How do I configure my Azure AD account to use LastPass MFA for authentication?

You can configure both your Azure Active Directory account and LastPass Business account so that LastPass MFA can be used for authentication when you log in to any single sign-on app where you use your Azure Active Directory account.

Account requirements

  • A Premium tier subscription to Microsoft Azure Active Directory (required for use of conditional access – learn more)
  • An active trial or paid LastPass Business + Advanced MFA add-on account
  • An active LastPass Business + Advanced MFA add-on admin (required when activating your trial or paid subscription)

Set up and configure

Before you begin: Open a text editor application, which will be used in later steps to save copied values.
  • Configure the LastPass Admin Console.
    1. In your web browser toolbar, click the inactive LastPass icon .
    2. Enter your email address and Master Password, then click Log In.
    3. Once logged in, click the active LastPass icon in your web browser toolbar, then select Admin Console.

      Result: A new web browser window or tab will open and display the Password Manager Admin Console.

    4. Select MFA or SSO & MFA in the left navigation.
    5. Go to Advanced Options > Keys in the left navigation.
    6. Under OAuth, click Enable.
    7. In the Callback URL field, copy and paste the following URL: .
    8. Click Save.

      OAuth keys in Admin Console

    9. Under Client ID, click the Copy icon to copy the Client ID value to your clipboard, then paste it into your text editor application.
    10. Copy the JSON below and paste it into your text editor application. Replace < your unique Client ID > with the Client ID value you pasted earlier into your text editor application.


      "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",

      "ClientId": "<your unique Cliend ID>",

      "Controls": [


      "ClaimsRequested": [{"Type": "amr","Value": "2fa","Values": null


      "Id": "LastPassIdentityMFALogin",

      "Name": " LastPass Identity MFA Login "



      "DiscoveryUrl": "",

      "Name": "LastPass Identity MFA"


  • Configure Conditional Access for Azure AD.
    1. Sign in to your Azure AD account at
    2. Go to Azure Active Directory > Security > Conditional Access.
    3. Select Custom controls.
    4. Click New custom control.
    5. Copy the JSON from Step 10, then paste it in the custom control window. Please note that you must include your unique Client ID.

      New custom control in Azure AD portal

    6. Click Create > New Policy.
    7. Enter a name for your policy (e.g., LastPass Multifactor Authentication).
    8. Click Users and groups, then select your desired users and groups (e.g., All users).

      Assign users & groups in Azure AD portal

    9. Click Cloud apps or actions, then select the cloud application(s) for which you want to require Multifactor Authentication using the LastPass MFA app (e.g., All cloud apps).

      Assign Cloud apps in Azure AD portal

    10. Under Access controls, click Grant.
    11. Click the radio button for the Grant access option.
    12. Check the box to enable the LastPass Identity MFA Login option.
    13. When finished, click Select.

      Grant access in Azure AD portal

    14. Under Enable policy, toggle the switch to On.
    15. Click Create.

      Enable policy in Azure AD portal

      Result: You have completed the setup steps in the Azure AD portal, and your users are now required to use the LastPass MFA app for authentication.

  • Send the LastPass MFA app activation email to users.
    1. Send an activation email to all users who haven't already activated their account to use the LastPass MFA app (instructions here).

      Result: A new activation email is sent to all required users with instructions on how to activate LastPass MFA.

  • Setup is complete!
Going forward, when your users log in to Azure AD SSO with their Azure AD account password, they will be prompted to authenticate using the LastPass MFA app.