
Cloud LAPS

LAPS access control

Control who has access to computer and Entra ID break-glass accounts

Overview

With idemeum cloud LAPS you can control who can access and view break-glass credentials for computers and Entra ID.

  • By default, the All admins group is entitled to view LAPS credentials for each customer tenant.
    • You can be a Global admin in the MSP tenant, in which case you will see LAPS credentials everywhere, or you can have delegated admin access to certain customer tenants. Learn more about admin delegation in the guide below.
Delegate access to tenants
Delegate technician admin access to customer tenants
  • For each customer tenant you can control which groups of users have access to LAPS credentials. For instance, you can create an MSP group called Level 1 techs and use that group to enforce LAPS access control. This way only technicians belonging to that group will be able to view LAPS credentials.
  • LAPS access control applies both to computer accounts and to Entra ID accounts.

Configure LAPS access control

As a first step, create a group in your MSP tenant, make sure it is propagated to your customer tenants, and assign your technicians to it. You can use direct user assignment or attribute group mapping. Follow the guide below to see how to create groups.

Group management
Combine users into groups with direct assignments or attribute mapping

Next, choose a customer tenant and restrict LAPS access in that tenant to this configured group.

  • Navigate to your customer tenant admin portal
  • Go to Settings → PAM and scroll down to LAPS access control
  • Click the ⚙️ icon to configure groups. Select the groups that should have access to LAPS. You can remove the All admins group and assign only the groups you want.

From now on, only technicians who belong to the selected group will be able to view LAPS credentials in this tenant. See the computer and Entra ID guides for how to view LAPS credentials.