Quick-start - LAPS
In this guide we will set up cloud LAPS so that you can protect your break-glass local and domain admin accounts with automated password rotation.
Sign up for idemeum MSP tenant
If you have not created your idemeum cloud tenant yet, please follow the steps below to create a trial tenant for your organization.
Enable cloud directory for your MSP tenant
To manage the identities of your MSP technicians, we will leverage the idemeum local directory. To enable local directory:
- Navigate to https://<your-msp-domain>.idemeum.com/adminportal
- Access Users → User source and choose Local
- Save the configuration
Onboard other MSP technicians
You can now create accounts for other technicians, so that they can also be onboarded with mobile devices.
- Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
- Access Users → User management and click Add user
- Enter the following details to create a technician:
  - First name and Last name
  - Corporate email address
  - Username will be automatically generated. This username will be used to create a unique admin account for each technician on the workstations that they access. You can change this username if you want.
  - Optionally specify personal email address
Create a customer tenant that you will manage
Idemeum offers a Multi-Tenant MSP Portal to manage all your customer tenants from a single dashboard. To create a tenant for your customer:
- Navigate to your MSP tenant admin portal at https://your-domain.idemeum.com/adminportal
- Access Customers on the left and click Create customer
- Enter Name (will be used to create a subdomain for your MSP tenant, for example customer-<your MSP domain>.idemeum.com) and Display name (will be used as a display name / title for your customer tenant)
Once the customer tenant is created, click on the name of the customer tenant, and you will be automatically logged in there. More about the MSP portal below.
Promote technicians to admins
For this setup we will promote technicians who need access to LAPS credentials to MSP tenant admins. To assign an Admin role to a technician so that they can view LAPS credentials, please follow these steps:
- Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
- Access Users
- Find the user record, click on ... and then choose Make admin
Configure customer tenant
Now access the customer tenant you created in the previous step. You can directly navigate to a customer tenant URL at customer-<your msp domain>.idemeum.com or navigate to your MSP portal, Customers section and click on the link from there.
Enable local directory for customer tenant
- Navigate to Users → User source
- Choose Local from the dropdown and Save the configuration
Set up desktop client branding
You can configure the look and feel for the desktop client by configuring background, logo, and text for your users. You can follow the guide below.
Enable LAPS for the tenant
Follow the steps below to configure LAPS for the customer tenant.
Install idemeum desktop application
If you also want to rotate the domain admin account, install the idemeum desktop client on the domain controller.
There are various installation methods, but the easiest option is to leverage PowerShell installation.
- Navigate to your customer tenant admin dashboard
- Access Settings → Desktop installation
- Navigate to the PowerShell section and copy the PowerShell command
- On the target workstation, open PowerShell as Administrator

You can now execute this command on the target workstation to perform the silent installation.
View LAPS credentials
You can now view LAPS credentials for workstations.
Questions?
If you have any questions please join our Discord chat, and we will help.