To allow team managers to access the local passwords of their teams' devices, you can create scope tags for different teams and assign the specific scope tag of each team to the devices in that team.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control

    Assign the microsoft.directory/deviceLocalCredentials/password/read permission to the team manager.

    Then create a custom role with the permissions Managed devices: Read and Organization: Read, and assign it to the team manager with the specific scope tag, so that each team manager can see the local passwords on the devices in their team that carry the same scope tag.

    https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. JatinMakhija 971 Reputation points
    2024-02-07T12:55:47.9+00:00

    The following built-in Microsoft Entra roles have permission to recover LAPS passwords: Global Admin, Cloud Device Admin, and Intune Service Admin. You would need to create a custom PIM role; I have created this for my organization and it is currently in use and working fine.

    Create custom roles with the permissions below:

    To view the local administrator password for a Windows device joined to Microsoft Entra ID, you must be granted the microsoft.directory/deviceLocalCredentials/password/read action.

    To view the local administrator password metadata for a Windows device joined to Microsoft Entra ID, you must be granted the microsoft.directory/deviceLocalCredentials/standard/read action.

    For more information on password retrieval, please refer to the guide below:
    https://cloudinfra.net/implement-laps-with-intune-a-comprehensive-guide/#how-to-retreive-laps-managed-local-admin-password

    ---If the response is helpful, please click "Accept Answer" and upvote it.---
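As an added example (not code from either answer above), this Microsoft Graph PowerShell script creates the Entra custom role with the two deviceLocalCredentials actions named in the answers and assigns it to a team-manager group; the role name, group name and device id are placeholders, and the retrieval cmdlet at the end is an assumed one from the Microsoft.Graph.Identity.DirectoryManagement module.

```powershell
# Added example, not part of the original thread.
# Requires the Microsoft.Graph PowerShell SDK and an admin account that can
# consent to RoleManagement.ReadWrite.Directory.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

$roleName  = "LAPS Password Reader - Team A"   # placeholder
$groupName = "Team A Managers"                  # placeholder; must be a role-assignable group

# The two actions from the thread: password/read returns the secret itself,
# standard/read returns only metadata (account name, backup time, etc.).
$actions = @(
    "microsoft.directory/deviceLocalCredentials/password/read",
    "microsoft.directory/deviceLocalCredentials/standard/read"
)

# Create the least-privilege custom role (only these two actions, nothing else).
$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName $roleName `
    -Description "Read LAPS local administrator passwords" `
    -IsEnabled `
    -RolePermissions @(@{ AllowedResourceActions = $actions })

# Resolve the manager group and assign the role to it.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"

# DirectoryScopeId "/" grants the action tenant-wide, which is how the answers
# describe it; the Intune scope tags from the first answer narrow what the
# Intune admin center shows, not this Entra permission itself.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id `
    -DirectoryScopeId "/"

"Assigned role '$($role.DisplayName)' to group '$($group.DisplayName)' (assignment $($assignment.Id))"

# Verification from a manager's own session (assumed cmdlet): the password is
# only returned when the 'credentials' property is requested explicitly.
# $deviceId = "<device object id>"   # placeholder
# Get-MgDirectoryDeviceLocalCredential -DeviceLocalCredentialId $deviceId -Property credentials
```

Because the role assignment goes to a group, managers can be added and removed without touching the role definition; the group itself must have been created as role-assignable.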

