Did you know that for the new Windows LAPS, Azure AD also maintains the password history? The built-in PowerShell cmdlet relies on the Microsoft Graph PowerShell SDK, and in this post I want to show you how to work with the Get-LapsAADPassword cmdlet.
Kudos to Niklas Tinner as he brought this to my attention while working together.
Where does this command come from?
The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows operating system with the April 2023 quality updates.
The module is maintained as part of the operating system and provides the interface for interacting with Windows LAPS locally on a device. The module binaries reside in C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS and consist of DLLs and PowerShell files.
Let’s retrieve some passwords
Before we can start retrieving passwords we need to make sure that we have the appropriate Microsoft Graph PowerShell SDK module present.
We can easily check this with the following PowerShell command:
Get-Module -Name Microsoft.Graph.Authentication -ListAvailable
If you do not get any output, you need to install the module with local Administrator privileges with:
Install-Module -Name Microsoft.Graph.Authentication
Afterwards, we need to connect to Microsoft Graph (requesting an access token for the API) with the right OAuth 2.0 scopes to ensure we have access to the LAPS passwords stored within Azure AD. To do so, we can use the following command:
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All" -ContextScope Process
Afterwards we are asked to confirm the consent to the OAuth 2.0 scope (this requires the Azure AD application administrator role or might trigger an app consent flow):
To query the clear text password for a device, you can call the following cmdlet:
Get-LapsAADPassword -DeviceIds NT-699549436914 -IncludePasswords -AsPlainText
The -DeviceIds parameter takes both device display names and Azure AD device Ids. But be careful when you have duplicate device names in your Azure AD tenant.
By adding the -IncludeHistory parameter we also receive the password history for the specified device:
Summary
Hoping that with this quick article you learned something new about Windows LAPS and the usage of Microsoft Graph PowerShell under the hood, let's close this article. Microsoft provides additional documentation for the LAPS-related cmdlets within their docs pages.
Happy password (history) retrieval!
P.S.: If you haven’t read the following posts about LAPS you’re definitely missing out: