Cloud LAPS
Secure computer and Entra ID break glass accounts with auto password rotation and zero-knowledge vault.
Overview
Cloud LAPS secures the following accounts:
LAPS for computers
- The idemeum agent automatically generates a local admin or domain admin account on each of your workstations, uploads the credentials to the zero-knowledge cloud, and rotates the password automatically every 24 hours. At any given point in time you can access any machine with a secure break-glass admin account.
LAPS for Entra ID
- idemeum follows Microsoft best practices and lets you generate up to 2 emergency accounts for each of your Entra ID tenants. These emergency credentials are stored in the idemeum zero-knowledge cloud and secured with automatic password rotation.
Security
Idemeum does not see your credentials. Everything is encrypted on the client side (desktop encryption for computer LAPS and browser encryption for Entra ID LAPS), and even if our cloud is compromised, your emergency credentials will not be exposed. More about our security below.

LAPS for computers
Configure
- Access the admin portal of the organization / customer where you want to configure LAPS for computers
- Access Settings → JIT access
- Enable LAPS for computers and provide the account name to use. Idemeum can use any account name you like or take over an existing one
- One configuration is to create a local admin account on all types of computers except domain controllers
- Another configuration is to create a domain admin account on domain computers
- Optionally, you can specify which groups of admins will be able to see LAPS credentials

View credentials
- Navigate to the user portal of customer / organization where you need to view LAPS credentials
- Search for the device, click on ... and then choose View LAPS credentials

LAPS for Entra ID
Configure
First, connect your Entra ID tenant to idemeum. We have documented the steps to connect an Entra ID tenant here:

When you connect the Entra ID tenant, you will see the option to enable LAPS for your tenant, and you can specify up to two accounts to create and rotate passwords for.

View credentials
- Navigate to the user portal of customer / organization where you need to view LAPS credentials
- Search for the Entra ID application that you created, click on ... and then choose View LAPS credentials

LAPS access control
By default, All admins who have access to the customer / organization have access to LAPS credentials. You can restrict viewing of LAPS credentials to specific groups of users.
- Make sure you create groups in your parent organization tenant and then assign users to these groups
- Make sure you delegate access with the read-only role so that users cannot edit customer / organization tenant settings
- Navigate to Settings → JIT access and the LAPS access control section
- Remove All admins and add the groups that need to have access

LAPS credentials on mobile
LAPS credentials can be viewed in the idemeum cloud portal and the mobile application. Even if your mobile phone is in offline mode, you can still view LAPS credentials in the idemeum app. However, if the credentials were successfully rotated by the desktop application while the mobile phone was offline, you will not be able to view the latest username/password; the older credentials will be shown.
To view LAPS on mobile:
- Open your idemeum mobile application, navigate to any organization / customer tenant, choose a desktop or Entra ID application, click on ... and you will be able to view LAPS credentials.
