Can I terminate LastPass Enterprise or Identity users?
There are several termination options available for LastPass administrators to use, each with varying degrees of severity. Please consider your options carefully prior to deleting or removing users. These actions can be performed manually via the Admin Console (as shown below), or can be automated using directory integration options.
If you are using Active Directory Federation Services (AD FS) for LastPass Enterprise or Identity, please be aware of the following:
- If you intend to convert an existing non-federated user (who was created using the same instance of the LastPass AD Connector) to a federated user, please see "How do I convert an existing LastPass user to a federated (AD FS) user?"
- If you want to convert an existing non-federated user that was created manually or by another method, the user's account must be deleted (not disabled or removed) before they can be created as a new federated user. To ensure that the user's LastPass account data can be fully restored without data loss during this process, the user must export their LastPass Vault data before their account is deleted.
Whether a user account is deleted, disabled, or removed from the LastPass Enterprise or Identity account, this will not impact any remaining users or their previously associated shared folders. However, if the departed user was the admin of a shared folder, that folder will be left without an admin. For this reason, it is recommended that you enable the "Permit super admins to access shared folders" policy for at least one admin.
As a best practice and an added precaution, we suggest that any shared credentials be changed upon the departure of an employee, regardless of how you choose to manage their exit from LastPass. These changes to any shared folder will automatically sync to all assigned users, and this will give you an added layer of security.
- Ensuring that sites/tools are no longer accessible by the employee: If the account owner created any passwords in their Vault, or if any credentials were shared visibly with them, then it is quite possible that they have stored this information elsewhere and could access these tools again in the future (outside of LastPass). To avoid any doubt, we strongly recommend updating all passwords when an employee account is terminated.
- Once an employee is terminated (disabled, deleted or removed), any data that the account owner has placed in a shared folder will remain fully intact for remaining users.
- In the case of shared folders, while you are never at risk of deleting the shared credentials, you are at risk of finding yourself with no remaining Admin on the folder (if the former account owner was the sole folder Admin). If this is a concern, you should consider enabling the "Permit super admins to access shared folders" policy.
- Please note that NONE of these actions will affect a Linked Personal Account, which is why we highly recommend that users store personal data within their Linked Personal Account rather than storing this type of data in their company account.