HELP FILE

Add and Manage LastPass Admin Policies

LastPass Business accounts offer a number of configurable and recommended policies around security levels and password strength that you can add, edit, or delete as an admin. Each policy can be applied to all users, or an inclusive or exclusive list of users. With over 100 policies available for you to add and configure, you can achieve the most optimal security performance with LastPass. All policies for LastPass Business accounts have been categorized and displayed on separate tabs, and are also searchable in the Admin Console under Settings > Policies.

Note: Are you seeing something different? Please see any of the following:

Full policy list

You can view all available policies for LastPass Business on the LastPass Policy page at https://lastpass.com/policy_doc.php. Please note that you must be actively logged in with a LastPass Business account in order to view the full list of policies available.

Note:  LastPass Business policies are separate from those available in the LastPass SSO and/or MFA Admin Console – please see Policy Management for more information.

Policy categories

These policy categories include:

  • Overview – These policies are currently configured and enforced for your account by a company administrator, and includes both enabled and default policies
  • Default – These policies are enabled by default for all users (but can be disabled or configured otherwise)
  • Recommended – These policies are disabled by default but are recommended by LastPass to enable and configure to best suit the business needs of your organization
  • Access Controls – These policies manage users' access to LastPass
  • Password Rules – These policies manage requirements for site passwords and when users create or use their master password
  • Account Restrictions – These policies enforce account restrictions for users
  • Administration – These policies manage general administration, including notifications and reporting for admins, limitations on user access for the Admin Console, and restrictions on upgrade prompts & PasswordPing checks
  • Multifactor – These policies manage all settings, restrictions, and requirements for Multifactor Authentication for users
  • Other – These are all other policies that do not fall under the previous categories

Please note that you must be actively logged in with a LastPass Business account in order to view the full list of policies available.

Note:  LastPass Business policies are separate from those available in the LastPass SSO and/or MFA Admin Console – please see Policy Management for more information.

Configure and enable a new policy

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Policies in the left navigation.
  3. Navigate to your desired policy in either of the following ways:
    • Use the Search field to enter keywords for the name of your desired policy, then click on the category tab that matches your search
      Note: The number next to the category tab(s) indicate the amount of policies that match your search criteria for each category.
    • Click on the category tab to locate your desired policy
  4. Toggle on the switch for your desired policy, then click Edit details.
  5. When applicable, enter data into the "Value" field based on the data type outlined in the description (e.g., IP Address, domain name, email address, country abbreviation, etc.).
  6. For the "Applies to" section, choose one of the following options:
    • All – Select this option to apply to all users on your account.
    • Inclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should be enforced.
    • Exclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should not apply.
  7. Optional: If desired, you can add Notes about the policy you are configuring.
  8. If applicable, select Enabled or Disabled to choose whether or not to enforce the policy immediately. If disabled, the policy will be added but not yet enforced, and can be enabled later.
  9. If applicable, click Add new policy values if you want to create additional configurations with different values that are based on specific Inclusive or Exclusive user lists.

    Example: For example, you can configure a policy that prohibits all users from exporting LastPass data except for those users who are admins.

  10. Click Save Changes.

What to do next: If you configured a policy as Disabled and are now ready to enable it, you will need to locate the policy and toggle on the switch to enforce it.

Edit an existing policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Click the Overview tab and locate your desired policy.
  3. Click Edit details and make your desired changes to the policy configuration.
  4. Click Save Changes.

Delete a policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Locate your desired policy by using the Search field.
  3. Toggle off the switch for your policy.
  4. When prompted to delete, click OK to confirm removal.

About policies for federated users

For LastPass admins that implement federated login using AD FS, Azure AD, or Okta, please see the limitations for LastPass users with federated login.

About policies for LastPass Business accounts

Admins for LastPass Business accounts (which includes a LastPass Vault, integrated SSO, and passwordless authentication) can enforce the following policies:
  • The Require use of LastPass Authenticator (Advanced MFA add-on) policy can be enabled to require users to set up and use the LastPass Authenticator when accessing their LastPass Vault. This requires an account with LastPass Business + Advanced MFA add-on.
    Note: This policy includes use of passwordless authentication, unlink the "Require use of LastPass Authenticator" policy (which does not require the Advanced MFA add-on).
  • The Override default MFA methods allows to override the default MFA authentication methods. The default primary authentication method is "push", and the backup authentication method is "text/call". Use the Value field to offer different methods for users during setup. Enter the following numbers separated by commas:
    • 1 - Push notifications via LastPass Authenticator

      2 - Codes via TOTP compatible authenticator app (such as Google, Microsoft, Okta, etc.)

    • 3 - Text/Call
    • 4 - YubiKey OTP
    For example, enter the value 1,3,4 to show users these three options during MFA setup:
    • 1 - Push notification via LastPass Authenticator

    • 3 - Text/Call

    • 4 - YubiKey OTP

    In this example any method not chosen as primary can be chosen as a backup in case the primary is unavailable.

  • The Hide Cloud Apps from end users policy can be enabled to hide the Cloud Apps Vault menu item (used for integrated SSO) from appearing in the left navigation of users' LastPass Vaults (if the admin has already implemented their own single sign-on solution or does not need to use LastPass integrated SSO).

Not sure what type of LastPass account you have? Learn more about LastPass business accounts.