I am trying to create a local admin account for my lab machines with unique passwords. I have around 25 machines in the lab. I am looking to see if there is any way we can store the password in Azure Key Vault so that, if the password is rotated in Azure Key Vault, the authentication picks up the updated password and authorizes the user. I have to rotate the password quite often, usually once every couple of days. The end user would receive the password with which he can log in.

Oliver (best answer):

This is too complex a task to put into a simple answer. You have to divide your problem into smaller ones. Here are the building blocks I would see:

  • Create an authenticated web API that allows CRUD operations against your Azure Key Vault (maybe with ASP.NET Core or Azure Functions, etc.)
  • Create a Windows service that runs on your lab machines, is able to change the local admin account's password and can communicate with your web API.
  • Create an authenticated web page where you can log in and read the username and password.

All of these steps have to be divided further on their own and are not trivial. Also, some additional features could make sense, like:

  • when a username/password is given out, a log entry is written about who got this username/password and when.
  • when a username/password is given out, the Windows service is informed (maybe by regular polling from the Windows service or some back channel like SignalR or a Redis channel) and produces a new password a given time later (e.g. 8 hours later).

Nevertheless, this is a complex project that needs at least several weeks to be implemented correctly, even if you know how all these technologies work.
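The rotation half of the Windows-service building block from the answer above (generate a password, publish it to Key Vault, apply it locally, re-run on a timer), written as an added PowerShell example; it is not code from the answer or from any project. The vault name `lab-kv`, the account name `labadmin`, the secret naming scheme `localadmin-<hostname>`, the task name and the managed-identity sign-in (`Connect-AzAccount -Identity`, which needs an Azure VM or Azure Arc-enabled server) are assumptions; adjust them to how your lab machines authenticate to Azure.

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault
<#
  Added example, not code from the answer above.
  Rotates a local admin password and publishes it to Azure Key Vault.
  Assumptions (hypothetical): vault 'lab-kv', local account 'labadmin',
  the machine signs in with a managed identity (Azure VM or Azure Arc-enabled server)
  that has only the Set secret permission on the vault.
  Run once with -Install (elevated) to register the scheduled task that re-runs it every N hours.
#>
param(
    [string]$VaultName        = 'lab-kv',
    [string]$AccountName      = 'labadmin',
    [int]   $RotateAfterHours = 48,
    [int]   $Length           = 24,
    [switch]$Install
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet without look-alike glyphs (0/O, 1/l/I) because a human reads this off a web page.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection threshold: avoids modulo bias
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -ge $limit) { continue }  # redraw instead of biasing toward low indexes
        $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
        $i++
    }
    $rng.Dispose()
    return -join $chars
}

function Install-RotationTask {
    # Stands in for the "Windows service" building block: SYSTEM re-runs this script on a timer.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -VaultName $VaultName -AccountName $AccountName -RotateAfterHours $RotateAfterHours"
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
                     -RepetitionInterval (New-TimeSpan -Hours $RotateAfterHours)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Rotate-LocalAdminPassword' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Install) { Install-RotationTask; return }

# 1. Sign in as the machine itself; no client secret or certificate is stored on the box.
Connect-AzAccount -Identity | Out-Null

$plain      = New-RandomPassword -Length $Length
$secure     = ConvertTo-SecureString -String $plain -AsPlainText -Force
$secretName = "localadmin-$env:COMPUTERNAME"
$expires    = (Get-Date).ToUniversalTime().AddHours($RotateAfterHours)

# 2. Write to Key Vault FIRST. If this throws, the script stops and the current local
#    password stays valid, so a vault outage never locks you out. Each call creates a
#    new secret version; older versions stay readable for audit and rollback.
$null = Set-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -SecretValue $secure `
            -Expires $expires -ContentType 'local-admin-password' `
            -Tag @{ host = $env:COMPUTERNAME; account = $AccountName; rotatedAt = (Get-Date -Format o) }

# 3. Only now apply it locally. If this fails, the vault holds a version that was never
#    applied; the web API can compare the rotatedAt tag with a heartbeat from the machine
#    and re-trigger rotation.
Set-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires $true

# 4. Drop the plaintext from this process as soon as it is no longer needed.
Remove-Variable plain, secure
```

The order matters: publish to the vault before touching the local account, so a failed vault write leaves the known password in place rather than an unknown one on the box. The machine identity needs only the Set permission; the web page that hands the password to a user runs under a separate identity that has only Get (`Get-AzKeyVaultSecret -VaultName lab-kv -Name localadmin-<host> -AsPlainText`), and Key Vault diagnostic logging then records every read on the vault side, which complements the "who got it and when" log the answer suggests in the web API. Enable soft delete and purge protection on the vault so a rotated-out version cannot be destroyed before it has been reviewed.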