HELP FILE

Set up Federated Login for LastPass Enterprise using Azure Active Directory

LastPass Enterprise account admins can set up and configure federated login so that users can use their organization's Active Directory (Azure AD or on-premises Active Directory) account to log in to LastPass without ever having to create a second Master Password.

Please review the account requirements and limitations that apply to federated users, then you can begin the setup process between the LastPass Enterprise Admin Console and the Azure AD portal.

In this set of instructions, Azure AD is defined as the Identity Provider (IdP) used for authentication.

Account requirements

Syncing your Azure Active Directory with LastPass Enterprise requires the following:

  • A Premium tier subscription to Microsoft Azure Active Directory
  • An active trial or paid LastPass Enterprise subscription
  • An active LastPass Enterprise admin (required when activating your trial or paid subscription)

Limitations that apply to federated users

Step #1: Follow all steps in the Azure AD Integration Guide

Follow the instructions to set up automated provisioning via the Azure Active Directory Integration Guide for LastPass Enterprise.

Step #2: Capture the Application ID and OpenID Connect from Azure AD

  1. In the Azure AD portal, in "App registration" with your LastPass application selected, select Overview in the left navigation.
  2. Copy the Application (client) ID field contents and paste it into your open text editor.
  3. Copy OpenID Connect metadata document field contents and paste it into your open text editor.
  4. Proceed to Step #3 below where these items will be used.

Step #3: Configure Federated login settings in LastPass Enterprise

  1. Go back to the LastPass Enterprise Admin Console, then select Settings > Federated login in the left navigation.
  2. Select the Azure AD tab, then enter the following:
    • In the "Directory (tenant) ID" field, paste the OpenID Connect metadata document URL from Step #2 above (the Directory (tenant) ID is the GUID embedded in that URL; a tenant-independent URL such as one containing "common" will not identify your directory).
    • In the "Application (client) ID" field, paste the Application (client) ID from Step #2 above.
  3. Check the box to enable the "Enabled" option.
  4. Click Save Settings when finished.

Step #4: Configure a Redirect URI in Azure AD

  1. In the Azure AD portal, with your LastPass application selected, select Overview in the left navigation.
  2. Under Redirect URI in the upper-right navigation, click Add a Redirect URI.
  3. Add the first Redirect URI, as follows:
    • For the Type column, use the drop-down menu and select Web
    • For the Redirect URI column, enter https://lastpass.com/passwordreset.php
  4. Add the second Redirect URI, as follows:
    • For the Type column, use the drop-down menu and select Web
    • For the Redirect URI column, enter https://accounts.lastpass.com/federated/oidcredirect.html
  5. Under the Advanced settings, check the boxes to enable the following settings:
    • Access tokens
    • ID tokens
  6. Click Save when finished.

Step #5: Configure API permissions in Azure AD

  1. In the Azure AD portal, select API permissions in the left navigation.
  2. Click the Add a permission button, then select Microsoft Graph.
  3. In the right navigation, select Delegated permissions.
  4. Under the Permission menu, check the boxes to enable the following permission settings:
    • email
    • openid
    • profile

  5. Under the User menu, check the boxes to enable the following user settings:
    • User.Read
    • User.ReadWrite
  6. When finished, click Add permissions.

  7. Under Grant consent, click the Grant <your LastPass application name> hyperlink to finish configuring API permissions for your LastPass app.
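Before handing the settings over to LastPass, it is worth checking the app registration against what Steps 2 through 5 asked for, since a leftover redirect URI or a missing delegated permission is the usual cause of a failed federated login. The script below is an added example (not LastPass or Microsoft code): it pulls the Directory (tenant) ID out of the OpenID Connect metadata document URL from Step #2, and compares an app registration manifest (the JSON shown on the registration's Manifest blade, using its replyUrlsWithType, oauth2AllowImplicitFlow, oauth2AllowIdTokenImplicitFlow and requiredResourceAccess fields) with the two redirect URIs, the two token settings and the five Microsoft Graph delegated permissions from Steps 4 and 5. The tenant GUID and the permission GUIDs in the sample data are constructed placeholders; the real scope GUIDs are published by the Microsoft Graph service principal in your tenant.

```python
"""Offline check that an Azure AD app registration matches the settings this
guide asks for in Steps 2-5. Added example; not LastPass or Microsoft code."""
import re

# Values the guide specifies (Steps 4 and 5).
REQUIRED_REDIRECT_URIS = {
    "https://lastpass.com/passwordreset.php",
    "https://accounts.lastpass.com/federated/oidcredirect.html",
}
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
REQUIRED_DELEGATED_SCOPES = {"email", "openid", "profile", "User.Read", "User.ReadWrite"}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
METADATA_RE = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[^/]+)/v2\.0/\.well-known/openid-configuration$"
)


def tenant_id_from_metadata_url(url):
    """Return the Directory (tenant) ID embedded in the v2.0 OpenID Connect metadata
    document URL, or None if the URL is not tenant-specific ('common',
    'organizations' and 'consumers' are rejected on purpose)."""
    m = METADATA_RE.match(url.strip())
    if not m or not GUID_RE.match(m.group("tenant")):
        return None
    return m.group("tenant").lower()


def check_app_manifest(manifest, scope_names):
    """Compare an app registration manifest (dict parsed from the portal's Manifest
    blade) with the Step 4 and Step 5 settings. scope_names maps Microsoft Graph
    delegated-permission GUIDs to scope names. Returns a list of findings; an
    empty list means the registration matches the guide."""
    findings = []

    # Step 4: exactly the two Web redirect URIs, all HTTPS. Every extra URI is
    # another place Azure AD will deliver tokens to, so each one is flagged.
    web_uris = {e["url"] for e in manifest.get("replyUrlsWithType", []) if e.get("type") == "Web"}
    findings += [f"missing Web redirect URI: {u}" for u in sorted(REQUIRED_REDIRECT_URIS - web_uris)]
    findings += [f"unexpected redirect URI: {u}" for u in sorted(web_uris - REQUIRED_REDIRECT_URIS)]
    findings += [f"non-HTTPS redirect URI: {u}" for u in sorted(web_uris) if not u.startswith("https://")]
    if not manifest.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append("ID tokens not enabled (oauth2AllowIdTokenImplicitFlow is false)")
    if not manifest.get("oauth2AllowImplicitFlow"):
        findings.append("Access tokens not enabled (oauth2AllowImplicitFlow is false)")

    # Step 5: the five delegated Microsoft Graph scopes and nothing else.
    granted = set()
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != MICROSOFT_GRAPH_APP_ID:
            findings.append(f"permissions requested on unexpected API: {res.get('resourceAppId')}")
            continue
        for acc in res.get("resourceAccess", []):
            if acc.get("type") == "Scope":
                granted.add(scope_names.get(acc.get("id"), acc.get("id")))
            else:
                findings.append(f"non-delegated permission on Microsoft Graph: {acc.get('id')}")
    findings += [f"missing delegated permission: {s}" for s in sorted(REQUIRED_DELEGATED_SCOPES - granted)]
    findings += [f"unexpected delegated permission: {s}" for s in sorted(granted - REQUIRED_DELEGATED_SCOPES)]
    return findings


# Constructed sample data: the tenant GUID and the permission GUIDs are placeholders.
SAMPLE_METADATA_URL = (
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
    "/v2.0/.well-known/openid-configuration"
)
SAMPLE_SCOPE_NAMES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "email",
    "aaaaaaaa-0000-0000-0000-000000000002": "openid",
    "aaaaaaaa-0000-0000-0000-000000000003": "profile",
    "aaaaaaaa-0000-0000-0000-000000000004": "User.Read",
    "aaaaaaaa-0000-0000-0000-000000000005": "User.ReadWrite",
}
GOOD_MANIFEST = {
    "replyUrlsWithType": [{"url": u, "type": "Web"} for u in REQUIRED_REDIRECT_URIS],
    "oauth2AllowIdTokenImplicitFlow": True,
    "oauth2AllowImplicitFlow": True,
    "requiredResourceAccess": [{
        "resourceAppId": MICROSOFT_GRAPH_APP_ID,
        "resourceAccess": [{"id": g, "type": "Scope"} for g in SAMPLE_SCOPE_NAMES],
    }],
}
# Same registration with a leftover developer redirect URI, access tokens off
# and User.ReadWrite omitted.
BAD_MANIFEST = {
    "replyUrlsWithType": GOOD_MANIFEST["replyUrlsWithType"] + [{"url": "http://localhost:3000/", "type": "Web"}],
    "oauth2AllowIdTokenImplicitFlow": True,
    "oauth2AllowImplicitFlow": False,
    "requiredResourceAccess": [{
        "resourceAppId": MICROSOFT_GRAPH_APP_ID,
        "resourceAccess": [{"id": g, "type": "Scope"} for g in list(SAMPLE_SCOPE_NAMES)[:4]],
    }],
}

if __name__ == "__main__":
    print("tenant ID:", tenant_id_from_metadata_url(SAMPLE_METADATA_URL))
    for label, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, check_app_manifest(manifest, SAMPLE_SCOPE_NAMES) or "OK")
```

To run it against a real registration, paste the JSON from the app registration's Manifest blade into a file, load it with json.load, and build the scope-name map from the delegated permissions the Microsoft Graph service principal publishes in your tenant (for example from the output of `az ad sp show --id 00000003-0000-0000-c000-000000000000`). The check is deliberately strict about extra redirect URIs and extra permissions: the LastPass flow only needs the two URIs and five scopes listed in the guide, and anything beyond that widens what a token issued to this app can reach.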

Step #6: Add users to the LastPass app in Azure AD

  1. In the Azure AD portal, with your LastPass application selected, go to Overview > Enterprise applications in the left navigation.
  2. Select your newly created LastPass application.
  3. Select Users and groups in the left navigation.
  4. Click Add user.
  5. Locate each of the users and/or groups in the list, then click Select to grant access to the LastPass app.

Step #7: Set up Multifactor Authentication on Azure AD (optional)

If desired, you can set up Multifactor Authentication at the Azure AD (Identity Provider) level.

You're all set!

You have successfully set up Azure AD to use federated login for your LastPass Enterprise account. All of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass. Please note that your LastPass users must log in using the LastPass web browser extension in order to use federated login for their Azure AD account with LastPass.