How to Audit for LAPS Grab in Azure AD (typically used with Intune)
LAPS offers an effective method to limit local administrative privileges by generating a unique password for each Windows computer in your enterprise. However, for enhanced security and compliance, it's advisable to monitor who is accessing the passwords for specific machines. For Azure-joined devices, go to your Azure portal, navigate to Devices > Audit Logs, and search for “Recover device local administrator password”, as shown in the example below.
You can then click on the event to view more information as shown here.
This system effectively restricts access to clear-text passwords, ensuring only individuals with specific administrative roles, like Global Administrators, Cloud Device Administrators, and Intune Administrators, can access them.
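To review these events in bulk rather than one at a time in the portal, the audit log can be exported and filtered by script. The following is an added example, not part of the original article: it assumes records exported as JSON in the shape of the Microsoft Graph directoryAudit resource, and the sample events, helper names, and the threshold of three devices in one hour are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACTIVITY = "Recover device local administrator password"

def _rec(when, upn, device, activity=ACTIVITY, result="success"):
    # Constructed record; field names follow the Microsoft Graph directoryAudit resource.
    return {"activityDateTime": when, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": device, "type": "Device"}]}

SAMPLE = [  # constructed events, not real log data
    _rec("2024-05-02T09:14:07Z", "helpdesk1@example.test", "LAPTOP-001"),
    _rec("2024-05-02T10:00:00Z", "admin2@example.test", "LAPTOP-002"),
    _rec("2024-05-02T10:05:00Z", "admin2@example.test", "LAPTOP-003"),
    _rec("2024-05-02T10:20:00Z", "admin2@example.test", "LAPTOP-004"),
    _rec("2024-05-02T10:30:00Z", "admin2@example.test", "LAPTOP-004", activity="Update device"),
]

def actor_of(record):
    """UPN of the user, or the app name when a service principal made the call."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def laps_recoveries(records):
    """(time, actor, device, result) for each LAPS password recovery, oldest first."""
    events = []
    for r in records:
        if r.get("activityDisplayName") == ACTIVITY:
            when = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
            device = (r.get("targetResources") or [{}])[0].get("displayName", "unknown")
            events.append((when, actor_of(r), device, r.get("result")))
    return sorted(events, key=lambda e: e[0])

def bulk_readers(events, threshold=3, window=timedelta(hours=1)):
    """Actors who recovered passwords for >= threshold distinct devices within window."""
    by_actor = defaultdict(list)
    for when, actor, device, result in events:
        if result == "success":
            by_actor[actor].append((when, device))
    flagged = {}
    for actor, hits in by_actor.items():
        for i, (start, _) in enumerate(hits):
            devices = {d for t, d in hits[i:] if t - start <= window}
            if len(devices) >= threshold:
                flagged[actor] = sorted(devices)
                break
    return flagged
```

Calling `bulk_readers(laps_recoveries(SAMPLE))` returns the accounts worth a follow-up, which can then be checked against the administrative roles that are expected to retrieve these passwords.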