Android app utilizing Microsoft Graph API to get LAPS passwords stored in Entra ID (formerly Azure AD)

NathanJepson/LAPSFieldTool_v2

LAPSFieldTool_v2

This is an Android app utilizing the Microsoft Graph API to retrieve LAPS (Local Administrator Password Solution) passwords stored in Entra ID.

VirusTotal link: https://www.virustotal.com/gui/file/2d7d2b61be063ea9cd6c9675588781bbeb8048be4789eaa0bee5ce1393a3f549/details

Prerequisites: Phone running Android 15 (I'm sorry.)

  1. You will need to set up an app in Entra ID and give it these two permissions:

     Device.Read.All

     DeviceLocalCredential.Read.All

  2. Then take note of the "client ID" and the "tenant ID", which are shown on the app's info page (reached via the ApplicationMenuBlade in Entra ID).

  3. Then add a "client secret" to the app, under the link next to "client credentials" (also on the app info page). Note that certificate login is not supported.

How it works: You supply the tenant ID, the client ID of your Entra ID app, and the client secret in the login form. From the dropdown, select "ServerAd" for a hybrid Azure / AD environment or "AzureAd" for a cloud-only environment. After you press the login button, the app logs in to MicrosoftOnline.com (i.e., it obtains a bearer token from that endpoint). After a successful first login, the device remembers your client ID and tenant ID. The app then automatically retrieves the list of devices from Entra ID via the Microsoft Graph API (one request per 100 devices, following @odata.nextLink automatically). You can filter the device list by device name using the search bar.

Once you click a device, the app queries the Microsoft Graph API for the list of LAPS passwords for that specific device, each with its last backup date. The API returns the passwords base64-encoded; the app decodes them for you. Note: the app should also redirect you to the login activity once the bearer token expires (usually after 1 hour, i.e., 3600 seconds).
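The two Graph calls described above (paging through /devices via @odata.nextLink, then decoding the base64 passwords in a deviceLocalCredentials response), as an added Python example that is not the app's Kotlin code. The endpoint paths and property names are Graph's; the device identifier the deviceLocalCredentials key expects is left to the Graph docs, and the sample responses, device names and password are constructed so the demo runs offline.

```python
import base64
import json
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_get(url: str, token: str) -> dict:
    """Live GET with the bearer token from login.microsoftonline.com; HTTP 401 means it expired."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_devices(fetch: Callable[[str], dict], page_size: int = 100) -> Iterator[dict]:
    """Yield every device object, following @odata.nextLink until Graph stops sending one."""
    url = f"{GRAPH}/devices?$select=id,deviceId,displayName&$top={page_size}"
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page, which ends the loop

def laps_entries(fetch: Callable[[str], dict], device_id: str) -> list[dict]:
    """Fetch deviceLocalCredentialInfo for one device and decode each passwordBase64 field."""
    info = fetch(f"{GRAPH}/directory/deviceLocalCredentials/{device_id}?$select=credentials")
    return [{"account": c["accountName"], "sid": c["accountSid"],
             "backup_date": c["backupDateTime"],
             # plaintext local-admin password: show it on screen, never log or persist it
             "password": base64.b64decode(c["passwordBase64"]).decode("utf-8")}
            for c in info.get("credentials", [])]

# Constructed sample responses standing in for Graph so the demo runs offline: two device
# pages of one device each, and one LAPS credential for the first device.
_PAGE1 = f"{GRAPH}/devices?$select=id,deviceId,displayName&$top=1"
_PAGE2 = f"{GRAPH}/devices?$skiptoken=constructed"
SAMPLE = {
    _PAGE1: {"value": [{"id": "obj-1", "deviceId": "dev-1", "displayName": "Desktop-J"}],
             "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"id": "obj-2", "deviceId": "dev-2", "displayName": "Desktop-T"}]},
    f"{GRAPH}/directory/deviceLocalCredentials/dev-1?$select=credentials": {"credentials": [
        {"accountName": "Administrator", "accountSid": "S-1-5-21-0-0-0-500",
         "backupDateTime": "2024-01-02T03:04:05Z",
         "passwordBase64": base64.b64encode(b"Example!Pass#1").decode("ascii")}]},
}

def demo() -> list[dict]:
    """Page through the sample devices, then decode the LAPS entries for the first one."""
    devices = list(iter_devices(SAMPLE.__getitem__, page_size=1))
    return laps_entries(SAMPLE.__getitem__, devices[0]["deviceId"])
```

Against a real tenant, pass `lambda u: graph_get(u, token)` as `fetch` instead of `SAMPLE.__getitem__`, with `token` obtained via the client-credentials flow described above.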

[Screenshot: Login Activity, with fields for tenant ID, client ID and client secret, and a dropdown currently set to "ServerAd" for a hybrid environment.]

[Screenshot: Main Activity, showing a list of clickable devices; "Desktop" has been typed in the search field and two devices, "Desktop-J" and "Desktop-T", are shown.]

[Screenshot: Computer Activity, showing the PC name at the top, followed by timestamps for "Last Backup" and "Next Refresh", then three dark blue boxes with LAPS password entries, each with fields for "Account" (Administrator here), "SID", "Backup Date" (a timestamp), "Base64 password" and "Password" (shown in green).]

Disclosure: Big, big, thanks to Claude 3.7, who helped make this project a 3-day project instead of like a 2-week project. Some of the files were almost entirely generated by Claude, such as the "APIServiceClasses.kt" and "ComputerActivity.kt" and "item_credential.xml".