
LAPS: One of the Most Overlooked Microsoft 365 Security Wins

  • Writer: Kyle Cira
  • Mar 18

When it comes to Microsoft 365 security, some of the most impactful controls are also the simplest to implement.

One of those controls is Local Administrator Password Solution (LAPS).


What Is LAPS?

LAPS is a security feature within Microsoft Entra that protects the local administrator account on Entra-joined devices.

At a high level, it solves a very common—and very dangerous—problem.


The Problem LAPS Solves

In many environments, workstations are provisioned with a shared local administrator account and a static, documented password.

That creates a major risk:

  • If one machine is compromised

  • And the attacker extracts the local admin credentials

  • They can potentially access every workstation in the environment

This is a classic example of credential reuse leading to lateral movement.


How LAPS Fixes It

LAPS eliminates this risk by:

  • Automatically rotating the local administrator password on a defined schedule

  • Assigning a unique password per device

  • Enforcing complexity requirements you define

  • Storing the password securely in Microsoft Entra

This means that even if one device is compromised, the attacker cannot reuse those credentials elsewhere.
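The protection described above only holds for devices that actually have a current password backed up, so a coverage check is worth running after rollout. The following is an added example, not code from the original post: the function name Get-LapsCoverageGap, the property names, the 30-day threshold and the sample records are all assumptions made for illustration, and last backup time is used as a stand-in for last rotation.

```powershell
# Constructed sample data, not real devices. In a live tenant the inventory would come
# from Entra device objects and the backup metadata from Microsoft Graph's
# deviceLocalCredentials resource; the property names below are this example's own.
# Only metadata is read here. No password is ever retrieved.
$devices = @(
    [pscustomobject]@{ DeviceId = 'aaaaaaaa-0000-0000-0000-000000000001'; Name = 'WS-001' }
    [pscustomobject]@{ DeviceId = 'aaaaaaaa-0000-0000-0000-000000000002'; Name = 'WS-002' }
    [pscustomobject]@{ DeviceId = 'aaaaaaaa-0000-0000-0000-000000000003'; Name = 'WS-003' }
)
$lapsRecords = @(
    [pscustomobject]@{ DeviceId = 'aaaaaaaa-0000-0000-0000-000000000001'
                       LastBackup = [datetimeoffset]'2025-03-10T08:00:00Z' }
    [pscustomobject]@{ DeviceId = 'aaaaaaaa-0000-0000-0000-000000000002'
                       LastBackup = [datetimeoffset]'2024-12-01T08:00:00Z' }
)

function Get-LapsCoverageGap {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $LapsRecords,
        [int] $MaxAgeDays = 30,   # assumption: set this to your configured rotation interval
        [datetimeoffset] $AsOf = [datetimeoffset]::UtcNow
    )
    # Index backup records by device ID for constant-time lookup.
    $byId = @{}
    foreach ($r in $LapsRecords) { $byId[$r.DeviceId] = $r }

    foreach ($d in $Devices) {
        $rec = $byId[$d.DeviceId]
        if ($null -eq $rec) {
            # Device exists in inventory but has never backed up a LAPS password.
            $status = 'NoPasswordBackedUp'; $age = $null
        } else {
            $age = [math]::Floor(($AsOf - $rec.LastBackup).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'RotationOverdue' } else { 'OK' }
        }
        # Emit only the devices that need attention.
        if ($status -ne 'OK') {
            [pscustomobject]@{ Name = $d.Name; Status = $status; AgeDays = $age }
        }
    }
}

# Fixed -AsOf date so the constructed sample gives the same result on every run.
Get-LapsCoverageGap -Devices $devices -LapsRecords $lapsRecords -AsOf ([datetimeoffset]'2025-03-18T00:00:00Z')
```

Devices reported as NoPasswordBackedUp are the ones most likely to still carry a legacy shared local administrator password.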


Operational Benefits

Beyond the security improvements, LAPS also reduces IT overhead:

  • No need to manually track or rotate passwords

  • No need to maintain insecure documentation of shared credentials

  • Simple retrieval of the password from Entra when needed for support

It’s one of those rare controls that improves both security and operational efficiency.


Important Post-Implementation Step

After implementing LAPS, there’s one step organizations often overlook:

Update your device onboarding process and documentation

Any legacy processes that include:

  • Shared local admin passwords

  • Written or stored credentials

…should be updated or removed immediately.

Otherwise, you risk reintroducing the very vulnerability LAPS was designed to eliminate.


Final Thoughts

LAPS is a straightforward control that delivers outsized security value.

It directly mitigates one of the most common paths attackers use to move laterally through an environment—and it does so with minimal ongoing effort.

If you’re not using LAPS today, it’s worth serious consideration.


Work With Redeemer Cyber

We’re actively onboarding partners and clients who want to work with an organization that combines:

  • Deep CIS M365 Benchmark development involvement

  • Deep Microsoft 365 security expertise

  • Real-world implementation experience

  • Strong ethical foundation

Contact Redeemer Cyber today so we can make a difference together.

 
 
 
