Event details
JaySimmons is "in the office" this morning. Bring on the Windows LAPS questions!
- vauman, Oct 19, 2023, Copper Contributor
Can LAPS rotate the password immediately after it has been used (like a one-time use)? I believe we currently have it set to change after 3 hours, which iirc was as tight as we could make it. But it doesn't feel good that the user has admin creds for longer than they realize. It's really just a hope that they don't try it on more stuff. (Note: this is my memory from when my team discussed it, I didn't configure it).
- JaySimmons, Oct 19, 2023, Microsoft
Hi Vaughn, we have no plans to support such a LAPS feature at this time, but thanks for the idea. Just talking off-the-cuff, I would question the value-add of such a mechanism - for example, it would not be suitable if the task being performed required a reboot, etc. IMO, the PAA feature covers the majority of the use-case scenarios with reasonable security.
- Rupert_CTM, Oct 19, 2023, Brass Contributor
When will Azure LAPS tighten up from 7 days to 1 day to match on-prem? Is that planned?
- JaySimmons, Oct 19, 2023, Microsoft
There are no plans to change that constraint for Azure LAPS. The basic underlying reason is to prevent excessive overload on the Azure infrastructure for what is essentially a free feature. I do not think there would be any meaningful security improvement in moving from a 7 day rotation period to a 1 day period. Especially since with the new Post-authentication-actions feature, you can now do automatic rotation after the account is used to log in to the device.