ESC
Type to search...
Navigate Open ESC Close

DeviceLocalCredential.Read.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read All Resources

Allows the app to read device local credential properties including passwords, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read device local credential passwords

Allows the app to read device local credential properties including passwords, without a signed-in user.

Permission ID: 884b599e-4d48-43a5-ba94-15c414d00588
Delegated Permission Admin consent required

Read device local credential passwords

Allows the app to read device local credential properties including passwords, on behalf of the signed-in user.

User sees: Allows the app to read device local credential properties including passwords, on your behalf.
Permission ID: 280b3b69-0437-44b1-bc20-3b2fca1ee3e9

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
accountName String The name of the local admin account for which LAPS is enabled.
accountSid String The SID of the local admin account for which LAPS is enabled.
backupDateTime DateTimeOffset When the local administrator account credential for the device object was backed up to Azure Active Directory.
passwordBase64 String The password for the local administrator account that is backed up to Azure Active Directory and returned as a Base64 encoded value.
id string The unique identifier for an entity. Read-only.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.deviceLocalCredential",
  "accountName": "String",
  "accountSid": "String",
  "backupDateTime": "DateTimeOffset",
  "passwordBase64": "String"
}

Relationships

Relationships metadata is not available for this permission mapping.

View resource documentation

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /directory/deviceLocalCredentials
GET /directory/deviceLocalCredentials/{deviceId}
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /directory/deviceLocalCredentials
GET /directory/deviceLocalCredentials/{deviceId}
No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs
No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Code Examples

C# / .NET SDK 
using Azure.Identity;
using Microsoft.Graph;

var scopes = new[] { "DeviceLocalCredential.Read.All" };
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        ClientId = "YOUR_CLIENT_ID",
        TenantId = "YOUR_TENANT_ID",
        RedirectUri = new Uri("http://localhost")
    });

var graphClient = new GraphServiceClient(credential, scopes);
var response = await graphClient
    .WithUrl("https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials")
    .GetAsync();
JavaScript 
import { Client } from "@microsoft/microsoft-graph-client";
import { InteractiveBrowserCredential } from "@azure/identity";

const credential = new InteractiveBrowserCredential({
  clientId: "YOUR_CLIENT_ID",
  tenantId: "YOUR_TENANT_ID",
  redirectUri: "http://localhost"
});

const token = await credential.getToken(["DeviceLocalCredential.Read.All"]);
const client = Client.init({
  authProvider: (done) => done(null, token.token)
});

const response = await client.api("/directory/deviceLocalCredentials").get();
PowerShell 
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"
Python 
from azure.identity import InteractiveBrowserCredential
import requests

credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)

token = credential.get_token("DeviceLocalCredential.Read.All")
response = requests.get(
    "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials",
    headers={"Authorization": f"Bearer {token.token}"}
)

print(response.json())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for DeviceLocalCredential.Read.All

4

Grant Admin Consent

Application permissions always require admin consent.