Nessus now has Entra LAPS Support Summary: Nessus now has...
Nessus now has Entra LAPS Support Summary: Nessus now has the ability to leverage accounts managed by Microsoft Entra LAPS. How LAPS works: Since LAPS managed accounts have their passwords rotated routinely, users cannot just directly provide the credentials in their Scan Policy. Before this change, users would instead have to make an additional privileged account on each LAPS enabled Host to provide to Nessus. Now that Nessus can communicate with an Entra LAPS setup, customers no longer need to have or provide those extra privileged accounts. This means less exposure and less redundancy in a customer’s environment. Change: With this LAPS support change, during the startup phase of a scan, Nessus will reach out to a Microsoft Entra Tenant and pull a list of all Local Admin Accounts managed by LAPS. Nessus will then attempt to use these Entra provided LAPS managed accounts as credentials when attempting to access a target host. The LAPS credentials found are not stored or kept in the scanner configuration any way and only exist in memory at runtime. Each time a Scan is initiated with LAPS support enabled, it will do a fresh pull of credentials. How to enable it: To make use of Nessus’ Entra LAPS support, customers need a Registered App in their Entra Tenant with the DeviceLocalCredential.Read.All permission. These Registered App permissions are what allows an App to access the LAPS managed accounts. Customers with an existing Registered App can configure them for use in Nessus by simply granting the Registered App the DeviceLocalCredential.Read.All permission, allowing Nessus to access LAPS data. Customers without a Registered App will need to create a new one, and provide it as a [Cloud Services Microsoft Azure/Entra Credential] in your Scan Policy. For additional information see: https://docs.tenable.com/identity-exposure/3_x/Content/Admin/entra_id_support.htm#Configure-Microsoft-Entra-ID-settings and https://docs.tenable.com/vulnerability-management/Content/Settings/Credentials/CreateManagedCredential.htm Impact: Customers using Rotating Host passwords managed through Microsoft Entra LAPS can now leverage these credentials in their Nessus scans for more secure scanning configurations. Target Release Date: Immediate
