SYNOPSIS

Retrieves the LAPS password for a Microsoft Entra ID device.

SYNTAX

Default (Default)

Get-MgLAPSPassword [-DeviceName <String>] [-DeviceID <String>] [-ShowPassword] [-IncludeHistory]
 [-RunFromAzureAutomation] [-ProgressAction <ActionPreference>] [<CommonParameters>]

KeyVault

Get-MgLAPSPassword [-DeviceName <String>] [-DeviceID <String>] [-ShowPassword] [-IncludeHistory]
 [-RunFromAzureAutomation] [-BackupToKeyVault] -KeyVaultName <String> [-ProgressAction <ActionPreference>]
 [<CommonParameters>]

DESCRIPTION

Gets the Windows Local Administrator Password Solution (LAPS) password for one or all devices in Microsoft Entra ID (formerly Azure AD). By default, only metadata is returned (no password). Use -ShowPassword to retrieve the password in plain text. Passwords can optionally be backed up to an Azure Key Vault.

EXAMPLES

EXAMPLE 1

Get-MgLAPSPassword
Retrieves metadata (no password) for all devices with LAPS configured.

EXAMPLE 2

Get-MgLAPSPassword -DeviceName "DESKTOP-ABC123"
Retrieves metadata (no password) for the device with the specified display name.

EXAMPLE 3

Get-MgLAPSPassword -DeviceID "12345678-1234-1234-1234-123456789012"
Retrieves metadata (no password) for the specified device.

EXAMPLE 4

Get-MgLAPSPassword -ShowPassword
Retrieves the current LAPS password in plain text for all devices.

EXAMPLE 5

Get-MgLAPSPassword -DeviceID "12345678-1234-1234-1234-123456789012" -ShowPassword
Retrieves the current LAPS password in plain text for the specified device.

EXAMPLE 6

Get-MgLAPSPassword -DeviceID "12345678-1234-1234-1234-123456789012" -ShowPassword -IncludeHistory
Retrieves the current and historical LAPS passwords for the specified device. The IsCurrent property indicates which entry is the active password.

EXAMPLE 7

Get-MgLAPSPassword -BackupToKeyVault -KeyVaultName "MyLAPSVault"
Backs up LAPS passwords for all devices to Azure Key Vault.

EXAMPLE 8

Get-MgLAPSPassword -DeviceID "12345678-1234-1234-1234-123456789012" -BackupToKeyVault -KeyVaultName "MyLAPSVault"
Backs up the LAPS password for the specified device to Azure Key Vault.

EXAMPLE 9

Get-MgLAPSPassword -RunFromAzureAutomation -BackupToKeyVault -KeyVaultName "MyLAPSVault"
Backs up LAPS passwords for all devices using managed identity authentication. Suitable for Azure Automation runbooks.

PARAMETERS

-DeviceName

Filter results to a specific device by its display name. Cannot be used together with the -DeviceID parameter.
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DeviceID

Filter results to a specific device by its Entra ID (Azure AD) object ID. If not specified, retrieves LAPS passwords for all devices. Cannot be used together with the -DeviceName parameter.
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ShowPassword

Retrieve and display the LAPS password in plain text. By default, only metadata (expiration time, etc.) is returned. Use with caution, as this will expose the password in the console output.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-IncludeHistory

Include previous LAPS passwords in the output, in addition to the current one. Only applicable when -ShowPassword or -BackupToKeyVault is specified. Has no effect otherwise. The output includes an IsCurrent property to identify the active password.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-RunFromAzureAutomation

Use managed identity authentication instead of interactive authentication. Suitable for Azure Automation runbooks, Azure Functions, or VMs with managed identity enabled.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-BackupToKeyVault

Enable backup of LAPS passwords to Azure Key Vault. Must be used together with -KeyVaultName. The secret name is the device name; the Content Type field contains the account name and backup date.
Type: SwitchParameter
Parameter Sets: KeyVault
Aliases:

Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-KeyVaultName

Name of the Azure Key Vault to back up LAPS passwords to. Mandatory when -BackupToKeyVault is specified. Requires the Az.KeyVault module and appropriate permissions.
Type: String
Parameter Sets: KeyVault
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
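
A check that can follow a -BackupToKeyVault run, as an added example that is not part of this module: it lists the vault's secret metadata with Az.KeyVault's Get-AzKeyVaultSecret and flags backups that are stale or missing, without reading any password value. Test-LapsVaultBackup, its -ExpectedDevice and -MaxAgeDays parameters, and the 30-day threshold are assumptions made for the example.

```powershell
#Requires -Modules Az.KeyVault
# Added example (not part of the module). Test-LapsVaultBackup and its
# parameters are hypothetical names; run Connect-AzAccount first.
function Test-LapsVaultBackup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [string[]] $ExpectedDevice = @(),   # device names that should have a backup
        [int] $MaxAgeDays = 30              # assumed freshness threshold
    )

    # Listing a vault returns secret metadata only (Name, ContentType, Updated);
    # no secret value is read, so no password reaches the console or a transcript.
    $secrets = @(Get-AzKeyVaultSecret -VaultName $KeyVaultName)
    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)   # compared in UTC

    foreach ($s in $secrets) {
        [pscustomobject]@{
            Device      = $s.Name          # secret name is the device name
            ContentType = $s.ContentType   # account name and backup date
            Updated     = $s.Updated
            Status      = if ($null -eq $s.Updated -or $s.Updated -lt $cutoff) { 'Stale' } else { 'OK' }
        }
    }

    # Devices expected in the vault that have no secret at all.
    foreach ($name in $ExpectedDevice) {
        if ($name -notin $secrets.Name) {
            [pscustomobject]@{ Device = $name; ContentType = $null; Updated = $null; Status = 'Missing' }
        }
    }
}

# Constructed usage: vault and device names taken from the examples above.
Test-LapsVaultBackup -KeyVaultName 'MyLAPSVault' -ExpectedDevice 'DESKTOP-ABC123' |
    Where-Object Status -ne 'OK' |
    Format-Table Device, Status, Updated, ContentType
```

The identity running this check needs only permission to list secrets in the vault, so it can be kept separate from the identity that holds DeviceLocalCredential.Read.All.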

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

Requires the DeviceLocalCredential.Read.All and Device.Read.All permissions in Microsoft Entra ID.

https://ps365.clidsys.com/docs/commands/Get-MgLAPSPassword