Retrieving Windows LAPS Azure AD Passwords with PowerShell

Nicola
3 min readMay 10, 2023


Did you know that with the new Windows LAPS, Azure AD also maintains the password history of a device? The built-in PowerShell cmdlet relies on the Microsoft Graph PowerShell SDK, and in this post I want to show you how to work with the Get-LapsAADPassword cmdlet.

Kudos to Niklas Tinner, who brought this to my attention while we were working together.

Where is this command originating from?

The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows operating system with the April 2023 quality updates.

The module is serviced as part of the operating system and provides the interface for interacting with Windows LAPS locally on a device. The module binaries reside in C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS and consist of DLLs and PowerShell files:

Windows LAPS PowerShell module binaries

Let’s retrieve some passwords

Before we can start retrieving passwords we need to make sure that the Microsoft Graph PowerShell SDK authentication module (Microsoft.Graph.Authentication) is present, because Get-LapsAADPassword relies on it.

We can check this with the following PowerShell command:

Get-Module -Name Microsoft.Graph.Authentication -ListAvailable

If you do not get any output, install the module from the PowerShell Gallery. Installing it for all users requires local Administrator privileges; adding -Scope CurrentUser installs it into your own profile without them:

Install-Module -Name Microsoft.Graph.Authentication

Afterwards we need to connect to Microsoft Graph (that is, request an access token for the API) with the right OAuth 2.0 scope so that we are allowed to read the LAPS passwords stored in Azure AD. DeviceLocalCredential.Read.All grants access to the passwords themselves; DeviceLocalCredential.ReadBasic.All only returns the metadata (device, update and expiration time) without the password. Independently of the scope, the signed-in account also needs an Azure AD role that may read local administrator passwords (Global Administrator, Cloud Device Administrator or Intune Administrator). -ContextScope Process keeps the token in the current PowerShell process instead of caching it on disk for the user. To do so, we can use the following command:

Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All" -ContextScope Process

Afterwards we are asked to consent to the requested OAuth 2.0 scope. Whether you can consent yourself depends on the user consent settings of your tenant; otherwise an administrator (for example someone holding the Application Administrator role) has to grant admin consent first:

Consent request

To query the clear-text password for a device, call the following cmdlet:

Get-LapsAADPassword -DeviceIds NT-699549436914 -IncludePasswords -AsPlainText

The -DeviceIds parameter accepts both device display names and Azure AD device IDs. Be careful with display names if your Azure AD tenant contains duplicate device names; the ID is unambiguous. Without -AsPlainText the Password property comes back as a SecureString, and -IncludePasswords is what actually requests the password (leave it out and you only get the metadata). Keep in mind that plain-text output ends up in transcripts and console history.

By adding the -IncludeHistory parameter we also receive the password history for the specified device:

Get-LapsAADPassword with the password history
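As an added example that is not part of the original post, the following script chains the steps above (checking for the modules, signing in, verifying the granted scope, resolving the device and querying LAPS) into one run and fails loudly on a duplicate display name instead of trusting a name lookup. It assumes the built-in LAPS module from the April 2023 update, the Microsoft.Graph.Authentication module from the PowerShell Gallery and, for the duplicate-name check only, the Device.Read.All scope together with the /v1.0/devices endpoint of Microsoft Graph; the parameter names of the script and its checks are this example's own, not the cmdlet's. The device name NT-699549436914 is the one used in the post.

```powershell
# Added example (not from the original post). Usage:
#   .\Get-DeviceLapsPassword.ps1 -DeviceName NT-699549436914 -IncludeHistory -PlainText
#Requires -Version 5.1
[CmdletBinding()]
param(
    # Azure AD device display name to look up.
    [Parameter(Mandatory)]
    [string]$DeviceName,

    # Also return the previous passwords (maps to -IncludeHistory).
    [switch]$IncludeHistory,

    # Off by default: without it the Password property stays a SecureString.
    [switch]$PlainText
)

$ErrorActionPreference = 'Stop'

# 1. The LAPS module ships inside Windows (April 2023 update or later); it is not on the Gallery.
if (-not (Get-Module -Name LAPS -ListAvailable)) {
    throw 'Built-in LAPS module not found. Install the April 2023 (or later) cumulative update.'
}

# 2. Get-LapsAADPassword relies on Microsoft.Graph.Authentication.
#    -Scope CurrentUser installs it without local Administrator rights.
if (-not (Get-Module -Name Microsoft.Graph.Authentication -ListAvailable)) {
    Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
}
Import-Module -Name Microsoft.Graph.Authentication
Import-Module -Name LAPS

# 3. Sign in. DeviceLocalCredential.Read.All is needed for the password itself
#    (ReadBasic.All returns only metadata). Device.Read.All is an assumption of
#    this script: it is used for the duplicate-name check in step 4.
$requiredScope = 'DeviceLocalCredential.Read.All'
Connect-MgGraph -Scopes $requiredScope, 'Device.Read.All' -ContextScope Process

# Consent can be declined or trimmed, so verify the token really carries the scope.
if ((Get-MgContext).Scopes -notcontains $requiredScope) {
    throw "Signed in, but the token lacks $requiredScope. Admin consent is probably required."
}

try {
    # 4. Resolve the display name ourselves so an ambiguous name fails instead of
    #    silently returning the wrong device. Single quotes are doubled for the OData filter.
    $escaped = $DeviceName -replace "'", "''"
    $uri = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$escaped'&`$select=id,deviceId,displayName"
    $found = @((Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value)

    if ($found.Count -eq 0) {
        throw "No Azure AD device named '$DeviceName'."
    }
    if ($found.Count -gt 1) {
        $found | Format-Table displayName, deviceId, id -AutoSize | Out-String | Write-Warning
        throw "Multiple devices are named '$DeviceName'. Re-run Get-LapsAADPassword with a device GUID instead of the name."
    }

    # 5. Query LAPS. Splatting keeps the optional switches readable.
    $query = @{
        DeviceIds        = $DeviceName
        IncludePasswords = $true
    }
    if ($IncludeHistory) { $query.IncludeHistory = $true }
    if ($PlainText)      { $query.AsPlainText    = $true }

    # Newest entry first; with -IncludeHistory the older passwords follow.
    Get-LapsAADPassword @query |
        Sort-Object -Property PasswordUpdateTime -Descending |
        Format-Table DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime -AutoSize
}
finally {
    # Drop the token from this process once we are done.
    Disconnect-MgGraph | Out-Null
}
```

The scope check after Connect-MgGraph is the part worth keeping even if you trim the rest: a sign-in that succeeds with fewer scopes than requested is easy to miss, and the first hint is otherwise a 403 from the cmdlet.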

Summary

I hope this quick article taught you something new about Windows LAPS and about how it uses Microsoft Graph PowerShell under the hood. Microsoft provides additional documentation for the LAPS cmdlets on its docs pages.

Happy password (history) retrieval!

P.S.: If you haven’t read the following posts about LAPS you’re definitely missing out:

Written by Nicola

Interested in endpoint management, security, identity and automation. #Intune #AzureAD #Defender #PowerShell #Azure