Windows LAPS Azure AD Custom Role and Administrative Units

Niklas Tinner
Apr 28, 2023

If you are looking for a way to granularly control access to LAPS local admin passwords, you should consider Azure Administrative Units.

How it works

You can collect users, groups and devices into a virtual container, called Administrative Unit (AU).

Members can be assigned manually, but an AU can also use dynamic membership rules for users or devices (Dynamic User/Device).

(Screenshot: Administrative Unit)

Within the AU you can add roles and administrators. All of these assignments are effective only for the users, groups and devices that are members of that Administrative Unit.

(Screenshot: Roles and administrators)

For example, a Cloud Device Administrator assigned in the AU "Switzerland" can only retrieve the LAPS password for devices that are members of the AU "Switzerland".

Custom Azure AD role for LAPS

You can build a custom Azure AD role with the following permission paths:

"microsoft.directory/deviceLocalCredentials/standard/read"

"microsoft.directory/deviceLocalCredentials/password/read"

(Screenshots: Create custom role; Permissions)

The role can be added to Privileged Identity Management (PIM), but not with the Administrative Unit scope.
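The two steps above (custom role with the two LAPS permission paths, then an assignment bound to one AU) as an added Microsoft Graph PowerShell example; this is not code from the original post. It assumes the Microsoft.Graph modules are installed, an AU named "Switzerland" exists, and a placeholder group object ID is replaced with the real group that should read the passwords.

```powershell
# Added example (not from the original post): create the custom LAPS password-reader
# role and scope its assignment to a single Administrative Unit.
# Assumptions: Microsoft.Graph modules installed, AU named "Switzerland",
# $readerGroupId replaced with the object ID of the group that should hold the role.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All"

$readerGroupId = "<object-id-of-LAPS-reader-group>"   # placeholder, replace before running

# 1. Custom directory role carrying only the two LAPS permission paths from the post.
$roleDefinition = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName "LAPS Password Reader" `
    -Description "Read Windows LAPS local admin passwords; scope is set per assignment" `
    -IsEnabled `
    -RolePermissions @(
        @{
            AllowedResourceActions = @(
                "microsoft.directory/deviceLocalCredentials/standard/read",
                "microsoft.directory/deviceLocalCredentials/password/read"
            )
        }
    )

# 2. Resolve the Administrative Unit that should bound the assignment.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Switzerland'"
if (-not $au) { throw "Administrative Unit 'Switzerland' not found" }

# 3. Assign the role with the AU as directory scope. Outside this AU the
#    permissions grant nothing, which is the least-privilege point of the post.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $readerGroupId `
    -RoleDefinitionId $roleDefinition.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment of this role must carry an AU scope,
#    never the tenant-wide scope "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Re-run step 4 periodically: an assignment of this role whose DirectoryScopeId is "/" would expose every device's LAPS password, so it is worth alerting on.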
