HELP FILE

How do I manage policies as a LastPass admin?

LastPass Business accounts offer a number of configurable and recommended policies around security levels and password strength that you can add, edit, or delete as an admin. Each policy can be applied to all users, or to an inclusive or exclusive list of users (e.g., a policy that prohibits all users from exporting data except for those who are admins). With over 100 policies available for you to add and configure, you can tailor LastPass security to your organization's requirements.

Full policy list

You can view all available policies for LastPass Business on the LastPass Policy page at https://lastpass.com/policy_doc.php. Please note that you must be actively logged in with a LastPass Business account in order to view the full list of policies available.

Note: LastPass Business policies are separate from those available in the LastPass SSO and/or MFA Admin Console – please see Policy Management for more information.

Review recommended policies

You can view our LastPass Business Recommended Policies to help guide you through common scenarios and determine which policies best suit the business needs of your organization.


Add a new policy

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Policies in the left navigation.
  3. Click Add Policy.
  4. Use the drop-down menu to select your desired policy.
  5. When applicable, enter data into the "Value" field based on the data type outlined in the description (e.g., IP Address, domain name, email address, country abbreviation, etc.).
  6. For the "Applies to" section, choose one of the following options:
    • All – Select this option to apply to all users on your account.
    • Inclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should be enforced.
    • Exclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should not apply.
  7. Optional: If desired, you can add Notes about the policy you are configuring.
  8. If applicable, check the box for the Enabled option to enforce the policy immediately. If left unchecked, the policy is added but not yet enforced; you can edit the policy later to enable it.
  9. If applicable, click Add new policy values if you want to create additional configurations with different values that are based on specific Inclusive or Exclusive user lists.

    Example: You can configure a policy that prohibits all users from exporting LastPass data except for those users who are admins.

  10. Click Save.

What to do next: If you configured a policy as Disabled (by leaving the Enabled checkbox unchecked) and are now ready to enable it, you will need to locate the policy and toggle on the switch to enforce it.
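The "Applies to" scoping in steps 6 and 9 (All, Inclusive list, Exclusive list, plus the Enabled checkbox) is easiest to reason about when you can see it resolve for a concrete user. The following is an added illustration of those rules written for this help page; it is not LastPass's own code, and the policy names, user names, and group memberships in it are constructed. It assumes that a user or group name listed on a row matches the user directly or through any group they belong to, and that when several value rows apply, every matching value is reported rather than one overriding another.

```python
# Added example: a model of how a policy row's "Applies to" scope and its
# "Enabled" checkbox resolve for a given user. Illustration only, not
# LastPass's implementation; all names below are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PolicyRow:
    """One set of policy values, as created with 'Add new policy values'."""
    applies_to: str                     # "all", "inclusive" or "exclusive"
    users: frozenset = frozenset()      # individual user names and/or group names
    value: Optional[str] = None         # the "Value" field, when the policy takes one
    enabled: bool = True                # the "Enabled" checkbox


@dataclass
class Policy:
    name: str
    rows: list = field(default_factory=list)


def row_matches(row: PolicyRow, user: str, groups: set) -> bool:
    """True if this row is enabled and its scope includes the user (directly or via a group)."""
    if not row.enabled:
        return False                    # saved with Enabled unchecked: added, not enforced
    listed = bool(({user} | groups) & row.users)
    if row.applies_to == "all":
        return True
    if row.applies_to == "inclusive":
        return listed                   # enforced only for the named users/groups
    if row.applies_to == "exclusive":
        return not listed               # enforced for everyone except the named users/groups
    raise ValueError(f"unknown scope {row.applies_to!r}")


def effective_values(policy: Policy, user: str, groups: set) -> list:
    """Values of every enabled row that applies to the user (empty list = not enforced)."""
    return [row.value for row in policy.rows if row_matches(row, user, groups)]


def is_enforced(policy: Policy, user: str, groups: set) -> bool:
    return any(row_matches(row, user, groups) for row in policy.rows)


# The page's worked example: block exports for everyone except admins.
no_export = Policy("Prohibit export of LastPass data", [
    PolicyRow(applies_to="exclusive", users=frozenset({"admins"})),
])

# Constructed value-bearing policy (hypothetical name): a default row for all
# users plus an inclusive row carrying a different value for one group.
country = Policy("Allowed login country (hypothetical)", [
    PolicyRow(applies_to="all", value="US"),
    PolicyRow(applies_to="inclusive", users=frozenset({"berlin-office"}), value="DE"),
])

# A policy saved with "Enabled" left unchecked: present, but not yet enforced.
draft = Policy("Draft policy (hypothetical)", [
    PolicyRow(applies_to="all", enabled=False),
])


def directory_lookup(user: str) -> set:
    """Constructed stand-in for the account's user-to-group membership."""
    return {
        "alice": {"engineering"},
        "bob": {"admins"},
        "carol": {"berlin-office"},
    }.get(user, set())


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        g = directory_lookup(who)
        print(f"{who}: export blocked={is_enforced(no_export, who, g)} "
              f"countries={effective_values(country, who, g)} "
              f"draft enforced={is_enforced(draft, who, g)}")
```

Running it shows that bob, as a member of the admins group, is the only user the export prohibition does not reach, that carol picks up both the default "US" value and the group-specific "DE" value, and that the draft policy applies to nobody until its Enabled box is checked. A row listing a group name that no user actually belongs to, or an exclusive row whose list is empty, behaves exactly like an All row, which is worth checking before you save.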

Edit an existing policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Locate your desired policy, then click Edit under the "Action Menu" column.
  3. Make your desired changes, then click Save when finished.

Delete a policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Locate your desired policy, then click Delete under the "Action Menu" column.
  3. When prompted to delete, click OK to confirm removal.

About policies for federated users

For LastPass admins that implement federated login using AD FS, Azure AD, or Okta, please see the limitations for LastPass users with federated login.

About policies for LastPass Business accounts

Admins for LastPass Business accounts (which includes a LastPass Vault, integrated SSO, and LastPass MFA) can enforce the following policies:
  • The Require use of LastPass Authenticator (Advanced MFA add-on) policy can be enabled to require users to set up and use the LastPass Authenticator when accessing their LastPass Vault.
    Note: This policy includes use of passwordless authentication, unlike the "Require use of LastPass Authenticator" policy (which does not require the Advanced MFA add-on).
  • The Hide Cloud Apps from end users policy can be enabled to hide the Cloud Apps Vault menu item (used for integrated SSO) from appearing in the left navigation of users' LastPass Vaults (if the admin has already implemented their own single sign-on solution or does not need to use LastPass integrated SSO).

Not sure what type of LastPass account you have? Learn more about LastPass business accounts.