Home » IAMSYSADMIN

Building a Secure LAPS Password Portal with Azure and Microsoft Graph

Posted on 07/04/202610/04/2026 by Remy Kuster

We are planning to implement Local Administrator Password Solution, but the first thing I wondered was how inconvenient it would be for support engineers and helpdesk staff to retrieve LAPS account and password. Log into the Intune portal, navigate to the devices tab, search for the device, and dig through the properties to find the LAPS password — every single time they need an admin account. That had to be faster.

So (with some help of a good friend) I built the LAPS Portal: an Azure Web App with an Azure Function App as the backend, secured by two app registrations for authentication and Graph API calls. It runs at no extra cost and works on any device. Especially useful when you’re standing next to a device in the field and need the LAPS account and password right then and there — just open the portal on your phone, type the device name, and you’re done.

Here is exactly how you can set this up.

Soft‑Deleted Entra ID Group Broke an Intune Role

Posted on 11/03/202611/03/2026 by Remy Kuster

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

Posted on 26/01/202604/02/2026 by Remy Kuster

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting to much permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with existing Privileged Identity Management (PIM) group.