Windows LAPS Azure AD and Administrative Units


If you are looking for a way to granularly control access to LAPS local admin passwords, you should consider Azure Administrative Units.

How it works

You can collect users, groups and devices into a virtual container called an Administrative Unit (AU).

The membership type can be Assigned, but also Dynamic User or Dynamic Device.

Administrative Unit

Here you can add Roles and administrators. All these assignments are only effective for the users, groups and devices in the Administrative Unit.

Roles and administrators

Now, for example, a Cloud Device Administrator in the AU Switzerland can only retrieve the LAPS passwords for the devices that are in the AU Switzerland.
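
The setup described above can also be scripted. The following is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK; the device rule and the administrator UPN are placeholder assumptions, and only the AU name "Switzerland" and the role name come from the text.

```powershell
# Added example; requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# Assumptions (placeholders, not values from the post):
$adminUpn   = 'helpdesk.ch@contoso.example'             # hypothetical administrator
$deviceRule = '(device.displayName -startsWith "CH-")'  # hypothetical naming convention

# 1. Create the AU with Dynamic Device membership.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'Switzerland'
    description                   = 'Devices whose LAPS passwords the Swiss team may read'
    membershipType                = 'Dynamic'
    membershipRule                = $deviceRule
    membershipRuleProcessingState = 'On'
}

# 2. Resolve the role definition and the administrator account.
$role  = Get-MgRoleManagementDirectoryRoleDefinition `
             -Filter "displayName eq 'Cloud Device Administrator'"
$admin = Get-MgUser -UserId $adminUpn

# 3. Assign the role scoped to the AU instead of the whole tenant ('/').
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $admin.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Check: a tenant-wide assignment of the same role would bypass the AU scope.
$tenantWide = Get-MgRoleManagementDirectoryRoleAssignment `
                  -Filter "principalId eq '$($admin.Id)'" |
              Where-Object { $_.RoleDefinitionId -eq $role.Id -and
                             $_.DirectoryScopeId -eq '/' }
if ($tenantWide) {
    Write-Warning "$adminUpn also holds '$($role.DisplayName)' tenant-wide; AU scoping has no effect."
}

# 5. List the devices in scope (dynamic rules can take a while to evaluate).
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties.displayName } }
```

Step 4 is the check worth repeating during access reviews: AU scoping only limits LAPS password retrieval if the same principal does not also hold the role at directory scope.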