Role based access controls for LAPS and viewing in Intune.

HyperSnorlax 20 Reputation points
2024-08-22T08:35:30.6966667+00:00

Hello,

I've created a new role in Entra and assigned it the following permission:

microsoft.directory/deviceLocalCredentials/password/read

This new role has been granted to various users.

I expected this to enable the "Local Admin Password" page within Intune, but it remains greyed out. However, you can manually access the page by modifying the URL from:

https://intune.microsoft.com/#view/Microsoft_Intune_Devices/DeviceSettingsMenuBlade/~/overview/mdmDeviceId/DEVICEID

to:

https://intune.microsoft.com/#view/Microsoft_Intune_Devices/DeviceSettingsMenuBlade/~/localAdminPassword/mdmDeviceId/DEVICEID

Is this the intended behaviour?


Accepted answer
  1. Raja Pothuraju 7,135 Reputation points Microsoft Vendor
    2024-09-07T00:21:35.45+00:00

    Hello @HyperSnorlax,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Unable to access LAPS password

    Solution: To use device action, your account must have the following Intune permission:

    Managed devices: Read

    Organization: Read

    Created custom role on Intune to set Rotate Local Admin Password to “yes”.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,
    Raja Pothuraju.


2 additional answers

  1. HyperSnorlax 20 Reputation points
    2024-08-23T08:07:47.7666667+00:00

    Sure, I have created a role in entra.microsoft.com and given it the permission

    microsoft.directory/deviceLocalCredentials/password/read

    As shown above. When a user with this role visits the Intune portal and looks at a device, the Local admin password option is grey.

    But changing the URL as shown below will allow you to view the password.


    As the permission has been granted to view the LAPS password, I would expect the Local admin password link to be live and not grey.


  2. HyperSnorlax 20 Reputation points
    2024-09-05T10:25:36.9333333+00:00

    This is now resolved; additional role permissions were required within Intune:

    Managed devices | Read

    Organization | Read

    Remote tasks | Rotate Local Admin Password

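Added example (not from the thread or from Microsoft): a small audit that checks a role assignment against the combination this thread found necessary, the Entra directory action from the question plus the three Intune RBAC permissions from the resolution. The input shape mirrors what Microsoft Graph returns for `/deviceManagement/roleDefinitions`; the Intune resource-action identifiers and the sample role are assumptions, not values taken from the page.

```python
"""Check whether a set of Entra directory actions and Intune role definitions
covers everything this thread needed for the "Local admin password" blade."""
from typing import Iterable

# Directory action on the Entra custom role (quoted in the question).
ENTRA_LAPS_READ = "microsoft.directory/deviceLocalCredentials/password/read"

# Intune RBAC resource actions. The Graph identifier strings are assumed;
# the three labels are the permissions listed in the resolution.
INTUNE_REQUIRED = {
    "Managed devices: Read": "Microsoft.Intune_ManagedDevices_Read",
    "Organization: Read": "Microsoft.Intune_Organization_Read",
    "Remote tasks: Rotate Local Admin Password":
        "Microsoft.Intune_RemoteTasks_RotateLocalAdminPassword",
}


def intune_actions(role_definition: dict) -> set[str]:
    """Flatten a Graph roleDefinition (rolePermissions -> resourceActions ->
    allowedResourceActions) into the set of actions it grants."""
    allowed: set[str] = set()
    for perm in role_definition.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            allowed.update(ra.get("allowedResourceActions", []))
    return allowed


def laps_blade_gaps(entra_actions: Iterable[str], intune_roles: list[dict]) -> list[str]:
    """Return readable names of the permissions still missing; an empty list
    means the assignment matches the combination that resolved the thread."""
    gaps = []
    if ENTRA_LAPS_READ not in set(entra_actions):
        gaps.append("Entra: deviceLocalCredentials/password/read")
    granted = set().union(*(intune_actions(r) for r in intune_roles))
    for label, action in INTUNE_REQUIRED.items():
        if action not in granted:
            gaps.append("Intune: " + label)
    return gaps


# Constructed sample of the custom Intune role added in the resolution.
LAPS_ROLE = {
    "displayName": "LAPS password readers",
    "rolePermissions": [{"resourceActions": [
        {"allowedResourceActions": list(INTUNE_REQUIRED.values())}]}],
}

if __name__ == "__main__":
    # First attempt from the question (Entra role only) versus the fixed state.
    print("Entra only ->", laps_blade_gaps([ENTRA_LAPS_READ], []))
    print("Entra + Intune ->", laps_blade_gaps([ENTRA_LAPS_READ], [LAPS_ROLE]))
```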
