Local Admin Password Management
Last updated
Last updated
Local Administrator Password Solution (LAPS) will solve the issue of using identical administrative credentials on every Windows computer for support and emergency purposes. On its own, LAPS creates a randomly generated password for a local admin account.
With RealmJoin it is possible to manage secure and individualized administrative accounts, either for local support or remote support on a large scale. RealmJoin saves encrypted passwords in Azure Key Vault within the customer's tenant and stores audit logs of every access to these credentials.
RealmJoin's API allows you to request a "Support Account" (local admin) for a given device in your tenant. See RealmJoin's Swagger description to see which operations are currently supported in detail. Using LAPS with RealmJoin requires the deployment of the RealmJoin Windows Client.
It is assumed you have correctly set up LAPS in your environment and deployed the RealmJoin Windows Client on your devices. Also, make sure to authenticate every request against RealmJoin's API using an appropriate http Authorization header.
Tell RealmJoin to create a local Support Account on the target device using the endpoint /api/external/LocalAdmin/RequestSupportAccount. The request is queued using Application insights and will be processed RealmJoin Backend and RealmJoin Windows Client as soon as possible. When the account is created/usable.
The endpoint will return an estimate how long the account create will take. When the account is ready, see here on how to query for the credentials.
Let us assume the following situation:
You have your RealmJoin API credentials and encoded them to dC0xMjM0MTIzNDpteVMzY3JldCE= (Base64)
The target device's Entra deviceId is 9999dab9-f946-40ee-9a17-2500c8d00878. Be aware this is not the Entra object id (different attribute)!
Currently no Support Account exists on the target device.
Let us build the request:
Headers:
Request / URI:
This endpoint does not expect a request body.
Response
Http Status: 200 (OK)
Body (in JSON-Notation):
The response contains the approximate time until the RealmJoin Windows Client will create the local Support Account. In this example expect to wait at least 12 minutes. If the client has not been seen for a long time, you might get null as estimate instead of a number.
The RealmJoin Windows Client will poll for jobs every 30 min by default. The approximation offered by the API is based on the last time the Windows Client checked in.
The endpoint /api/external/LocalAdmin/RetrieveSupportAccountPassword is used to query if a Support Account has already been created as well as to collect the actual credentials of the Support Account.
Let us query the same deviceId of 9999dab9-f946-40ee-9a17-2500c8d00878 as in the example above.
In our example a Support Account (Full Name: "Local Support Admin Account") has been created on the target device by the RealmJoin Windows Client:
Request
Headers:
Request / URI:
This endpoint does not expect a request body.
Response
If the credentials are not available yet, the endpoint will return Http Status: 404 (Not Found) and some technical details in the body:
Body (JSON)
You can keep querying until the credentials are ready.
If the credentials are ready, the endpoint will return Http Status: 200 (OK) and the credentials:
Body (JSON)
You can use these credentials to offer support to a user, e.g. by connecting via the AnyDesk Supporter Client.
As you can see, by default a Support Account has a limited lifetime and will have to be recreated if access is needed after the expiration date. This is to make sure, that no high privilege credentials persist from day to day operations task.
