Intune » IAMSYSADMIN

Building a Secure LAPS Password Portal with Azure and Microsoft Graph

04/06/202607/04/2026 by Remy Kuster

We are planning to implement Local Administrator Password Solution, but the first thing I wondered was how inconvenient it would be for support engineers and helpdesk staff to retrieve LAPS account and password. Log into the Intune portal, navigate to the devices tab, search for the device, and dig through the properties to find the LAPS password — every single time they need an admin account. That had to be faster.

So (with some help of a good friend) I built the LAPS Portal: an Azure Web App with an Azure Function App as the backend, secured by two app registrations for authentication and Graph API calls. It runs at no extra cost and works on any device. Especially useful when you’re standing next to a device in the field and need the LAPS account and password right then and there — just open the portal on your phone, type the device name, and you’re done.

Here is exactly how you can set this up.

Soft‑Deleted Entra ID Group Broke an Intune Role

11/03/2026 by Remy Kuster

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

04/02/202626/01/2026 by Remy Kuster

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting to much permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with existing Privileged Identity Management (PIM) group.

Assign Intune device category based on users department property

05/04/202414/02/2024 by Remy Kuster

macOS devices enrolled via Apple Business Manager don’t have the option to be enrolled to Intune with a group tag like Windows devices. With a group tag you can create a dynamic device group and then auto assign a scope tag to those devices. So it would be nice to think of something so macOS devices also could be added to a dynamic group and then auto assign a scope tag to those devices. In order to achieve this I created a PowerShell script with Intune Graph to auto assign a (department) category to the macOS Intune managed devices based on the users department property. You can read my post to find out how you can achieve this.

Deploy Microsoft Project and Visio (Click-to-run)

05/02/202405/02/2024 by Remy Kuster

I got a request at work if I could create the deployment of the latest versions (Click-to-run) of Microsoft Visio and Project and set the Monthly update channel. The deployment of the applications should be made available in the Company Portal for users that are a member of the Entra ID synced Active Directory group to which the Visio and or Project Online plan licenses are assigned to.
We still run a 32 bits MS365 Apps on devices so got a mix of 32 bits and 64 bits MS 365 apps. The deployment should automatically detect the MS 365 apps architecture and then install the correct 32 or 64 bits version of Project and / or Visio. In this post I will show you how I did this. I will also provide all the sources and scripts you need to accomplish this.