HELP FILE

How do I configure my Azure AD account to use the LastPass MFA app for authentication?

You can configure your Azure Active Directory account together with your LastPass MFA or LastPass Identity account so that the LastPass MFA app is used for authentication whenever you log in to a single sign-on app with your Azure Active Directory account.

Account requirements

  • A Premium tier subscription to Microsoft Azure Active Directory (required for use of conditional access)
  • An active trial or paid LastPass MFA or LastPass Identity account
  • An active LastPass MFA or LastPass Identity admin (required when activating your trial or paid subscription)

Configure the LastPass Admin Console

  1. Open a text editor application, which will be used in later steps.
  2. In your web browser toolbar, click the inactive LastPass icon.
  3. Enter your username and Master Password, then click Log In.
  4. If prompted, complete the steps for Multifactor Authentication (if it is enabled on your account).
  5. Once logged in, click the active LastPass icon in your web browser toolbar, then select Admin Console.
  6. A new web browser window or tab will open and display the Password Manager Admin Console.
  7. Click MFA or SSO & MFA in the left navigation.
  8. Go to Advanced Options > Keys in the left navigation.
  9. Under OAuth, click Enable.
  10. In the Callback URL field, copy and paste the following URL: https://login.microsoftonline.com/common/federation/OAuth2ClaimsProvider
  11. Click Save.
  12. Under Client ID, click the Copy icon to copy the Client ID value to your clipboard, then paste it into your text editor application.
  13. Copy the JSON below and paste it into your text editor application. Replace <your unique Client ID> with the Client ID value you pasted earlier into your text editor application.

    {
      "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
      "ClientId": "<your unique Client ID>",
      "Controls": [
        {
          "ClaimsRequested": [{"Type": "amr", "Value": "2fa", "Values": null}],
          "Id": "LastPassIdentityMFALogin",
          "Name": "LastPass Identity MFA Login"
        }
      ],
      "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
      "Name": "LastPass Identity MFA"
    }

Configure Conditional Access for Azure AD

  1. Sign in to your Azure AD account at https://portal.azure.com.
  2. Go to Azure Active Directory > Security > Conditional Access.
  3. Select Custom controls.
  4. Click New custom control.
  5. Copy the JSON from Step #13 (in the previous section), then paste it in the custom control window. Please note that you must include your unique Client ID.
  6. Click Create.
  7. Click New Policy.
  8. Enter a name for your policy (e.g., LastPass Multifactor Authentication).
  9. Click Users and groups, then select your desired users and groups (e.g., All users).
  10. Click Cloud apps or actions, then select the cloud application(s) for which you want to require Multifactor Authentication using the LastPass MFA app (e.g., All cloud apps).
  11. Under Access controls, click Grant.
  12. Click the radio button for the Grant access option.
  13. Check the box to enable the LastPass Identity MFA Login option.
  14. When finished, click Select.
  15. Under Enable policy, toggle the switch to On.
  16. Click Create.

You're all set! Going forward, when your users log in to Azure AD SSO with their Azure AD account password, they will be prompted to authenticate using the LastPass MFA app.
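A pre-flight check for the custom control definition before it is pasted into Azure, added here as an example; it is not part of this article and not LastPass or Microsoft tooling, and the Client ID in the sample is made up. lint_custom_control catches the mistakes the steps above warn about (placeholder left in, padded control name, missing amr=2fa claim), and satisfies_control shows what the control actually asks Azure to enforce: the ID token returned by the claims provider must carry an amr claim containing 2fa.

```python
import json
import re

# Constructed sample: the control from this article, with a made-up Client ID
# in place of the placeholder (not a real LastPass value).
SAMPLE_CONTROL = """{
  "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
  "ClientId": "example-client-id-0123",
  "Controls": [{"ClaimsRequested": [{"Type": "amr", "Value": "2fa", "Values": null}],
                "Id": "LastPassIdentityMFALogin", "Name": "LastPass Identity MFA Login"}],
  "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
  "Name": "LastPass Identity MFA"
}"""

# Matches the article's placeholder whether or not it was typed with the "Cliend" typo.
PLACEHOLDER = re.compile(r"<\s*your unique clien[dt] id\s*>", re.IGNORECASE)


def lint_custom_control(text):
    """Return the problems found in a custom control definition ([] if it is clean)."""
    problems = []
    try:
        ctl = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    if not ctl.get("ClientId") or PLACEHOLDER.search(ctl["ClientId"]):
        problems.append("ClientId placeholder was not replaced")
    url = ctl.get("DiscoveryUrl", "")
    if not (url.startswith("https://") and url.endswith("/.well-known/openid-configuration")):
        problems.append("DiscoveryUrl is not an https OpenID discovery URL")
    for c in ctl.get("Controls") or [{}]:  # an empty list is reported via the missing fields
        for key in ("Id", "Name"):
            val = c.get(key) or ""
            if not val or val != val.strip():  # Azure shows Name verbatim in the Grant list
                problems.append(f"control {key} is empty or has surrounding whitespace")
        claims = c.get("ClaimsRequested") or []
        if not any(cl.get("Type") == "amr" and cl.get("Value") == "2fa" for cl in claims):
            problems.append("control does not request amr=2fa")
    return problems


def satisfies_control(token_claims, text):
    """True if decoded ID-token claims carry every claim the control requests (amr is a list)."""
    for c in json.loads(text)["Controls"]:
        for cl in c["ClaimsRequested"]:
            got, want = token_claims.get(cl["Type"]), cl["Value"]
            if got != want and not (isinstance(got, list) and want in got):
                return False
    return True
```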