Serverless LAPS with Intune, Function App and Key Vault

Serverless LAPS with Intune, Function App and Key Vault

This article will describe how setup Serverless LAPS with Intune, Function App and Key Vault.

Situation:

  • Full cloud device management (Azure AD Joined devices, Intune managed)
  • No LAPS solution, because of no on-premise Active Directory

Microsoft Local Administrator Password Solution (LAPS) is a password manager that utilises Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. LAPS is a great mitigation tool against lateral movement and privilege escalation, by forcing all local Administrator accounts to have unique, complex passwords, so an attacker compromising one local Administrator account can’t move laterally to other endpoints and accounts that may share that same password. A benefit, compared to other password managers, is that LAPS does not require additional computers, or application servers, to manage these passwords. The management of these passwords is done entirely through Active Directory components.

Target:

  • Deploying LAPS, serverless, without an on-premise Active Directory.

I’ve stumbled across this blog post: https://www.srdn.io/2018/09/serverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault/ but it’s a bit outdated with all the Azure changes in the last year, so I decided to update it. Credits to John Seerden for the PowerShell scripts though.  

 

1. Deploy an Azure Function App & configure it

In the Azure Portal, navigate to Function Apps and click on ‘Add’ to create a new Function App. Choose a Subscription and a Resource Group (or create a new one), give your Function App a name and as Runtime stack choose ‘PowerShell Core (Preview)’. Click on ‘Next’.  

Choose or create a new storage account, leave the Operating System setting on ‘Windows’. And choose a plan type. In my scenario I choose for Consumption. Click on ‘Next’.  

Choose if you want to enable Application Insights (not necessary) and click on ‘Review + Create’  After the validation, click on ‘Create’ to deploy the Function App.

Navigate to the function App, and click on ‘Platform features’.  

Click on ‘Identity’.  

In ‘System Assigned’ switch the status to ‘On’. Click on ‘Save’.

A system assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. We’ll grant this managed identity access to our Key Vault later on.  

Our Function App also requires a minimum TLS version of 1.2, so go back to the ‘Platform Features’ and click on ‘SSL’.  

Set HTTPS Only to ‘On’ and select Minimum TLS Version of ‘1.2’. Click on ‘Refresh’.   

 

2. Deploy an Azure Key Vault and grant our Managed Service Identity access

In the Azure Portal, navigate to Key Vaults and click on ‘Add’ to create a new Key Vault. Choose a Subscription and a Resource Group (or create a new one), give your Key Vault a name and leave the pricing tier on ‘Standard’. Click on ‘Next’.

Click on ‘Add Access Policy’.  

Select ‘Set’ in secret permissions. Afterwards click on ‘Select principal’.

Here we will choose our newly made Funtion App (which we gave a system assigned managed identity).  Select the principal & click on ‘Add’.

You’ll see this screen next when it’s done right:  

Click on ‘Review + Create’ and after validation click on ‘Create’.  

 

3. Create and test the Azure Function

Go back to your Function App. Select the Function and click on ‘New Function’.  

Choose ‘HTTP Trigger’.  

Give it the name ‘Set-KeyVaultSecret’. Authorisation level is ‘Function’. Click on ‘Create’.  

Once deployed, click on your ‘Set-KeyVaultSecret’ function and delete all the code. You’ll function will be blank now:

Download Set-KeyVaultSecret.ps1 from https://github.com/jseerden/SLAPS and insert the code in your Function App. Edit the $keyVaultName variable with the name of your Key Vault. Click on ‘Save’.

Now you can test the function by clicking on ‘Test’. Add the following code in the ‘Request body’ field. Click on ‘Run’.

{
    “keyName”: “TEST-PC01”,
    “contentType”: “Local Administrator Credentials”,
    “tags”: {
        “Username”: “localadmin”
    }
}
 
Be aware, if you copy paste from my site you have to replace the ” with new ones inside the Function App, otherwise you’ll get errors. 
Navigate to your Key vault and check if the local admin credentials are stored there. Click on TEST-PC01.
Click on the current version of TEST-PC01
Click on ‘Show secret value’, your local admin password is stored there:
 
 

4. Deploy the PowerShell script with Intune

First we need the Function App URL. Navigate to your SetKeyVaultSecret Function App. Click on ‘Get Function URL’.

Click on ‘Copy’.

Download New-LocalAdmin.ps1 from https://github.com/jseerden/SLAPS and edit the following variables:

$uri = ‘PASTE URL HERE’

Save the .ps1 file.

Navigate to the Intune dashboard (https://devicemanagement.microsoft.com/). Go to Devices – PowerShell scripts. Click on ‘Add’ to upload our New-LocalAdmin.ps1 script.

Name your script and click on ‘Next’.

Choose your modified .ps1 script and leave the 3 settings on ‘No’.

Deploy it to your testgroup. And follow up. You should see that the script got deployed successfully to your target device.

And if you check again in your Azure Key Vault, the local admin password of your device should be there too:

 

Happy testing! 

 


More articles on Intune: