Configure LAPS in Intune using Microsoft Graph PowerShell

Maybe you are a service provider and find yourself deploying the same configurations over and over again manually. It can be time-consuming and prone to error, especially if the tasks are mundane. The solution is to utilise PowerShell scripting to deploy your configurations for you. A well-written PowerShell script can review and deploy configurations in a fraction of the time it takes to deploy them manually using the equivalent web portals.

In this post I will demonstrate a script I have written to automatically deploy Windows LAPS configurations in Intune with Microsoft Graph PowerShell.

If you haven’t already seen my post detailing how to configure Windows LAPS using Intune manually, check out that post now as it will add perspective to what this post is all about. 

Requirements

The script utilises the Microsoft Graph PowerShell SDK to interact with Microsoft Intune. You must ensure you have the Microsoft.Graph.Authentication module installed. 

Check out my post on How to Install The Microsoft Graph PowerShell modules, or allow the script to find and install the module itself.

You will also need to log in with a Global Administrator account to run the script as you will need to consent to the required Graph API permissions.

Configure Windows LAPS in Intune with Microsoft Graph PowerShell

Access the deployment script from my GitHub: Create-LAPS.ps1. Note: this script will not assign any users or devices to these policies; that must be done manually.

Start by downloading the deployment script and modifying the $accountname variable. This will define the LAPS user to be created and used throughout the script.

[Image: Windows LAPS user account]

The script will process tasks in the following order:

1. Check if the Microsoft.Graph.Authentication module is installed; if not, install it in the current user context.

2. Connect to Microsoft Graph and prompt to consent to the following scopes: Policy.ReadWrite.DeviceConfiguration, DeviceManagementConfiguration.ReadWrite.All.

3. Check if Microsoft Entra LAPS is enabled within the tenant and enable it if not.

4. Create a LAPS account protection policy with the following settings:

Policy name                : Windows LAPS
Backup location            : Microsoft Entra
Password age               : 7 days
Password length            : Not configured (default 14 characters)
Account name               : $accountname
Complexity level           : 4
Post authentication action : Reset password
Post authentication delay  : 1 hour

5. Create a remediation package to upload a pre-set script to create the LAPS user account with the defined username. (This utilises the scripts found in my blog: How to create a local admin account on Windows devices with Intune).

6. Disconnect from Microsoft Graph.
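The six steps above, condensed into one PowerShell script added here as an illustration; it is not the author's Create-LAPS.ps1 from GitHub. It assumes the beta Graph endpoints named in the comments, the LAPS Settings Catalog template id and setting definition ids shown (verify these against your own tenant, for example by reading an existing LAPS policy back from Graph), and it uses short constructed detection and remediation scripts in place of the ones from the linked blog post.

```powershell
# Added example, not the author's Create-LAPS.ps1. Template/setting ids below are assumptions to verify.
$accountname = 'lapsadmin'   # local admin account that LAPS will manage (edit before running)

# 1. Make sure the Graph authentication module is present (current-user scope, no elevation needed)
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication)) {
    Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
}
Import-Module Microsoft.Graph.Authentication

# 2. Sign in with only the two scopes these tasks need; consent is prompted for on first use
Connect-MgGraph -Scopes 'Policy.ReadWrite.DeviceConfiguration','DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# 3. Enable Entra LAPS at tenant level if it is still off (beta deviceRegistrationPolicy resource)
$regPolicyUri = 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$regPolicy    = Invoke-MgGraphRequest -Method GET -Uri $regPolicyUri
if (-not $regPolicy.localAdminPassword.isEnabled) {
    $regPolicy.Remove('@odata.context')                     # do not echo metadata back in the PUT
    $regPolicy.localAdminPassword.isEnabled = $true
    Invoke-MgGraphRequest -Method PUT -Uri $regPolicyUri -Body ($regPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null
    Write-Host 'Entra LAPS enabled'
} else { Write-Host 'Entra LAPS already enabled' }

# 4. Settings Catalog policy for Windows LAPS. Helper builders for the two setting instance shapes.
function New-ChoiceSetting([string]$defId, $choice) {
    @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'
       settingInstance = @{
           '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
           settingDefinitionId = $defId
           choiceSettingValue  = @{
               '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
               value = "${defId}_$choice"; children = @() } } }
}
function New-SimpleSetting([string]$defId, $value) {
    $kind = if ($value -is [int]) { 'Integer' } else { 'String' }
    @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'
       settingInstance = @{
           '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
           settingDefinitionId = $defId
           simpleSettingValue  = @{
               '@odata.type' = "#microsoft.graph.deviceManagementConfiguration${kind}SettingValue"
               value = $value } } }
}
$p = 'device_vendor_msft_laps_policies_'                   # assumed setting definition id prefix
$lapsPolicy = @{
    name         = 'Windows LAPS'
    description  = 'Deployed by script'
    platforms    = 'windows10'
    technologies = 'mdm'
    templateReference = @{ templateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' }  # assumed LAPS template id
    settings = @(
        (New-ChoiceSetting "${p}backupdirectory" 1)               # 1 = back up to Microsoft Entra
        (New-SimpleSetting "${p}passwordagedays_aad" 7)           # rotate every 7 days
        (New-SimpleSetting "${p}administratoraccountname" $accountname)
        (New-ChoiceSetting "${p}passwordcomplexity" 4)            # 4 = upper, lower, digits, specials
        (New-ChoiceSetting "${p}postauthenticationactions" 1)     # 1 = reset password after use
        (New-SimpleSetting "${p}postauthenticationresetdelay" 1)  # 1 hour after authentication
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -Body ($lapsPolicy | ConvertTo-Json -Depth 20) -ContentType 'application/json'
Write-Host "Created LAPS policy $($created.id)"

# 5. Remediation package that creates the account if missing (constructed stand-in scripts).
$detect = "if (Get-LocalUser -Name '$accountname' -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }"
$remediate = @'
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)   # throwaway password; LAPS rotates it
$pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-LocalUser -Name '__ACCOUNT__' -Password $pw -Description 'Managed by Windows LAPS' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member '__ACCOUNT__'
'@ -replace '__ACCOUNT__', $accountname
function ConvertTo-Base64Script([string]$text) { [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($text)) }
$package = @{
    displayName              = "Create $accountname local admin"
    description              = 'Creates the LAPS-managed local administrator if it is missing'
    publisher                = 'Added example'
    runAsAccount             = 'system'
    runAs32Bit               = $false
    enforceSignatureCheck    = $false
    detectionScriptContent   = ConvertTo-Base64Script $detect
    remediationScriptContent = ConvertTo-Base64Script $remediate
}
Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts' -Body ($package | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

# 6. Drop the session so the token is not left cached for the next interactive user
Disconnect-MgGraph | Out-Null
```

Like the author's script, this creates the policy and the remediation package but assigns them to no groups; the detection script exits 0 when the account already exists so the remediation only runs once per device, and the random initial password is replaced by LAPS on the first rotation.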

Once run, the script will work through the tasks in seconds and produce output like the following:

[Image: Intune LAPS script flow]

Wrapping up

This script aims to speed up the deployment of resources in Intune, not necessarily to help you migrate to Windows LAPS. You must still carefully plan your deployment with the customer to cover items such as custom roles, permissions, ownership, and support, whether you are implementing for the first time or migrating from on-premises LAPS.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
