LAPS for Entra ID
Secure emergency Entra ID global admin accounts for each Entra ID customer tenant
Overview
You can connect your customer Entra ID tenants to the idemeum cloud portal. idemeum generates up to two break-glass accounts for each customer tenant, sets random passwords for them, and stores these accounts in the idemeum zero-knowledge vault. All credentials are generated in the browser and are never visible to idemeum. Moreover, every time one of your technicians logs into the portal, idemeum triggers a password rotation from the browser side, so we do not see these accounts' credentials when the passwords are rotated either.
We follow Microsoft best practices for securing emergency accounts.
Configure LAPS for Entra ID
- Navigate to a customer tenant where you would like to set up LAPS for Entra ID
- Access Applications → Add app → Managed password app
- Provide a friendly application name
- For application type choose Web application
- For credentials type choose Entra OIDC credentials
- Authorize access with your existing onmicrosoft account
- For the domain name choose your onmicrosoft domain
- For group mappings choose All admins and specify the role for JIT accounts (i.e. Global administrator)
- Add LAPS account and specify the account to create and rotate the passwords for. You can choose any account name.
- Save the configuration
View Entra ID LAPS credentials
💡 Cloud LAPS is protected with group-based access control, so in order to view these credentials you must be entitled to do so. By default all tenant admins are entitled to view LAPS credentials; you can change that in the PAM settings.
- Navigate to the customer tenant and access the user portal
- Find the Entra ID application and click on ...
- Choose View LAPS credentials