If you are looking for a way to granularly control access to LAPS local admin passwords, you should consider Azure Administrative Units.

How it works

You can collect users, groups and devices into a virtual container called an Administrative Unit (AU). The membership type can be Assigned, or it can be Dynamic User or Dynamic Device. In the AU you can add roles and administrators. All of these assignments are effective only for the users, groups and devices in the Administrative Unit.
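The steps described above, as an added example using Microsoft Graph from PowerShell (not code from the original page). The AU name, the device rule, the admin's UPN and the choice of the Cloud Device Administrator role as the role that can read LAPS passwords are assumptions of this example.

```powershell
# Added example. The AU name, device rule and UPN are constructed placeholders.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# 1. Create the AU with Dynamic Device membership.
$auBody = @{
    displayName                   = 'AU-London-Workstations'
    description                   = 'Devices whose LAPS passwords the London helpdesk may read'
    membershipType                = 'Dynamic'
    membershipRule                = '(device.displayName -startsWith "LON-")'
    membershipRuleProcessingState = 'On'
} | ConvertTo-Json
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" `
        -Body $auBody -ContentType 'application/json'

# 2. Look up the role by name and the administrator who will hold it.
$roleUri = "$graph/roleManagement/directory/roleDefinitions" +
           "?`$filter=displayName eq 'Cloud Device Administrator'"
$role    = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value[0]
$admin   = Invoke-MgGraphRequest -Method GET `
             -Uri "$graph/users/helpdesk.london@contoso.example"

# 3. Assign the role with the AU as its scope instead of the whole directory ('/').
$assignBody = @{
    '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
    principalId      = $admin.id
    roleDefinitionId = $role.id
    directoryScopeId = "/administrativeUnits/$($au.id)"
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" `
    -Body $assignBody -ContentType 'application/json' | Out-Null

# 4. Review every role assignment this admin holds and flag tenant-wide ones.
$checkUri = "$graph/roleManagement/directory/roleAssignments" +
            "?`$filter=principalId eq '$($admin.id)'"
(Invoke-MgGraphRequest -Method GET -Uri $checkUri).value | ForEach-Object {
    [pscustomobject]@{
        RoleDefinitionId = $_.roleDefinitionId
        Scope            = $_.directoryScopeId
        TenantWide       = ($_.directoryScopeId -eq '/')
    }
}
```

Any row in the last step with `TenantWide` set to `True` means the administrator also holds a directory-wide assignment, which would bypass the AU boundary.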