Why I Built LAPSr
The Problem
It was a Tuesday afternoon, and I was on-site at a client when a workstation locked up mid-session. The local admin password had rotated via LAPS. Standard situation. Except I'd left my laptop in the car, and all I had was my phone.
What followed was a four-step ordeal: open the VPN app, authenticate, navigate to the Intune admin center in a mobile browser (which is painful), find the device, click three times to surface the LAPS password, copy it, switch back to the remote session tool, paste it.
Four steps. On a phone. While standing in front of a user who was watching.
The Build
LAPSr started as a weekend project. I wanted two things: authenticate once with my Microsoft account, and get the LAPS password in two taps.
Authentication is handled by MSAL (Microsoft Authentication Library). The app requests only the minimum permission it needs, DeviceManagementManagedDevices.Read.All, and nothing more.
The device list is cached locally so you can browse offline and search without a network call on every keystroke. Password retrieval always hits the Graph API live, since you don't want a stale password.
What I Learned
Building for the Microsoft ecosystem is both easier and harder than I expected. The Graph API is genuinely good once you get past the documentation. MSAL handles the OAuth dance cleanly. The hard part was the Intune device schema — it's inconsistent across device types in ways that took a while to smooth over.
The other thing I learned: IT admins are a loyal user base when you solve a real problem. The first beta had 40 testers within 48 hours, sourced entirely from a Reddit post in r/sysadmin.
What's Next
LAPS v2 (Windows LAPS) support is coming. The schema is different from legacy LAPS and requires a different Graph endpoint. I'm also looking at adding a quick-copy widget for iOS so you can get the password without even opening the app.
If you manage Microsoft environments and want to try it, reach out.