Quickstart: Configure LAPS for Azure Arc with a test machine

In this guide, you will use Azure Policy to configure a machine with LAPS for Azure Arc settings. Note that applying LAPS settings changes local administrator password management behavior, including password backup and rotation. This guide has you create a disposable resource group with a disposable VM to limit the scope of application. Specifically, you will:

1. Create an empty resource group
2. Import a policy definition and assign it to the resource group
3. Create a Windows Server VM in the resource group and observe the results

Preview considerations

1. This LAPS for Azure Arc implementation is a preview, and should be used in test environments.
2. The policy definition is not built-in to Azure at this time. It must be imported.
3. For feedback channels, see the Related resources section at the end of this article.

Prerequisites

Before attempting the steps in this article, ensure that you already have:

1. An Azure account where you have access to create a resource group, policy assignments, and a virtual machine.
   1. If you don't have an Azure account, you can create a free trial.
2. Your preferred environment for interacting with Azure, such as:
   1. [Recommended] Use Azure Cloud Shell (at https://shell.azure.com or your local equivalent)
   2. OR Use your own machine and shell environment with Azure CLI installed and signed in
   3. OR Use the Azure portal (at https://portal.azure.com or your local equivalent)

Check that you are signed in to your test environment

Azure portal

1. Use the account information in the portal to see your current context.

Azure CLI

1. You can use az account show to see your current context. To sign in or change contexts, use az account login.
2. The policy definition will be imported to the subscription which is shown as id in response to az account show

Step 1: Create a resource group

Tip

The use of "East US" (eastus) as an example location throughout this article is arbitrary. You can choose any available Azure location.

Azure portal

1. From the Azure portal, browse to Resource groups
2. Select + Create
3. Choose a name and region, such as "my-laps-demo-rg" and "East US"
4. Proceed to Review + create

Azure CLI

az group create --name my-laps-demo-rg --location eastus

Step 2: Import the LAPS policy definition

The preview policy definition is not built-in to Azure at this time. The following steps illustrate importing it as a custom policy definition.

Azure portal

1. Download the LAPS policy definition JSON to your computer, and open it in your preferred text editor. In a later step, you will copy and paste the contents of this file.
2. In the Azure portal search bar, type Policy and select Policy from the Services results.
3. From the Azure Policy overview, navigate to Authoring > Definitions.
4. Select + Policy definition, and fill in the resulting form as follows:
   1. Definition location: <choose your test Azure subscription>
   2. Name: Configure LAPS for Azure Arc (powered by OSConfig)
   3. Category: Use existing > Guest configuration
   4. Policy rule: Delete the prefilled content, then paste in the JSON from the file in step 1

Azure CLI

If you are using a specialized Azure environment such as a government cloud, you might need to replace management.azure.com in the following command with your local endpoint.

curl -L https://github.com/microsoft/osconfig/releases/download/devtest/LAPS_CustomPolicy.json -o ./temp_laps_policy_def.json

# Note that it is not necessary to manually replace the {subscriptionId} token in the command below. The az rest command
# will automatically replace it with the subscription id from the az account show command.
az rest --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/preview_laps_azure_arc_osconfig?api-version=2023-04-01" --method PUT --body @./temp_laps_policy_def.json

Step 3: Assign the policy to your test resource group

Azure portal

1. From the Policy definition page, select Assign policy
2. Basics tab:
   1. Scope: Select your test resource group (for example, my-laps-demo-rg)
      1. Take care not to select the entire subscription or the wrong resource group
   2. Policy definition: Configure LAPS for Azure Arc (powered by OSConfig)
   3. Assignment name: Configure LAPS for Azure Arc (powered by OSConfig)
3. Parameters tab:
   1. Review the available LAPS parameters (password length, backup directory, etc.). The defaults align with Microsoft security best practices.
   2. If you are testing with an Arc-enabled machine as opposed to an Azure VM, be sure to change "Include Arc connected servers" to true.
4. Remediation tab:
   1. Choose the option to create a managed identity, and choose "system managed"
5. Review + create tab:
   1. Select Create

Azure CLI

RG_ID=$(az group show --resource-group my-laps-demo-rg --query id --output tsv)
az policy assignment create --policy "preview_laps_azure_arc_osconfig" --name "assign_preview_laps_azure_arc" --display-name "Configure LAPS for Azure Arc (powered by OSConfig)" --scope "$RG_ID" --mi-system-assigned --role "Guest Configuration Resource Contributor" --identity-scope "$RG_ID" --location eastus

Step 4: Create a test Windows Server VM

Tip

LAPS for Azure Arc requires Windows Server 2025 or Windows Server 2022 (23H2 and later). This example uses Windows Server 2025. For information on compatible versions, see What is LAPS for Azure Arc?.

Azure portal

1. Create a Windows Server virtual machine with the following choices:
   1. Virtual machine name: my-laps-demo-vm-01
   2. Resource group: The resource group created earlier, e.g., my-laps-demo-rg
   3. Image: Windows Server 2025 Datacenter - x64 Gen2
   4. VM size: Your choice, but note that smaller B-series VM sizes such as Standard_B2s can be a cost-effective option for testing
   5. Administrator account: Set a username and password (you will use this to RDP into the VM)
2. After VM creation, update the VM to work with Machine Configuration:
   1. Add a system assigned identity, if not already present
   2. Add the Machine Configuration extension (labeled in portal as Azure Automanage Machine Configuration)

Tip

The managed identity and Machine Configuration extension steps were performed manually in this guide to provide a linear experience. At scale, these can be satisfied using the Deploy prerequisites to enable Guest Configuration policies on virtual machines built-in policy initiative.

Azure CLI

1. Create a Windows Server VM with a system assigned identity:

   az vm create --name my-laps-demo-vm-01 --resource-group my-laps-demo-rg --image Win2025Datacenter --assign-identity [system] --size Standard_B2s --admin-username azureadmin --admin-password '<YourSecurePassword>'
   

   Tip

   Replace <YourSecurePassword> with a strong password. It is normal to receive a warning similar to "No access was given yet...". It is intentional that no specific access is assigned to the managed identity.

2. Install the Machine Configuration agent as an Azure VM extension:

   az vm extension set --resource-group my-laps-demo-rg --vm-name my-laps-demo-vm-01 --name ConfigurationForWindows --publisher Microsoft.GuestConfiguration --enable-auto-upgrade
   

Important

Take a break before proceeding

Several steps will now happen automatically. Each of these steps can take a few minutes. Accordingly, please wait at least 15 minutes before proceeding.

Step 5: Observe results

Azure portal

1. Navigate to the Azure Policy overview page
2. Click "Compliance" in the left navigation
3. Click on the policy assignment you created, e.g., Configure LAPS for Azure Arc (powered by OSConfig)
4. Review:
   1. Count of machines by compliance state
   2. List of machines with compliance state for each
5. To see per-setting details:
   1. In the list of machines (shown under Resource compliance) select the name of your test machine
   2. Click on View resource to go to the machine overview page
   3. In the left navigation, find and select Configuration management
   4. In the list of configurations, select the LAPS configuration
   5. Use the filter drop-down to Select all to see both compliant and non-compliant settings

Azure CLI

1. List of machines with LAPS compliance state:

   az graph query --query data --output yamlc --graph-query '
   guestconfigurationresources
   | where name contains "LAPS"
   | project ["> Machine"] = split(properties.targetResourceId,"/")[-1],
     ComplianceStatus = properties.complianceStatus,
     LastComplianceCheck = properties.lastComplianceStatusChecked'
   

Step 6: Verify LAPS locally on the test VM

1. Connect to your VM via RDP or Azure Bastion

2. Open an elevated PowerShell window and run:

   Invoke-LapsPolicyProcessing
   Reset-LapsPassword -Verbose
   

3. Open Event Viewer and navigate to Applications and Services Logs > Microsoft-Windows-LAPS

4. Verify that events indicate successful LAPS configuration and password management

For more details on local verification (including Arc-connected machines), see Verifying LAPS configuration locally.

Clean up resources

To avoid ongoing charges, consider deleting the resource group used in this article. For example, the Azure CLI command would be az group delete --name "my-laps-demo-rg".

---

Related content

• What is LAPS for Azure Arc? — Overview, settings reference, and supported operating systems
• For support with problems, contact Microsoft Support
• To provide feedback or discuss feature requests, contact: linux_sec_config_mgmt@service.microsoft.com