Local Administrator Password Not Displaying in Intune/Entra for Hybrid Azure AD–Joined Devices

Gokulraj 0 Reputation points
2026-04-01T17:11:45.12+00:00

My device is Hybrid Azure AD–joined and enrolled via Intune. Today I noticed the Local administrator password is not shown in the Intune/Entra portal for hybrid devices.

Microsoft Security | Intune | Other

2 answers

  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-04-07T09:45:47.8866667+00:00

    Hello Gokulraj,

    Since this is a Hybrid Azure AD–joined device, first check the Windows LAPS policy to confirm where the local administrator password is being backed up (Active Directory vs Microsoft Entra ID), as portal visibility depends on the backup location.

    [Screenshot: the options for the Backup Directory setting.]

    References related to LAPS are already shared in the previous response.

    Hope this helps!


  2. Q&A Assist
    2026-04-01T17:12:03.6466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For hybrid Microsoft Entra joined devices, the local administrator password is only visible in Intune/Entra when all of the following are true:

    1. Windows LAPS is enabled in Microsoft Entra ID
      • In the Microsoft Entra admin center, go to Entra ID > Devices > Overview > Device settings and ensure Enable Local Administrator Password Solution (LAPS) is set to Yes.
      • This is required for Microsoft Entra join and Microsoft Entra hybrid join scenarios when backing up to Entra ID.
    2. The device’s LAPS policy is configured to back up to Microsoft Entra ID (Cloud)
      • Intune Windows LAPS policy must be set so that the backup directory is Cloud / Microsoft Entra ID, not on-premises Active Directory.
      • If the device is configured to back up the local admin password to on-premises Active Directory, Intune/Entra will not show the password. Only metadata in AD is available in that case.
    3. The viewing account has the correct Entra permissions
      To see the Local admin password value in Intune/Entra, the account must have:
      • microsoft.directory/deviceLocalCredentials/password/read, and
      • microsoft.directory/deviceLocalCredentials/standard/read.
      This can be granted by:
      • Assigning a built-in role such as Cloud Device Administrator or Intune Service Administrator, which already includes these actions, or
      • Creating and assigning a custom role with those permissions.
    4. Understand visibility limitations for hybrid devices
      • In Intune, the Local admin password field is only populated when the account password is backed up to Microsoft Entra ID.
      • For devices that are configured to use Active Directory as the backup directory, Intune explicitly does not show the password; only rotation metadata is visible.

    Given a hybrid Azure AD–joined device:

    • If the password is not showing in Intune/Entra, the most common causes are:
      • LAPS is backing up to on-premises AD instead of Entra ID, or
      • LAPS is not enabled in Entra ID, or
      • The viewing account lacks the required deviceLocalCredentials read permissions.

    To resolve:

    1. Verify LAPS is enabled in Entra ID (Device settings → Enable LAPS = Yes).
    2. Check the Intune Windows LAPS policy for the hybrid devices and confirm the backup directory is Cloud / Microsoft Entra ID if portal visibility is required.
    3. Ensure the admin account is assigned a role with microsoft.directory/deviceLocalCredentials/password/read and standard/read.
    4. After policy changes, allow the device to check in and rotate the password; then re-check the Local admin password blade in Intune or Entra.
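
A device-side check for the backup location that both answers point to, as an added example that is not part of either original answer. The registry roots, their precedence and the 0/1/2 `BackupDirectory` values are taken from Microsoft's Windows LAPS documentation rather than from this page, and the function names are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the affected device.
# Windows LAPS uses the first policy root below that contains settings; roots are not merged.
$policyRoots = [ordered]@{
    'CSP (Intune)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local config' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
}
# BackupDirectory values defined by Windows LAPS.
$backupTargets = @{ 0 = 'Disabled'; 1 = 'Microsoft Entra ID'; 2 = 'Active Directory' }

function Get-LapsEffectiveBackup {   # hypothetical helper name
    foreach ($source in $policyRoots.Keys) {
        $settings = Get-ItemProperty -Path $policyRoots[$source] -ErrorAction SilentlyContinue
        if ($null -eq $settings) { continue }   # root absent or empty: try the next one
        # A root with settings but no BackupDirectory value means the default, 0 (disabled).
        $value = if ($null -ne $settings.BackupDirectory) { [int]$settings.BackupDirectory } else { 0 }
        return [pscustomobject]@{
            PolicySource     = $source
            BackupDirectory  = $value
            BackupTarget     = $backupTargets[$value]
            PasswordInPortal = ($value -eq 1)   # only Entra ID backup populates Intune/Entra
        }
    }
    [pscustomobject]@{ PolicySource = 'None'; BackupDirectory = $null
                       BackupTarget = 'No Windows LAPS policy found'; PasswordInPortal = $false }
}

function Get-DeviceJoinState {   # hypothetical helper name
    $status = dsregcmd.exe /status
    $state = [ordered]@{}
    foreach ($name in 'AzureAdJoined', 'DomainJoined') {
        $line = $status | Select-String -Pattern "^\s*$name\s*:\s*(\w+)" | Select-Object -First 1
        $state[$name] = if ($line) { $line.Matches[0].Groups[1].Value } else { 'Unknown' }
    }
    [pscustomobject]$state
}

Get-DeviceJoinState | Format-List       # hybrid join shows both values as YES
Get-LapsEffectiveBackup | Format-List

# Recent Windows LAPS activity (policy processing, backup and rotation results).
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

If `PolicySource` is not the Intune CSP root, another policy source is supplying the setting on that device, so check it before changing the Intune policy.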
