Windows LAPS Azure AD Custom Role and Administrative Units
If you are looking for a way to control access to Windows LAPS local administrator passwords at a finer granularity than the whole tenant, you should consider Azure AD Administrative Units.
How it works
An Administrative Unit (AU) is a container in Azure AD into which you collect users, groups and devices.
Membership can be assigned manually, or dynamically through a membership rule that selects users or devices.
Roles are then assigned to administrators within the AU, and those role assignments are effective only for the users, groups and devices that are members of the AU.
For example, a Cloud Device Administrator assigned at the scope of the AU Switzerland can retrieve LAPS passwords only for devices that are members of the AU Switzerland; devices outside the AU are out of reach for that administrator.
Custom Azure AD role for LAPS
The built-in Cloud Device Administrator role carries far more than LAPS permissions. If all the administrator needs is to read LAPS passwords, build a custom Azure AD role with only the following two permission paths:
"microsoft.directory/deviceLocalCredentials/standard/read" (read the LAPS metadata for a device: account name, backup time, but not the password itself)
"microsoft.directory/deviceLocalCredentials/password/read" (read the backed-up local administrator password)
The custom role can be onboarded to Privileged Identity Management (PIM), but PIM does not let you make the assignment at Administrative Unit scope; an AU-scoped assignment has to be made directly on the Administrative Unit. Keep this in mind if you were counting on just-in-time activation for the scoped role.
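The full procedure from both sections above (create the AU with a dynamic device rule, define the custom LAPS role, assign it at AU scope, then read a password as the scoped administrator) as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not code from the original post. The AU name is taken from the post; the role name "LAPS Password Reader", the helpdesk UPN, the extensionAttribute1 membership rule and the function name Get-LapsPasswordScoped are assumptions. The password is returned by Graph base64-encoded under credentials[].passwordBase64 and is only included when the request selects the credentials property.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
# Steps 1-5 run as a tenant administrator; step 6 runs as the scoped helpdesk user.

# 1. Sign in with the delegated permissions needed for AUs, role definitions and assignments.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 2. Create the AU. The dynamic rule (assumed convention) pulls in every device whose
#    extensionAttribute1 is "CH". Drop the membership* keys for manual membership.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "AU Switzerland"
    description                   = "Swiss devices; LAPS password reads are scoped here"
    membershipType                = "Dynamic"
    membershipRule                = '(device.extensionAttribute1 -eq "CH")'
    membershipRuleProcessingState = "On"
}

# 3. Define a custom role carrying only the two LAPS permission paths from the post.
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "LAPS Password Reader"          # assumed name
    description     = "Read Windows LAPS metadata and passwords"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/deviceLocalCredentials/standard/read",
                "microsoft.directory/deviceLocalCredentials/password/read"
            )
        }
    )
}

# 4. Assign the role to a helpdesk user at AU scope. directoryScopeId "/" would be
#    tenant-wide; "/administrativeUnits/<id>" limits it to members of that AU.
$helpdesk = Get-MgUser -UserId "helpdesk.ch@contoso.example"   # assumed UPN
$null = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $helpdesk.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 5. Check: every assignment that is scoped to this AU, and nothing scoped to "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId

# 6. As the helpdesk user, in a separate session:
#    Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"
#    Without $select=credentials Graph returns only metadata (standard/read); selecting
#    credentials requires password/read. A device outside the AU comes back as 403 Forbidden,
#    which is the AU scope working as intended.
function Get-LapsPasswordScoped {
    param([Parameter(Mandatory)][string]$DeviceId)   # Azure AD device object id
    $uri = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$DeviceId" +
           '?$select=credentials'
    try {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    } catch {
        if ($_.Exception.Message -match 'Forbidden|403') {
            Write-Warning "Device $DeviceId is outside your AU scope, or the role lacks password/read."
            return
        }
        throw
    }
    # A device can carry several backed-up credentials; take the most recent backup.
    $latest = $resp.credentials | Sort-Object backupDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        DeviceId    = $DeviceId
        AccountName = $latest.accountName
        BackedUpAt  = $latest.backupDateTime
        Password    = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($latest.passwordBase64))
    }
}

# Usage (device ids are placeholders):
# Get-LapsPasswordScoped -DeviceId "<device object id inside AU Switzerland>"   # returns the password
# Get-LapsPasswordScoped -DeviceId "<device object id outside the AU>"          # warns: 403, out of scope
```

Two things to verify after running this: the helpdesk user should see exactly one assignment in step 5 with a directoryScopeId of the AU, not "/", and a read against a device that is not an AU member must fail with 403. If the second read succeeds, the user holds another role (for example Cloud Device Administrator at tenant scope) that bypasses the AU boundary.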