turbot/steampipe-mod-microsoft365-compliance

Control: 5.1.4.5 Ensure Local Administrator Password Solution is enabled

Description

Local Administrator Password Solution (LAPS) manages the passwords of local accounts on Windows devices. LAPS provides a way to securely manage and retrieve the built-in local administrator password. With the cloud version of LAPS, customers can enable storage and rotation of local administrator passwords for both Microsoft Entra joined and Microsoft Entra hybrid joined devices.

The recommended state is Yes.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Entra ID > Devices and select Device settings.
  3. Set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes.

Default Value

No.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_5 --share

SQL

This control uses a named query:

select
  tenant_id || '/' || id as resource,
  case
    when (local_admin_password ->> 'isEnabled')::bool = true then 'ok'
    else 'alarm'
  end as status,
  case
    when (local_admin_password ->> 'isEnabled')::bool = true then tenant_id || ' has Local Administrator Password Solution (LAPS) enabled.'
    else tenant_id || ' has Local Administrator Password Solution (LAPS) disabled.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;
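The following is an added example, not part of the mod's own query, that runs the control's case logic over constructed rows standing in for azuread_device_registration_policy. It runs on any PostgreSQL database (including the Steampipe database) without a Microsoft 365 connection, and the tenant_id, id and local_admin_password values are made up for illustration. It shows what the control reports when isEnabled is true, false, absent from the JSON, or when the whole column is null.

```sql
-- Added example (not the mod's query): apply the control's status logic to
-- constructed sample rows. Requires PostgreSQL; no Microsoft 365 connection.
with sample_policy(tenant_id, id, local_admin_password) as (
  values
    ('tenant-a', 'policy-1', '{"isEnabled": true}'::jsonb),   -- LAPS enabled
    ('tenant-b', 'policy-2', '{"isEnabled": false}'::jsonb),  -- LAPS disabled
    ('tenant-c', 'policy-3', '{}'::jsonb),                    -- key absent
    ('tenant-d', 'policy-4', null)                            -- no policy data
)
select
  tenant_id || '/' || id as resource,
  -- ->> returns text ('true'/'false') or NULL when the key is missing;
  -- NULL::bool = true is NULL, so the case falls through to 'alarm'.
  case
    when (local_admin_password ->> 'isEnabled')::bool = true then 'ok'
    else 'alarm'
  end as status,
  case
    when (local_admin_password ->> 'isEnabled')::bool = true then tenant_id || ' has Local Administrator Password Solution (LAPS) enabled.'
    else tenant_id || ' has Local Administrator Password Solution (LAPS) disabled.'
  end as reason,
  tenant_id as tenant_id
from
  sample_policy
order by
  resource;
```

Only tenant-a is reported as ok; the false, absent-key and null rows all report alarm. Treating a missing or null isEnabled value as non-compliant is the intended direction of failure for a compliance control: when the API returns no evidence that LAPS is enabled, the tenant is flagged rather than silently passed.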

Tags