PowerShell module for retrieving and managing Microsoft LAPS (Local Administrator Password Solution) credentials from Entra ID devices via Microsoft Graph API. Features an interactive TUI for device search, password retrieval, clipboard copy, and on-demand password rotation. Browser-based authentication with optional custom app registration support. Cross-platform compatible with Windows, macOS, and Linux. Just run Start-LAPS — works out of the box with no configuration, or bring your own app registration for full control.
- Device Search: Search Entra ID devices by name with real-time results
- Password Retrieval: Retrieve LAPS local admin credentials via the Microsoft Graph `/directory/deviceLocalCredentials` endpoint
- Clipboard Copy: Copy passwords to clipboard with `Ctrl+C` directly from the result screen
- On-Demand Rotation: Trigger immediate LAPS password rotation for Intune-managed devices
- Interactive TUI: Arrow-key navigation, dynamic control bar, and inline prompts
- Browser Authentication: Secure MSAL-based browser authentication with branded success/error pages
- Persistent Configuration: Save custom app registration credentials as environment variables
- Cross-Platform: Works on Windows, macOS, and Linux
- Auto-Dependencies: Automatically installs required MSAL libraries on first run
- Scope Validation: JWT token inspection warns immediately if required permissions are missing
```powershell
Install-Module -Name Intune-LAPS -Repository PSGallery
# or, with PSResourceGet:
Install-PSResource -Name Intune-LAPS -Repository PSGallery
```

Coming Soon: This module will be published to the PowerShell Gallery shortly.
```powershell
Start-LAPS
```

That's it! The tool will:
- Check prerequisites and load MSAL libraries
- Open your browser for authentication
- Present a search prompt for device names
- Display LAPS credentials with options to copy or rotate
The module requires an Entra ID app registration with specific delegated permissions. The default Microsoft public client ID may not have `DeviceLocalCredential.Read.All` pre-consented in your tenant, so a custom app registration is recommended.
- Go to Microsoft Entra ID > App registrations > New registration
- Name it something like `LAPS-PowerShell`
- Under Authentication:
  - Platform: Mobile and desktop applications
  - Redirect URI: `http://localhost`
  - Allow public client flows: Yes
- Under API permissions, add the following Delegated permissions:

| Permission | Purpose |
|---|---|
| `Device.Read.All` | Search and read device information |
| `DeviceLocalCredential.Read.All` | Retrieve LAPS passwords |
| `DeviceManagementManagedDevices.PrivilegedOperations.All` | Rotate LAPS passwords (optional) |
- Click Grant admin consent for your organization
Note: `DeviceLocalCredential.Read.All` requires admin consent. Without it, authentication will succeed but password retrieval will fail. The tool validates granted scopes after login and warns if this permission is missing.

Note: The rotation permission (`DeviceManagementManagedDevices.PrivilegedOperations.All`) is only required if you want to trigger on-demand password rotation. It uses the Intune beta API endpoint.
Configure your app registration once and use `Start-LAPS` without parameters going forward:

```powershell
# Configure once
Configure-LAPS
```

You'll be prompted to enter your Client ID and Tenant ID. These are saved as environment variables so they persist across PowerShell sessions; how they are persisted depends on the platform:

On Windows: Saved to user-level environment variables automatically.

On macOS: You'll be offered the option to add the configuration to your PowerShell profile for persistence.

After configuration:

```powershell
Start-LAPS
```

To remove the saved configuration:

```powershell
Clear-LAPSConfig
```

For temporary use of a custom app registration (single session only):
```powershell
Start-LAPS -ClientId "<your-client-id>" -TenantId "<your-tenant-id>"
```

| Command | Description |
|---|---|
| `Start-LAPS` | Launch the LAPS password retrieval TUI |
| `Configure-LAPS` | Set up persistent custom app registration configuration |
| `Clear-LAPSConfig` | Remove saved configuration and return to default auth |
| `Get-LAPSHelp` | Display comprehensive help and command reference |
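The per-platform persistence that `Configure-LAPS` and `Clear-LAPSConfig` perform (user-level environment variables on Windows, the PowerShell profile on macOS/Linux) can be reproduced with plain PowerShell. The following is an added example, not the module's own implementation; the variable names `LAPS_CLIENT_ID` and `LAPS_TENANT_ID` are assumed for illustration.

```powershell
# Added example, not the module's Configure-LAPS/Clear-LAPSConfig: persist a custom
# app registration across sessions. The variable names LAPS_CLIENT_ID and LAPS_TENANT_ID
# are assumptions for illustration.
function Save-LAPSConfigExample {
    param(
        # Client IDs are GUIDs; the tenant may be a GUID or a verified domain name. The patterns also
        # keep quotes and newlines out of the values, which matters once they are written to $PROFILE.
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F-]{36}$')][string]$ClientId,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-zA-Z.-]+$')][string]$TenantId
    )
    $values = [ordered]@{ LAPS_CLIENT_ID = $ClientId; LAPS_TENANT_ID = $TenantId }
    foreach ($name in $values.Keys) {
        Set-Item -Path "Env:$name" -Value $values[$name]          # current session, every platform
        if ($IsWindows) {
            # Written to HKCU\Environment, so new PowerShell sessions see it without a profile change.
            [Environment]::SetEnvironmentVariable($name, $values[$name], 'User')
        }
    }
    if ($IsWindows) { return }
    # On macOS/Linux .NET silently ignores the 'User' scope, so persist via the profile instead,
    # replacing earlier lines for the same variables rather than appending duplicates.
    if (-not (Test-Path $PROFILE)) { New-Item -Path $PROFILE -ItemType File -Force | Out-Null }
    $kept  = @(Get-Content $PROFILE | Where-Object { $_ -notmatch '^\$env:LAPS_(CLIENT|TENANT)_ID\s*=' })
    $lines = $kept + @($values.Keys | ForEach-Object { "`$env:$_ = '$($values[$_])'" })
    Set-Content -Path $PROFILE -Value $lines
}

function Clear-LAPSConfigExample {
    foreach ($name in 'LAPS_CLIENT_ID', 'LAPS_TENANT_ID') {
        Remove-Item -Path "Env:$name" -ErrorAction SilentlyContinue
        if ($IsWindows) { [Environment]::SetEnvironmentVariable($name, $null, 'User') }   # $null deletes it
    }
    if (-not $IsWindows -and (Test-Path $PROFILE)) {
        Set-Content -Path $PROFILE -Value @(Get-Content $PROFILE | Where-Object { $_ -notmatch '^\$env:LAPS_(CLIENT|TENANT)_ID\s*=' })
    }
}
```

The input validation is the point to keep: values written into `$PROFILE` are later dot-sourced as code, so a client or tenant ID containing a quote or newline would become a profile injection rather than a configuration value.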
| Shortcut | Action |
|---|---|
| Type | Enter device name |
| ENTER | Search |
| ESC | Back / Exit |
| Ctrl+Q | Disconnect and exit |
| Shortcut | Action |
|---|---|
| ↑/↓ | Navigate device list |
| ENTER | Select device |
| ESC | Back to search |
| Ctrl+Q | Disconnect and exit |
| Shortcut | Action |
|---|---|
| Ctrl+C | Copy password to clipboard |
| R | Rotate password (with Y/N confirmation) |
| S | New search |
| ESC | Back to search |
| Ctrl+Q | Disconnect and exit |
The module uses MSAL (Microsoft Authentication Library) for browser-based interactive authentication. On launch, it:
- Loads MSAL assemblies from the local NuGet cache or falls back to the Az.Accounts module
- Compiles a C# helper class (`LAPSBrowserAuth`) for browser-based token acquisition
- Opens your default browser for sign-in with a branded success/error page
- Acquires a delegated access token with the required Graph scopes
- Validates the JWT token to confirm all required scopes were granted
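The scope check in the last step comes down to reading the `scp` claim of the delegated token. The block below is an added example, not the module's own validation code; it decodes the JWT payload segment and reports the required and optional Graph scopes that are absent, using a constructed, unsigned sample token so it runs offline.

```powershell
# Added example, not the module's own code: parse the JWT payload of a delegated
# access token and report which required Graph scopes are absent from its 'scp' claim.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop padding; restore both before decoding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-LAPSTokenScopes {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$RequiredScopes = @('Device.Read.All', 'DeviceLocalCredential.Read.All'),
        [string[]]$OptionalScopes = @('DeviceManagementManagedDevices.PrivilegedOperations.All')
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWS token (header.payload.signature).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Delegated tokens list granted scopes space-separated in 'scp'; app-only tokens use 'roles'
    # instead, and a token without 'scp' cannot drive this tool's delegated calls at all.
    $granted  = if ($claims.scp) { @($claims.scp -split ' ') } else { @() }
    $missing  = @($RequiredScopes | Where-Object { $_ -notin $granted })
    $noRotate = @($OptionalScopes | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience        = $claims.aud
        Granted         = $granted
        MissingRequired = $missing
        RotationMissing = $noRotate
        Ok              = ($missing.Count -eq 0)
    }
}

# Constructed sample token: unsigned, with a payload that lacks DeviceLocalCredential.Read.All.
$samplePayload = @{ aud = 'https://graph.microsoft.com'; scp = 'Device.Read.All User.Read openid' } | ConvertTo-Json -Compress
$sampleToken   = '{0}.{1}.not-a-real-signature' -f (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'), (ConvertTo-Base64Url $samplePayload)

$result = Test-LAPSTokenScopes -AccessToken $sampleToken
if (-not $result.Ok) {
    Write-Warning ("Missing delegated scopes: {0}. Authentication succeeded but password retrieval will fail." -f ($result.MissingRequired -join ', '))
}
if ($result.RotationMissing) { Write-Warning 'Rotation scope not granted; on-demand rotation will be unavailable.' }
```

This inspects claims only; it does not verify the signature, and Microsoft Graph access tokens are issued for Graph to validate rather than for clients to parse, so treat the result as an early warning about consent, not as an authorization decision. The authoritative answer is still the 403 Graph returns on the credential call.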
Searches use the Microsoft Graph `/v1.0/devices` endpoint with a `startsWith` filter on `displayName`. This is an advanced query, so the request must send the `ConsistencyLevel: eventual` header and the `$count=true` parameter.

LAPS credentials are retrieved in two steps:

- Lookup: `GET /v1.0/directory/deviceLocalCredentials?$filter=deviceName eq '{name}'` finds the credential info object by device name
- Retrieve: `GET /v1.0/directory/deviceLocalCredentials/{id}?$select=credentials` fetches the actual password data

The password is returned as a base64-encoded string and decoded (UTF-8) for display.

Important: The endpoint path must include `/directory/`. The beta endpoint and non-directory variants return errors.
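The search and the two-step retrieval above, written out as plain `Invoke-RestMethod` calls. This is an added example, not the module's code; it assumes `$AccessToken` already holds a delegated Graph token with `Device.Read.All` and `DeviceLocalCredential.Read.All`, and it goes slightly beyond the text by picking the newest entry when the `credentials` array contains password history.

```powershell
# Added example, not the module's own code. Assumes $AccessToken is a delegated Graph
# token carrying Device.Read.All and DeviceLocalCredential.Read.All.
$GraphBase = 'https://graph.microsoft.com'

function Get-GraphHeader {
    param([Parameter(Mandatory)][string]$AccessToken, [switch]$AdvancedQuery)
    $h = @{ Authorization = "Bearer $AccessToken" }
    # Advanced queries ($count, certain $filter forms) are rejected without this header.
    if ($AdvancedQuery) { $h['ConsistencyLevel'] = 'eventual' }
    return $h
}

function Find-LAPSDevice {
    param([Parameter(Mandatory)][string]$AccessToken, [Parameter(Mandatory)][string]$NamePrefix)
    # Double any single quote so user input cannot break out of the OData string literal.
    $q = $NamePrefix.Replace("'", "''")
    $uri = "$GraphBase/v1.0/devices?`$filter=startsWith(displayName,'$q')&`$count=true&`$select=id,deviceId,displayName,operatingSystem,trustType"
    $page = Invoke-RestMethod -Uri $uri -Headers (Get-GraphHeader $AccessToken -AdvancedQuery)
    return $page.value
}

function Get-LAPSPassword {
    param([Parameter(Mandatory)][string]$AccessToken, [Parameter(Mandatory)][string]$DeviceName)
    $headers = Get-GraphHeader $AccessToken
    $q = $DeviceName.Replace("'", "''")
    # Step 1: exact-name lookup of the credential-info object (path must contain /directory/).
    $lookup = Invoke-RestMethod -Uri "$GraphBase/v1.0/directory/deviceLocalCredentials?`$filter=deviceName eq '$q'" -Headers $headers
    if (-not $lookup.value) { throw "No LAPS backup in Entra ID for '$DeviceName' (not LAPS-enabled, not backed up yet, or name mismatch)." }
    $info = $lookup.value[0]
    # Step 2: the password material is only returned when explicitly selected.
    $detail = Invoke-RestMethod -Uri "$GraphBase/v1.0/directory/deviceLocalCredentials/$($info.id)?`$select=credentials" -Headers $headers
    # 'credentials' may contain history; the newest backup is the password currently valid on the device.
    $latest = $detail.credentials | Sort-Object { [datetime]$_.backupDateTime } -Descending | Select-Object -First 1
    if (-not $latest) { throw "Credential object for '$DeviceName' exists but contains no password entries." }
    [pscustomobject]@{
        DeviceName     = $info.deviceName
        AccountName    = $latest.accountName
        BackupDateTime = $latest.backupDateTime
        Password       = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($latest.passwordBase64))
    }
}

# Usage: search, retrieve the first match, and copy the password without echoing it to the console.
# $found = Find-LAPSDevice -AccessToken $AccessToken -NamePrefix 'LAPTOP-'
# $cred  = Get-LAPSPassword -AccessToken $AccessToken -DeviceName $found[0].displayName
# Set-Clipboard -Value $cred.Password
```

Two details worth keeping in any reimplementation: the single-quote doubling stops a device name from altering the OData filter, and the credential is read into a variable rather than printed, because every LAPS password read is audited and a password echoed to a transcript or terminal scrollback outlives the rotation that was supposed to retire it.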
On-demand rotation uses the Intune beta API:

- Lookup: `GET /v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{name}'` resolves the Intune managed device ID
- Rotate: `POST /beta/deviceManagement/managedDevices/{id}/rotateLocalAdminPassword` triggers rotation
The new password is generated on the device and backed up to Entra ID on its next check-in. The old password remains valid until rotation completes.
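Because rotation completes asynchronously on the device, a script that rotates and then immediately reads the password back gets the old one. The block below is an added example, not the module's code: it performs the lookup and POST described above and then polls the credential-info object until a newer backup appears. It assumes the token also carries `DeviceManagementManagedDevices.PrivilegedOperations.All`, and it relies on the `lastBackupDateTime` property of the credential-info object advancing once the rotated password reaches Entra ID.

```powershell
# Added example, not the module's own code. Assumes the token also carries
# DeviceManagementManagedDevices.PrivilegedOperations.All and that the credential-info
# object's lastBackupDateTime advances once the rotated password reaches Entra ID.
$GraphBase = 'https://graph.microsoft.com'

function Invoke-LAPSRotation {
    param([Parameter(Mandatory)][string]$AccessToken, [Parameter(Mandatory)][string]$DeviceName)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $q = $DeviceName.Replace("'", "''")
    # Resolve the Intune managed-device id; devices not enrolled in Intune simply do not appear here.
    $lookup = Invoke-RestMethod -Uri "$GraphBase/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$q'&`$select=id,deviceName,lastSyncDateTime" -Headers $headers
    if (-not $lookup.value) { throw "'$DeviceName' is not an Intune managed device; Graph cannot rotate its password." }
    $device = $lookup.value[0]
    # The action is asynchronous: Graph accepts the request and the device rotates on its next check-in.
    Invoke-RestMethod -Method Post -Uri "$GraphBase/beta/deviceManagement/managedDevices/$($device.id)/rotateLocalAdminPassword" -Headers $headers | Out-Null
    return $device
}

function Wait-LAPSBackup {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][datetime]$RequestedAt,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 60
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $q = $DeviceName.Replace("'", "''")
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $info = (Invoke-RestMethod -Uri "$GraphBase/v1.0/directory/deviceLocalCredentials?`$filter=deviceName eq '$q'" -Headers $headers).value | Select-Object -First 1
        if ($info -and ([datetime]$info.lastBackupDateTime).ToUniversalTime() -gt $RequestedAt.ToUniversalTime()) {
            return $info   # a fresh backup exists; fetch it with the two-step read shown earlier
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "No new LAPS backup for '$DeviceName' within $TimeoutMinutes minutes; the previous password is still the one in force."
}

# Usage:
# $requestedAt = Get-Date
# $dev = Invoke-LAPSRotation -AccessToken $AccessToken -DeviceName 'LAPTOP-0001'
# Wait-LAPSBackup -AccessToken $AccessToken -DeviceName $dev.deviceName -RequestedAt $requestedAt
```

The timeout matters operationally: a device that is offline will not check in, so the rotation request stays pending and the password you already retrieved remains valid for exactly that long. Treat a timeout as "credential still live", not as "rotation failed".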
- PowerShell 7.0+
- MSAL Libraries (auto-resolved from one of):
  - Local NuGet cache (`~/.nuget/packages/microsoft.identity.client`)
  - Az.Accounts module (auto-installed if needed)
- Entra ID App Registration with admin-consented delegated permissions
- LAPS configured on target devices (Windows LAPS backed up to Entra ID)
- Intune enrollment (only required for password rotation)
Password retrieval fails after a successful sign-in (or the post-login scope check warns): your app registration is missing the `DeviceLocalCredential.Read.All` delegated permission, or admin consent has not been granted. Add the permission in the Azure portal and click Grant admin consent.

No LAPS credentials are found for a device:
- The device may not have LAPS configured
- LAPS credentials have not been backed up to Entra ID yet
- The device name doesn't match exactly

Rotation is refused: password rotation requires the device to be enrolled in Microsoft Intune. Hybrid Azure AD joined devices managed only by on-premises Active Directory cannot be rotated through the Graph API.

Graph returns an authorization error: your account does not have sufficient permissions. Ensure:
- The app registration has the correct delegated permissions
- Admin consent has been granted
- Your user account has the appropriate Entra ID role (e.g., Cloud Device Administrator)

Search returns no results for a device you know exists: the search uses `startsWith` matching on device display names. Ensure you're typing the beginning of the device name, not a substring from the middle.
LAPS, Entra, Azure, Identity, Security, MicrosoftGraph, LocalAdmin, Password, CrossPlatform, TUI, Intune, PowerShell