How to Create Custom RBAC Role in Intune for LAPS Password Administrator

Windows Local Administrator Password Solution (LAPS) from Microsoft allows you to manage and rotate local administrator passwords on Windows devices. A custom RBAC role in Intune is required if you want to delegate the password administration to help desk members. The password administration for Windows LAPS include retrieving the password for a Windows device from Microsoft Intune console and rotating the password for a device based on requirements.

Let’s go through the below post to understand the steps required to delegate LAPS password administration to IT help desk by creating a custom Role Based Access Control (RBAC) role.

Create Azure AD Group

An Azure AD group is required to simplify RBAC process. The user who need to work on Windows LAPS password administration, can be simply added to this AAD group to get all necessary access. Follow the below steps to create an Azure Active Directory group.

  • On the Azure portal, go to Azure Active Directory > Groups and click on New Group

Create Azure AD Group

  • On the New Group page, provide the following details.
    • Group Type : Security
    • Group Name: Provide group name as per your organization naming standards
    • Azure AD roles can be assigned to the group : Select Yes.
    • Membership Type: Assigned
    • Members: Add the user if you want to add any at this point of time.

Click on Create to create AAD group.

Create Azure AD Group

  • Click Yes on the message box.

Create Azure AD Group

Create Azure RBAC Custom Role to View password

The next step is to create a custom AAD role to view Windows LAPS password. As of now Windows LAPS is in preview and no built-in role available in Azure AD for this. To view password details, your account must have one of the following Azure Active Directory permissions:

  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read

Follow the below steps to create a custom RBAC role in Azure AD.

  • On the Azure portal, navigates to Azure Active Directory > Roles and administrators , and click on “New custom role

Create Azure AD role

  • On the next page, provide role name, description and click on Next.

Create Azure AD role

  • On the Permission page, search for microsoft.directory/deviceLocalCredentials and select the permissions from the result.

Create Azure AD role

  • On the Review + create page, review the details and click on Create.

Create Azure AD role

Assign Azure AD Custom Role

We have created Azure AD custom role in last step. Now this role need to be assigned to Azure AD Group which we created earlier.

  • On the Role and administrator page, search for AD group you created for LAPS and click on the group.

Assign Azure AD Role

  • Click on Add assignments.

Assign Azure AD Role

  • On the Add assignments > Membership, select the following.
    • Scope type : Directory
    • Select members : Select the AAD group you created for LAPS password administrators.
  • Click on Next

Assign Azure AD Role

  • On the Add assignments > Settings page, select Active in Assignment type, provide the justification and click on Assign button.

Assign Azure AD Role

  • The role is now assigned to the AAD group. You can see the details in Assignment blade.

Assign Azure AD Role

Create Custom RBAC Role in Intune for LAPS Password Administration

We will now create a custom RBAC role in Intune for LAPS password administration. This role allows user to access “Local Admin Password” blade for a device, view and rotate local admin password.

  • On the Microsoft Intune admin center, navigates to Tenant administration > All roles and click on Create

Custom RBAC Role in Intune

  • On the Basic page, provide the role name and description. click on Next.

Intune RBAC Role

  • On the Permission page, select the following permissions.
    • Manage Device: Read
    • Organization: Read
    • Remote tasks: Rotate Local Admin Password
  • Click on Next

Intune RBAC Role

  • On the Review + create page, review the details and click on Create.

Intune RBAC Role

  • The role is now created and you can see the the same in All roles. Click on newly created role to assign the role to Azure AD group.

Intune RBAC Role

  • On the Assignments page, click on Assign link.

Intune RBAC Role

  • On the Add Role Assignment > Basics page, provide the name and description for role assignment and click on Next.

Intune RBAC Role

  • On the Admin Groups page, click on Add groups and select the AAD group you created for LAPS administrators.

Intune RBAC Role

  • On the Scope Groups, select the All Devices and click on Next.

Intune RBAC Role

  • On the Review + create page, review the settings and click on Create.

Intune RBAC Role

The Intune role assignment steps are now completed. User who are part of the Azure AD group can now able to view local admin password for a device. They can also rotate / change the password if required.

LAPS Password Administrators – Experience

When LAPS Administrator logon to Intune console, they can access Local admin password blade and view local admin password.

Intune Windows LAPS

They can also access Rotate local admin password option by clicking on 3 dots at top right. The other options are grayed out in below screen as we have granted only LAPS password administration privilege to Azure AD group. If same user is part of other roles, they would be able to perform other actions as well based on the permissions the have.

Intune LAPS Rotate Local admin password

Related Posts

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top