This article was translated from German with the help of Claude.
Welcome to my next blog article.
You have successfully deployed LAPS (Local Administrator Password Solution) in your environment – an important step toward better security and compliance. But what comes next? Many organizations want to take the next step, this time for convenience: integrating password retrieval into their self-service offering.
In this article, I’ll show you exactly how to do that – using the Microsoft Graph API in combination with a Logic App. This allows you to automate the process and provide your users with a simple, secure way to retrieve the administrator passwords they need on their own.
All you need for this scenario is a Microsoft Forms form and a Logic App.
Step 1 – Trigger #
Every Logic App needs a trigger. In my scenario, I use a Microsoft Forms form where the requesting user enters the required information. The most important piece of information is the name of the device for which the LAPS password is needed.
Additionally, other helpful details can be collected – for example, information relevant to creating a ticket in the IT system. It can also be useful to capture a justification that is subsequently stored in the ticket.
After creating the form, we now integrate it into our Logic App. The first step is to configure the trigger to respond to new form submissions. As soon as a user fills out the form, the Logic App is automatically started.
In the next step, we retrieve the submitted response data. This data forms the basis for all subsequent actions in our workflow. Typically, this includes the device name for which the LAPS password is needed, as well as additional details like a ticket number or justification.
We can then flexibly process this information in the following steps.
Step 2 – Authorize the Managed Identity #
Before we integrate the Graph API calls into our Logic App, we need to ensure that the necessary permissions are in place. For authentication, we use the Logic App’s Managed Identity.
How to enable a Managed Identity for a Logic App and assign permissions to it is described in the official Microsoft documentation. What matters here is that the Logic App’s identity receives the following Microsoft Graph permissions:
- Device.Read.All – to retrieve device information such as the Device ID
- DeviceLocalCredential.Read.All – to read the LAPS passwords
A system-assigned managed identity has no app registration of its own, so there is nothing to consent to in the portal: these are application permissions (Graph app roles) that are assigned directly to the managed identity’s service principal, which is why an administrator who may create app role assignments has to grant them. Only then can the Logic App successfully access the required data.
The following PowerShell script helps you with this (it uses the AzureAD module, which Microsoft has since deprecated in favor of the Microsoft Graph PowerShell SDK; the assignments it creates are the same):

```powershell
# Connect to Azure AD with an account that may create app role assignments
Connect-AzureAD

# Object ID of the Logic App's managed identity (replace the placeholder)
$ServicePrincipalId = "<ID of your managed identity>"

# Service principal of Microsoft Graph, found via its well-known app ID
$GraphResource = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Assign the application role DeviceLocalCredential.Read.All
$Permission = $GraphResource.AppRoles | Where-Object {$_.Value -eq 'DeviceLocalCredential.Read.All'}
New-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipalId -PrincipalId $ServicePrincipalId -Id $Permission.Id -ResourceId $GraphResource.ObjectId

# Assign the application role Device.Read.All
$Permission = $GraphResource.AppRoles | Where-Object {$_.Value -eq 'Device.Read.All'}
New-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipalId -PrincipalId $ServicePrincipalId -Id $Permission.Id -ResourceId $GraphResource.ObjectId
```

Before executing the calls in the Logic App, it may be wise to wait a few minutes or hours until the permissions are fully effective.
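As an added example (not code from the original article), the same two assignments with the Microsoft Graph PowerShell SDK, which is the supported replacement for the retired AzureAD module. It additionally skips roles that are already assigned, so it can be re-run safely, and ends by listing the Graph roles the identity actually holds, which is the check worth doing before you build the Logic App. The object ID is a placeholder; the Microsoft.Graph.Applications module and an account allowed to create app role assignments are assumed.

```powershell
# Added example: assign and verify Graph app roles for a managed identity with the Graph PowerShell SDK.
# Requires the Microsoft.Graph.Applications module and an admin who may create app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$ManagedIdentityObjectId = '<object ID of the Logic App managed identity>'   # placeholder, replace
$RequiredRoles = 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# Microsoft Graph's service principal; its well-known appId is the same value used as the Audience later.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Current assignments, so the script does not fail with "already exists" on a second run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId -All

foreach ($roleValue in $RequiredRoles) {
    # Only application-type roles can be granted to a managed identity.
    $appRole = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $appRole) { throw "App role '$roleValue' not found on Microsoft Graph." }

    if ($existing | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }) {
        Write-Verbose "$roleValue already assigned, skipping" -Verbose
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId `
        -PrincipalId $ManagedIdentityObjectId -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    Write-Verbose "$roleValue assigned" -Verbose
}

# Verify: list the Graph roles the identity now holds, resolved from role IDs back to their names.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId -All |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object { ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

The final listing should show exactly Device.Read.All and DeviceLocalCredential.Read.All; anything more means the identity is over-privileged for this workflow.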
Step 3 – Determine the Device ID #
To retrieve the LAPS password for a specific device via the Microsoft Graph API, we first need the Device ID. This ID is the unique key that the API expects for accessing the local administrator credentials.
Since we currently only have the device name, we first need to resolve it to the corresponding Device ID. To do this, we execute a GET request against the devices endpoint, passing the dynamic value from Forms as the filter value:
https://graph.microsoft.com/v1.0/devices?$filter=displayName eq '<dynamic content: Forms Device Name>'
Make sure you use both the correct URI and the right HTTP method (GET). To insert the dynamic value from the Microsoft Forms form, you can use the “/” shortcut, which opens a selection menu showing all available dynamic content. Because the device name is typed by the requester and lands inside an OData $filter, double any single quote in it (OData escapes ' as '') before inserting it, for example with the replace() expression function; otherwise a name containing a quote breaks the filter or changes its meaning.
Finally, it is crucial to configure the correct authentication. For this, we use the Managed Identity created at the beginning.
In the HTTP action, select Managed Identity as the authentication type. The Audience field must be set to:
00000003-0000-0000-c000-000000000000
This value is the application ID of Microsoft Graph and is required for the Logic App to obtain a token for the API calls.
The API call returns a JSON response that we need to prepare for further processing. For this, we use the “Parse JSON” action in the Logic App.
- In the Content field, we specify the dynamic value Body from the previous HTTP call.
- Then we provide the matching schema (the simplest way is “Use sample payload to generate schema” with a response captured in Graph Explorer) so that the Logic App knows the structure of the response, allowing us to reference individual values in the next steps; here, the deviceId of the returned device.
We have now determined the required Device ID from the specified device name. Two details matter here: the value to carry forward is the deviceId property of the device object (the Entra device ID), not its directory object id, because that is what the deviceLocalCredentials endpoint expects; and since display names are not unique, the value array may contain several devices, so check its length and decide whether the workflow should pick one entry or stop with an error.
Step 4 – Retrieve the LAPS password #
With the determined Device ID, we can now retrieve the LAPS password. To do this, we execute another Graph API call that uses the Device ID as a parameter.
The corresponding endpoint is:
https://graph.microsoft.com/beta/directory/deviceLocalCredentials/<dynamic Device ID>?$select=credentials
(the same resource is also available on the v1.0 endpoint). Additionally, this endpoint requires three request headers for the call to be processed correctly:
- User-Agent = Dsreg/10.0 (Windows 10.0.19043.1466)
- ocp-client-name = My Friendly Client
- ocp-client-version = 1.2
Don’t forget to configure the correct authentication again at the end – as described above, via the Managed Identity with the corresponding Audience value for Microsoft Graph.
Depending on the LAPS configuration and the set password validity period, the API call may return multiple valid passwords. For this reason, the Logic App automatically creates a “For Each” loop at this point to process all returned entries.
Note: To ensure you use the most current password, check the backupDateTime field of each entry in the credentials array. Sort the entries by this value and select the password with the most recent timestamp. In the Logic App, you can implement this with a “Select” action followed by the sort() expression function; keep in mind that sort() orders ascending, so the newest entry is the last element (or reverse the sorted collection and take the first), not the first element.
Step 5 – Deliver the password to the user #
Now that we have successfully retrieved the password, we of course need to deliver it to the user. In my example, I use Microsoft Teams and send a chat message to the user who submitted the form via the Flow Bot. This requires an additional account to establish a Teams connection. Alternatively, a ticketing system or other tool can be used for this purpose.
The name of the local administrator account comes from the same Graph response: each entry in the credentials array carries an accountName alongside passwordBase64 and backupDateTime, so it can be inserted into the message as dynamic content.
The password returned by the Graph API is Base64-encoded. Before we display it in the message, we need to decode it. In the Logic App, this is easily done using the decodeBase64() function:
decodeBase64(item()?['passwordBase64'])
This ensures that the user receives the password in plain text without needing to perform any additional steps. Keep in mind where that plain text now lives: in the Teams chat history and, unless Secure Inputs and Secure Outputs are enabled in the settings of the HTTP, Parse JSON and Teams actions, in the Logic App run history, readable by anyone with read access to the Logic App.
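As an added example (not code from the original article), here are Steps 3 to 5 as a single PowerShell function run with the Microsoft Graph PowerShell SDK. It is handy for verifying the permissions and the JSON shapes against Graph before building the Logic App actions, and it handles the two edge cases the workflow has to decide on: a device name that matches several devices, and several stored credentials of which only the newest counts. The function name, the placeholder device name and the use of delegated scopes under the running admin’s account are assumptions; that admin also needs an Entra role allowed to read LAPS passwords, such as Cloud Device Administrator.

```powershell
# Added example: Steps 3 to 5 of the article as one PowerShell function (Microsoft.Graph.Authentication).
# Assumes an admin signed in with delegated scopes and a role that may read LAPS passwords.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

function Get-LapsPasswordByDeviceName {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Step 3: resolve the display name to the Entra device ID (deviceId, not the object id).
    # The name is user input, so double any single quote before it enters the OData filter.
    $escapedName   = $DeviceName.Replace("'", "''")
    $encodedFilter = [uri]::EscapeDataString("displayName eq '$escapedName'")
    $uri = 'https://graph.microsoft.com/v1.0/devices?$filter=' + $encodedFilter +
           '&$select=id,deviceId,displayName,approximateLastSignInDateTime'
    $devices = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)

    # Display names are not unique; fail closed instead of guessing which machine was meant.
    if ($devices.Count -eq 0) { throw "No device named '$DeviceName' found." }
    if ($devices.Count -gt 1) {
        $ids = ($devices | ForEach-Object { $_.deviceId }) -join ', '
        throw "Device name '$DeviceName' is ambiguous (deviceIds: $ids)."
    }
    $deviceId = $devices[0].deviceId

    # Step 4: fetch the credential history; the three extra headers are required by this endpoint.
    $headers = @{
        'User-Agent'         = 'Dsreg/10.0 (Windows 10.0.19043.1466)'
        'ocp-client-name'    = 'My Friendly Client'
        'ocp-client-version' = '1.2'
    }
    $uri  = "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/$deviceId" + '?$select=credentials'
    $info = Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $headers

    # Several entries can be present; the newest backupDateTime is the password currently set.
    $newest = $info.credentials |
        Sort-Object { [datetime]$_.backupDateTime } -Descending |
        Select-Object -First 1
    if (-not $newest) { throw "No LAPS password stored for deviceId $deviceId." }

    # Step 5: passwordBase64 is Base64 over UTF-8 text, the same thing decodeBase64() does in the Logic App.
    $plain = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($newest.passwordBase64))

    [pscustomobject]@{
        DeviceId       = $deviceId
        AccountName    = $newest.accountName
        BackupDateTime = [datetime]$newest.backupDateTime
        Password       = $plain
    }
}

# Usage (placeholder device name): hand the object to the ticket or chat step; never log the Password field.
Get-LapsPasswordByDeviceName -DeviceName 'DESKTOP-EXAMPLE01' | Format-List DeviceId, AccountName, BackupDateTime
```

Throwing on an ambiguous name is a deliberate choice: in a self-service flow it is better to bounce the request back to the requester than to hand out the password of a machine they did not ask for.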
Conclusion #
The combination of Microsoft Forms, Logic Apps, and the Microsoft Graph API allows for efficient automation of LAPS password retrieval. The process not only offers convenience for users but also ensures traceability and reduces manual intervention. Through the use of a Managed Identity, narrowly scoped permissions, and practices like logging and a recorded justification, the solution stays auditable and compliant. Be aware, though, that in the form described here any user who can submit the form receives the password of whatever device name they enter, so in practice the process should be extended, for example with an approval step before the password is retrieved or a check that the requester is the registered user of the device.