Pricing Request a trial or quote Downloads

Setting up Microsoft LAPS for Entra

PreviousSetting up Microsoft LAPS for Active Directory NextSetting up Lithnet LAPS

Last updated 10 months ago

Was this helpful?

Setting up Microsoft LAPS for Entra

Lithnet Access Manager provides a convenient web-based interface for accessing local admin passwords that have been stored in Entra ID by Windows LAPS.

This guide assumes that you have the Windows LAPS agent deployed and configured appropriately. Test access to the LAPS passwords using the Entra portal first to make sure it is configured correctly.

This guide focuses on setting up support for Windows LAPS passwords stored in Microsoft Entra. See our other guide for passwords stored in .

Step 1: Configure a new application in Entra ID

Follow the steps in to create the app registration for Access Manager. Take note of the tenant ID, client ID and secret created here as they will be used in the next step.

Ensure that the appropriate API permissions have been granted for the Accessing LAPS passwords stored in Entra scenario.

Step 2: Configure the service account details in Access Manager

Open the Lithnet Access Manager Service Configuration Tool
Select the Directory configuration/Microsoft Entra page
Press the Add... button to add a new tenant configuration
Add the client ID, secret, and directory/tenant ID in the fields provided
Save the tenant configuration

You may need to wait a minute or two for the secret and delegation to become active

Step 3: Assign access

The final step is to create an authorization rule, granting permission for your selected users and groups to access the LAPS passwords for the specified computers.

From the Authorization rules/Computers page, select Add... to create a new rule. Select the Entra ID tenant, device group, or computer you want to assign access to, and provide a friendly description for this rule. This will appear in audit logs if a user is granted access.

Expand the Access control section and select Edit Permissions... to open the ACL editor.

When a computer is using Microsoft's Windows LAPS agent, and it is configured to store its password in Microsoft Entra, then forced password rotation by Access Manager is not possible. Entra ID does not provide an API that AMS can use to indicate to the machine that the password should be rotated.

If you'd like to be notified when someone accesses a LAPS password, select the notification channels you'd like to send to for success and failure events.

Step 4: Validate access

Log in to the Access Manager web app as an authorized user, and request access to the password for a computer. If you have performed the steps correctly, you should be able to see the machine's password.