Listen to this Post
Introduction:
Local Administrator Password Solution (LAPS) has long been a cornerstone for rotating and securing local admin credentials on on-premises Windows servers. With the preview of LAPS for Azure Arc, Microsoft extends this critical control to hybrid and multicloud environments, allowing centralized management of local administrator passwords for Arc‑enabled servers – whether they run Windows or Linux. This integration closes a major security gap in hybrid IT, where static local admin passwords often become an overlooked attack vector.
Learning Objectives:
- Understand the architecture and security benefits of LAPS for Azure Arc
- Implement automated local admin password rotation for Arc‑enabled Windows and Linux servers
- Integrate LAPS rotation events with Azure Monitor, Log Analytics, and Key Vault for auditing and threat detection
You Should Know:
- What Is LAPS for Azure Arc and How Does It Work?
LAPS for Azure Arc is a preview feature that centralizes local administrator password management through Azure Resource Manager and Azure Key Vault. For each Arc‑connected server, an extension (the LAPS extension) rotates the local admin password on a defined schedule or on demand, stores the password securely in an Azure Key Vault, and logs all operations in Azure Activity Logs.
Step‑by‑step prerequisites:
- Register your on‑premises or cloud VMs as Azure Arc‑enabled servers (using the Azure Connected Machine agent).
- Assign a managed identity to the Arc server.
- Create an Azure Key Vault with soft‑delete and purge protection enabled.
- Grant the server’s managed identity
get,set, and `list` permissions on Key Vault secrets.
Verify Arc agent installation (Linux/Windows):
Linux azcmagent show Windows (PowerShell as admin) azcmagent.exe show
2. Enabling LAPS on Arc-Enabled Servers
The LAPS extension can be deployed via Azure CLI, PowerShell, or ARM templates. Below are verified commands for both Windows and Linux.
Windows (PowerShell):
$settings = @{
Laps = @{
Mode = "Automatic"
BackupSyncInterval = "P1D"
}
}
Set-AzConnectedMachineExtension -Name "LapsExtension" `
-ResourceGroupName "YourRG" `
-MachineName "YourArcServer" `
-Location "eastus" `
-Publisher "Microsoft.Windows.LAPS" `
-ExtensionType "WindowsLaps" `
-Setting $settings
Linux (Azure CLI):
az connectedmachine extension create \
--name "LapsExtension" \
--resource-group "YourRG" \
--machine-name "YourArcLinuxServer" \
--location "eastus" \
--publisher "Microsoft.Linux.LAPS" \
--type "LinuxLaps" \
--settings '{"Laps":{"Mode":"Automatic","BackupSyncInterval":"P1D"}}'
After deployment, the extension automatically rotates the local admin password every 30 days (default). To trigger an immediate rotation:
Azure CLI
az rest --method post --url "https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.HybridCompute/machines/{serverName}/extensions/LapsExtension/forceRotate?api-version=2023-06-20-preview"
3. Automating Password Rotation with Azure Policy
Use Azure Policy to enforce LAPS deployment on all Arc servers and define rotation frequency.
Built‑in policy: `Configure LAPS on Azure Arc‑enabled servers` – assign it to a subscription or management group.
Custom policy snippet (parameter for rotation days):
"parameters": {
"rotationDays": {
"type": "Integer",
"defaultValue": 30,
"metadata": { "description": "Days between password rotation" }
}
}
Assign the policy via Azure CLI:
az policy assignment create --name "ArcLAPS-Enforce" \
--policy "/providers/Microsoft.Authorization/policyDefinitions/configure-arc-laps" \
--params '{"rotationDays":{"value":14}}'
- Auditing and Securing Local Admin Access with Azure Monitor
All LAPS events (rotation, retrieval, failure) are logged in the Azure Activity Log and, if configured, sent to a Log Analytics workspace.
KQL query to detect abnormal password retrievals:
AzureActivity | where OperationName == "Microsoft.KeyVault/vaults/secrets/read" | where ActivityStatus == "Success" | where Resource contains "laps-password" | project TimeGenerated, Caller, ResourceGroup, CorrelationId | summarize by Caller, bin(TimeGenerated, 1h)
Alert rule (PowerShell):
New-AzScheduledQueryRule -Name "LAPS_Retrieval_Alert" ` -ResourceGroupName "YourRG" ` -Location "eastus" ` -Query "AzureActivity | where OperationName contains 'secrets/read' and Resource contains 'laps'" ` -Frequency 15 -TimeWindow 60 -Threshold 1 -Operator "GreaterThan"
For Windows environments, also monitor the LAPS event log locally:
wevtutil epl "Microsoft-Windows-LAPS/Operational" laps_archive.evtx
On Linux, check the LAPS extension logs:
sudo journalctl -u azcmagent | grep LAPS
- Hardening Cloud and API Security for LAPS Integration
Because LAPS relies on Azure Key Vault and managed identities, secure the API path against privilege escalation and credential theft.
Best practices:
- Enable Azure RBAC (not just Key Vault access policies) with least‑privilege roles: `Key Vault Secrets User` for retrieving passwords, `Key Vault Secrets Officer` for rotation.
- Restrict Key Vault network access to specific Azure services and your on‑premises NAT range.
- Purge LAPS secret versions older than 90 days using a PowerShell automation script:
$secrets = Get-AzKeyVaultSecret -VaultName "YourKV" | Where-Object {$<em>.Name -like "laps-"} foreach ($secret in $secrets) { $versions = Get-AzKeyVaultSecret -VaultName "YourKV" -Name $secret.Name -IncludeVersions $versions | Where-Object {$</em>.Version -ne $secret.Version} | Remove-AzKeyVaultSecret -Force }
6. Troubleshooting Common LAPS Deployment Issues
| Issue | Windows Command | Linux Command |
|-|-||
| Extension not appearing | `Get-AzConnectedMachineExtension -MachineName “server”` | `az connectedmachine extension list –machine-name “server”` |
| Managed identity missing | `az vm identity assign –name “ArcVM” –resource-group “RG”` (if Azure VM) | same CLI |
| Key Vault permission denied | Check role assignment: `az role assignment list –assignee “objectId”` | same CLI |
| Rotation never occurs | View extension logs: `%ProgramData%\GuestConfig\extensionLogs\LapsExtension.log` | `/var/lib/GuestConfig/extensionLogs/LapsExtension.log` |
Force a re‑rotation if the password is compromised before the scheduled interval:
Invoke-AzRestMethod -Path "/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.HybridCompute/machines/{serverName}/providers/Microsoft.Windows.LAPS/lapsConfiguration/rotate" -Method POST
What Undercode Say:
- Key Takeaway 1: LAPS for Azure Arc eliminates static local admin passwords across hybrid fleets – but only if you enforce rotation via Azure Policy and secure Key Vault access with conditional access policies.
- Key Takeaway 2: Combining LAPS with Azure Arc and Defender for Cloud’s just‑in‑time (JIT) access creates a non‑persistent administrative model, severely reducing lateral movement risks.
Analysis: The preview signals Microsoft’s commitment to treating on‑premises and multi‑cloud hosts as first‑class Azure resources. However, security teams must avoid a false sense of safety: the extension still depends on the Azure Connected Machine agent’s identity. If that managed identity is over‑permissioned, an attacker could request the current LAPS password from Key Vault. Regular audits of role assignments and Key Vault diagnostic logs are mandatory. Additionally, Linux support, while listed, lacks feature parity with Windows – for example, no native integration with local `sudo` groups. Expect full Linux hardening in GA.
Prediction: Within 12–18 months, LAPS for Azure Arc will become the de facto standard for hybrid identity security, pushing third‑party PAM solutions to differentiate on adjacent features (e.g., SSH key rotation). We will also see AI‑driven anomaly detection for LAPS retrieval patterns – e.g., “an admin retrieved three LAPS passwords from different Key Vaults in 30 seconds” triggering automatic Azure AD Identity Protection policies. Failure to adopt Arc‑based LAPS will become a high‑severity finding in cloud security benchmarks like CIS and NIST SP 800‑207.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jamesvandenberg Winserv – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
