HELP FILE

How do I configure my Azure AD account to use LastPass MFA for authentication?

You can configure both your Azure Active Directory account and LastPass Business account so that LastPass MFA can be used for authentication when you log in to any single sign-on app where you use your Azure Active Directory account.

Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

Account requirements

  • A Premium tier subscription to Microsoft Azure Active Directory (required for use of conditional access – learn more)
  • An active trial or paid LastPass Business + Advanced MFA add-on account
  • An active LastPass Business + Advanced MFA add-on admin (required when activating your trial or paid subscription)

Set up and configure

Note: Policies are not enforced by LastPass in this configuration. All policies have to be configured in Azure AD using Conditional Access policy (for example, location restriction, biometrics, and so on).
Before you begin: Open a text editor application, which will be used in later steps to save copied values.
  • Configure the new Admin Console.
    1. Log in with your email address and Master Password to access the new Admin Console at https://admin.lastpass.com/uac.
    2. Go to Applications > MFA Apps.
    3. Click Add App, select Microsoft Azure AD.
    4. Click Save & continue.
    5. In the Set up integration window, copy the integration key, then paste it into your text editor application; this value is your Client ID.
    6. Click Finish.
    7. Copy the JSON below and paste it into your text editor application. Replace <your unique Client ID> with the Client ID value you saved in your text editor application.

      {
        "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
        "ClientId": "<your unique Client ID>",
        "Controls": [
          {
            "ClaimsRequested": [
              {"Type": "amr", "Value": "2fa", "Values": null}
            ],
            "Id": "LastPassIdentityMFALogin",
            "Name": "LastPass Identity MFA Login"
          }
        ],
        "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
        "Name": "LastPass Identity MFA"
      }

  • Configure Conditional Access for Azure AD.
    1. Sign in to your Azure AD account at https://portal.azure.com.
    2. Go to Azure Active Directory > Security > Conditional Access.
    3. Select Custom controls.
    4. Click New custom control.
    5. Copy the JSON from Step 7, then paste it in the custom control window.

      Note: You must include your unique Client ID.
      New custom control in Azure AD portal

    6. Click Create > New Policy.
    7. Enter a name for your policy (for example, LastPass Multifactor Authentication).
    8. Click Users and groups, then select your desired users and groups (for example, All users).

      Assign users & groups in Azure AD portal

    9. Click Cloud apps or actions, then select the cloud application(s) for which you want to require Multifactor Authentication using the LastPass Authenticator (for example, All cloud apps).

      Assign Cloud apps in Azure AD portal

    10. Under Access controls, click Grant.
    11. Click the radio button for the Grant access option.
    12. Check the box to enable the LastPass Identity MFA Login option.
    13. When finished, click Select.

      Grant access in Azure AD portal

    14. Under Enable policy, toggle the switch to On.
    15. Click Create.

      Enable policy in Azure AD portal

      Result: You have completed the setup steps in the Azure AD portal, and your users are now required to use the LastPass Authenticator for authentication.

  • Send the LastPass Authenticator app activation email to users.
    1. Send an activation email to all users who haven't already activated their account to use the LastPass Authenticator (instructions here).

      Result: A new activation email is sent to all required users with instructions on how to activate passwordless authentication.

Going forward, when your users log in to Azure AD SSO with their Azure AD account password, they will be prompted to authenticate using the LastPass Authenticator.
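As an added example that is not part of this help file or of LastPass's own tooling: a small Python helper that fills the Client ID into the custom-control JSON from Step 7 and checks the result before it is pasted into the Azure AD portal, so that a leftover placeholder, a changed AppId, a non-HTTPS discovery URL, or a control that no longer requests the amr=2fa claim is caught early. The template is copied from this page; the key value in the usage line is a constructed placeholder.

```python
import json
import re

# Custom-control template as given in the help file; only ClientId is tenant-specific.
CUSTOM_CONTROL_TEMPLATE = {
    "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
    "ClientId": "<your unique Client ID>",
    "Controls": [
        {
            "ClaimsRequested": [{"Type": "amr", "Value": "2fa", "Values": None}],
            "Id": "LastPassIdentityMFALogin",
            "Name": "LastPass Identity MFA Login",
        }
    ],
    "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
    "Name": "LastPass Identity MFA",
}

# Matches an unreplaced "<...>" placeholder left over from the template.
PLACEHOLDER = re.compile(r"^<.*>$")


def build_custom_control(client_id: str) -> str:
    """Return the custom-control JSON with the LastPass integration key filled in."""
    doc = json.loads(json.dumps(CUSTOM_CONTROL_TEMPLATE))  # deep copy of the template
    doc["ClientId"] = client_id.strip()
    return json.dumps(doc, indent=2)


def validate_custom_control(text: str) -> list:
    """Return the problems found; an empty list means the JSON is ready to paste."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    client_id = doc.get("ClientId", "")
    if PLACEHOLDER.match(client_id):
        problems.append("ClientId still contains the placeholder; paste your integration key")
    elif not client_id:
        problems.append("ClientId is empty")
    if doc.get("AppId") != CUSTOM_CONTROL_TEMPLATE["AppId"]:
        problems.append("AppId does not match the value given in the help file")
    if not doc.get("DiscoveryUrl", "").startswith("https://identity.lastpass.com/"):
        problems.append("DiscoveryUrl must be the HTTPS LastPass OpenID discovery endpoint")
    claims = [c for ctl in doc.get("Controls", []) for c in ctl.get("ClaimsRequested", [])]
    if not any(c.get("Type") == "amr" and c.get("Value") == "2fa" for c in claims):
        problems.append("no control requests the amr=2fa claim, so MFA would not be required")
    return problems
```

Run `validate_custom_control(build_custom_control("constructed-example-key"))` and paste the JSON only when the returned list is empty.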
