June 10, 2026

LAPS for Azure Arc: Securing Local Admin Passwords Across Hybrid Environments at Scale




Stop local admin credentials from becoming the attacker’s pivot point. Discover how LAPS for Azure Arc enforces unique, rotated admin passwords seamlessly across hybrid and sovereign estates.

Tags: ["Azure", "Azure Arc", "Security", "Hybrid Cloud", "Windows Server"]


Ask any seasoned security professional where the biggest unmanaged risk in their environment lives, and the answer consistently points to the local administrator account on Windows machines. These accounts often share the same password across many machines, rarely get rotated, and silently become the weak link attackers exploit for lateral movement.

Windows LAPS (Local Administrator Password Solution) has long provided a vital fix by generating unique, random local admin passwords per machine, storing them securely in Active Directory or Microsoft Entra ID, and rotating them regularly. But the challenge has always been how to extend this control consistently and at scale across hybrid estates that span on-premises, multiple clouds, and edge locations.

Enter LAPS for Azure Arc. This capability elevates local admin password management into the Azure control plane, providing centralized, auditable, and enforceable password policies for any Windows machine connected via Azure Arc — whether on-premises servers, Azure VMs, or machines at the edge. In this post, we'll explore how LAPS for Azure Arc works, its architecture, key technical insights, and how you can get started today.

Architecture Overview

┌────────────────────────────┐
│ On-Premises & Edge Machines│
├────────────────────────────┤
│  • Windows Servers         │
│  • Non-Azure VMs           │
│  • Edge Devices            │
└────────────────────────────┘
            ↓ Azure Arc Agent
┌────────────────────────────┐
│  Azure Arc Control Plane   │
├────────────────────────────┤
│  • Azure Policy Management │
│  • Machine Configuration   │
│  • Compliance Reporting    │
└────────────────────────────┘
            ↓ Password backup
┌────────────────────────────┐
│    Identity & Directory    │
├────────────────────────────┤
│  • Microsoft Entra ID      │
│  • Active Directory        │
└────────────────────────────┘
            ↓ Compliance state
┌────────────────────────────┐
│   Security & Operations    │
├────────────────────────────┤
│  • Audit & Remediation     │
│  • Post-Authentication     │
│    Reset Actions           │
└────────────────────────────┘

This diagram shows how LAPS for Azure Arc brings diverse Windows machines under a centralized, Azure-based management and security infrastructure. The Azure Arc agent installed on each machine connects it to Azure Policy and Machine Configuration, which orchestrate and enforce local admin password policies uniformly. Passwords are backed up securely to Microsoft Entra ID or Active Directory, so password retrieval follows the same identity and access controls as the rest of the estate.

Key Technical Observations

  • Centralized Declarative Configuration — Azure Policy defines the desired LAPS settings (password length, rotation interval, post-authentication actions) declaratively, replacing legacy per-machine or Group Policy configurations with a unified cloud-native control plane.

  • Hybrid & Multi-Cloud Scope — Unlike classic LAPS, which requires AD or Intune management per domain or cloud, this approach extends across Azure VMs, on-premises servers, and edge devices connected via Azure Arc, enabling one consistent policy regardless of where a machine runs.

  • Audit-First Deployment Strategy — The solution supports an "audit-only" mode providing compliance reports without enforcing changes, making it safer for large brownfield environments. Operators can then promote policies to "audit-and-configure" mode, remediating non-compliant machines gradually and safely.

  • Secure by Default Following NIST & CIS Guidance — Default settings enforce strong security best practices including 15-character complex passwords, 30-day rotation, and password expiration protections. These defaults help organizations start secure out-of-the-box and tune policies as confidence grows.

  • Post-Authentication Actions for Enhanced Protection — Automated post-login remediation steps like resetting passwords, signing users out after 8 hours, or even rebooting machines elevate security by limiting attack windows after local admin usage.

  • Compatibility with Existing LAPS Deployments — Rather than replacing existing LAPS infrastructure, this solution wraps around Windows LAPS already present on machines, enabling gradual adoption without ripping and replacing current systems.

How It Works

Defining Policies via Azure Policy

The foundation is an Azure Policy definition targeting LAPS-related settings and scopes (subscriptions or resource groups). Admins declaratively define parameters such as password length, rotation cadence, backup directory (Microsoft Entra ID or Active Directory), and fallback behaviors.

{
  "properties": {
    "parameters": {
      "passwordComplexity": { "type": "string", "defaultValue": "complex" },
      "passwordLength": { "type": "int", "defaultValue": 15 },
      "rotationDays": { "type": "int", "defaultValue": 30 },
      "postAuthAction": { "type": "string", "defaultValue": "reset+signout" }
    }
  }
}

Machine Configuration and Compliance Scanning

Azure Arc's Machine Configuration evaluates each connected Windows machine against the policy. In audit-only mode, it reports compliance state without changing anything; in audit-and-configure mode, it remediates and applies missing or incorrect settings automatically.

Arc Agent Bridges Non-Azure Machines

For on-prem and edge machines not running in Azure natively, the Azure Arc agent acts as a secure conduit, enabling the same policy enforcement and telemetry mechanisms as Azure VMs.

Password Backup & Rotation

Most importantly, the unique random password generated for each endpoint is backed up securely to either Microsoft Entra ID or Active Directory, providing an auditable, recoverable password store that integrates with enterprise identity management. Because every machine gets its own password, a credential recovered from one host cannot be replayed against another.

Post-Authentication Reset and Sign-Out

When a local admin logs in and completes their task, LAPS can trigger an automatic password reset operation and sign the user out after a configurable interval (default 8 hours) to minimize the window of opportunity for attackers exploiting cached credentials.
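The four steps above (policy definition, compliance scanning in the two modes, rotation, and post-authentication action) can be hard to picture without seeing what "NonCompliant" and "remediated" mean for a concrete machine. The following is an added example, not code from this post, from Microsoft, or from the LAPS for Azure Arc preview: a small Python model of how Machine Configuration evaluates a fleet of Arc-connected machines against the policy parameters shown in the JSON definition earlier, reporting only in "audit-only" mode and also remediating in "audit-and-configure" mode. The `MachineState` records are constructed sample data, and `backupDirectory` is an assumed parameter name (the post names the backup targets but not the parameter); the real evaluation runs inside the Arc agent against the Windows LAPS settings on each host.

```python
"""Simulated LAPS compliance evaluation in the two modes the post describes.

Added example, not Microsoft's code. Models how Machine Configuration
evaluates Arc-connected machines against the policy parameters: "audit-only"
reports drift, "audit-and-configure" also remediates it. All machine records
are constructed sample data.
"""
from dataclasses import dataclass, replace

# Policy parameters mirroring the JSON definition above. "backupDirectory"
# is an assumed parameter name for the backup target the post describes.
POLICY = {
    "passwordComplexity": "complex",
    "passwordLength": 15,
    "rotationDays": 30,
    "postAuthAction": "reset+signout",
    "backupDirectory": "EntraID",
}


@dataclass(frozen=True)
class MachineState:
    """Observed Windows LAPS settings on one Arc-connected machine (constructed)."""
    name: str
    password_length: int
    password_complexity: str
    password_age_days: int     # days since the current local admin password was set
    backup_directory: str      # "EntraID", "AD" or "none"
    post_auth_action: str


# Each rule: policy key, getter for the observed value, and the compliance test.
# Length is a minimum, password age is a maximum, the rest must match exactly.
RULES = [
    ("passwordLength", lambda m: m.password_length, lambda obs, req: obs >= req),
    ("passwordComplexity", lambda m: m.password_complexity, lambda obs, req: obs == req),
    ("rotationDays", lambda m: m.password_age_days, lambda obs, req: obs <= req),
    ("backupDirectory", lambda m: m.backup_directory, lambda obs, req: obs == req),
    ("postAuthAction", lambda m: m.post_auth_action, lambda obs, req: obs == req),
]


def find_violations(machine, policy=POLICY):
    """Return [(setting, observed, required)] for every rule the machine fails."""
    violations = []
    for key, observe, ok in RULES:
        observed, required = observe(machine), policy[key]
        if not ok(observed, required):
            violations.append((key, observed, required))
    return violations


def remediate(machine, policy=POLICY):
    """Apply the policy settings. A password that is too short, not complex,
    or overdue for rotation is regenerated (age goes back to 0); a machine that
    only lacks the post-auth action or backup keeps its current password."""
    failed = {key for key, _, _ in find_violations(machine, policy)}
    regenerate = failed & {"passwordLength", "passwordComplexity", "rotationDays"}
    return replace(
        machine,
        password_length=policy["passwordLength"],
        password_complexity=policy["passwordComplexity"],
        password_age_days=0 if regenerate else machine.password_age_days,
        backup_directory=policy["backupDirectory"],
        post_auth_action=policy["postAuthAction"],
    )


def evaluate(machines, mode, policy=POLICY):
    """Evaluate a fleet. mode is "audit-only" or "audit-and-configure".
    Returns (compliance report keyed by machine name, resulting machine states)."""
    if mode not in ("audit-only", "audit-and-configure"):
        raise ValueError(f"unknown mode: {mode}")
    report, resulting = {}, []
    for machine in machines:
        violations = find_violations(machine, policy)
        report[machine.name] = "NonCompliant" if violations else "Compliant"
        if violations and mode == "audit-and-configure":
            machine = remediate(machine, policy)
        resulting.append(machine)
    return report, resulting


# Constructed fleet: a compliant server, a server with a short shared password
# that is never rotated or backed up (the pre-LAPS state the post warns about),
# and an edge device that only lacks the post-authentication action.
FLEET = [
    MachineState("srv-01", 15, "complex", 12, "EntraID", "reset+signout"),
    MachineState("srv-02", 8, "simple", 400, "none", "none"),
    MachineState("edge-07", 15, "complex", 3, "EntraID", "none"),
]


if __name__ == "__main__":
    audit, _ = evaluate(FLEET, "audit-only")
    print("audit-only:", audit)
    for m in FLEET:
        for setting, observed, required in find_violations(m):
            print(f"  {m.name}: {setting} observed={observed!r} required={required!r}")
    _, fixed = evaluate(FLEET, "audit-and-configure")
    print("after audit-and-configure:", evaluate(fixed, "audit-only")[0])
```

Running the audit first and reading the per-setting violations is the point of the audit-first rollout: the report tells you which machines would have their password regenerated (srv-02) versus merely reconfigured (edge-07) before enforcement changes anything.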

Quick Tips & Tricks

  1. Start in Audit-Only Mode — For brownfield or existing fleets, begin by auditing compliance without applying changes. Review reports before enabling enforcement to avoid unintended disruptions.

  2. Accept Secure Defaults First — Default 15-character complex passwords with 30-day rotation align with recognized security benchmarks. Tune parameters cautiously once you confirm stable operations.

  3. Use Entra ID Backup for Hybrid Environments — When possible, back up passwords to Microsoft Entra ID to unify identity and access audit trails, especially for non-domain-joined machines.

  4. Avoid Overly Aggressive Post-Auth Actions Initially — Reboots or session terminations can impact user productivity. Start with just password reset actions and increase strictness as confidence grows.

  5. Scope Policies Thoughtfully Using Azure Management Groups and RBAC — Deploy policies incrementally targeting development, staging, and production rings to validate impact progressively.

  6. Monitor Compliance Reports Regularly — Utilize Azure Policy's built-in compliance dashboard to spot non-compliant machines and address configuration drift promptly.

Conclusion

LAPS for Azure Arc closes a critical security gap by enabling consistent, scalable, and auditable local admin password management across hybrid and sovereign cloud environments. By elevating classic Windows LAPS into the Azure control plane and extending policy enforcement beyond Azure to on-premises and edge machines, it empowers security teams with a unified approach that meets compliance demands and reduces lateral attack vectors.

This solution’s careful design—with audit-first deployment models, secure-by-default parameters following NIST and CIS guidelines, and seamless integration with existing identity infrastructure—makes it an attractive tool for organizations seeking robust endpoint security without disruption.

As hybrid estates and sovereign clouds continue to proliferate, centralized, cloud-native security controls like LAPS for Azure Arc will become indispensable foundations for zero trust environments. Exploring and adopting this technology today positions teams to stay ahead in securing their distributed infrastructure fabric.
