HELP FILE

Office 365 App Integration

Set up an app integration so that your user can sign into this app using the same credentials that they use for LastPass.

Part 1 - Add the SSO app to LastPass

  1. Open the LastPass Admin Dashboard. Select Applications from the left side menu and then select Web App from the submenu.

    LastPass Web Applications

  2. Click the + Add SSO App button in the upper right corner.
  3. A pop-up window will appear. Under the Select your app section, click Search… and select Office 365 from the LastPass Catalog.

    Office 365 App Catalog

  4. In the One Click Setup section, enter the Microsoft Global Admin Email, Password, and Domain.

    Note: LastPass will not store your credentials.

  5. Click on One-click setup and Save.

    Office 365 One click setup

Manually add Office 365

  1. Log in and access the LastPass Password Manager Admin Console by doing either of the following:
    • While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
    • Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
  2. In the left navigation of the Admin Console, go to Applications > SSO apps.
  3. If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add Application in the upper-right navigation.

  4. Under the "Select your app" section, choose one of the following options:
    • If your app is in the catalog, click the app name to select it.
    • If your app is not in the catalog yet, click on the Custom tab and enter a name in the App Name field.
      Note: If you add a custom app, you must click on the Service Provider section and provide the ACS URL before you can save the app. You can find the ACS data in the app's Service Provider metadata or on its website.
    • If you want to copy the configuration of an app you have already set up, click the Copy tab then select the app from the drop-down menu.

  5. Under Identity Provider, the following items are listed, which you can copy and paste to a text editor application if needed:
    Option                              Description
    Entity ID (for LastPass)            https://identity.lastpass.com
    SSO End Point                       https://identity.lastpass.com/SAML/SSOService
    Logout URL                          https://identity.lastpass.com/Login/Logout
    Certificate                         Default is selected, or select another
    Certificate Fingerprint             Custom
    Certificate Fingerprint (SHA256)    Custom
  6. Optional: If needed, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.

  7. Open a new web browser window or tab to proceed with the next steps.

Part 2 - App Configuration

  1. Log in to the Office 365 administration center as an administrator and then click Admin.

  2. From the left side menu select Settings > Domains.

  3. Add a domain that you are going to use for Single Sign-On and go through the steps to confirm that you own the domain.

    Note: DO NOT add any users at this stage.

  4. In the section that asks How do you want to use with Office 365?, uncheck the boxes next to Exchange Online and Lync Online unless the DNS entries are to be updated.
  5. Make sure that the domain is not the default domain. If it is set as the default domain, change that setting by making the .onmicrosoft.com domain the default domain.
  6. SSO configuration for Office 365 requires Windows Azure Active Directory Module for Windows PowerShell cmdlets. Download and install cmdlets from the following link: https://technet.microsoft.com/en-us/library/jj151815.aspx
  7. You need to use the PowerShell Command template and the certificate that you downloaded from the LastPass Admin Dashboard.

Part 3 - Finalize the Office 365 SSO App Configuration

  1. To configure Office 365 SSO, customize the PowerShell command template as follows:

    • $domain: enter your company domain in the following format: yourworkdomain.com
    • $issuer: enter your company domain at the end of the URL, in the following format: https://identity.lastpass.com/yourworkdomain.com
    • $certificateFile: the full path and filename of the certificate file you've just downloaded

    Configure Office 365 texts

  2. Open PowerShell as an administrator and run the first command: $cred=Get-Credential

    Result: It will prompt for the administrator's credentials.

  3. Type your administrator login credentials into the dialog that appears on the screen.
  4. Copy and paste the second command to authenticate to Office 365: Connect-MsolService -Credential $cred
  5. Copy the block of PowerShell commands starting with $domain and ending with $logoffUrl. Paste them into your PowerShell window.

  6. Then copy and paste the second block to upload the certificate file.
  7. Run the following command to enable SSO for your domain: Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain -Authentication Federated -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer -SigningCertificate $certificate -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose

    Result: You have completed the manual SSO setup for Office 365.

  8. Return to the LastPass Admin Console.
  9. On the LastPass Admin Console web browser window or tab you left open as the last step in Part 1, locate the Service Provider settings.
  10. Under Service Provider, enter the following:
    ACS (i.e., Post Back URL, Reply URL, or Single Sign-On URL): the URL to which authentication responses (containing assertions) are returned. If you added a Custom app, the ACS information is required in order to save the app.
    Entity ID (i.e., Issuer ID or App ID): the Metadata URL of the Service Provider.
    Nickname: the name of the app as it appears in the Admin Console (and in Cloud Apps, if your users have a LastPass password management Vault).
  11. Click Save when finished.

  12. Optional: Under the Advanced Setup section, you can add any of the following customizations:
    • Role
    • IDP (custom)
    • Relay State (custom)
    • Identifier (choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID - by default, Email is selected).
    • Step Up Authentication - Check the box to enable the use of the LastPass MFA app when signing in to your app.
    • SAML Signature Method - Check the box(es) for using SHA1 and/or SHA256.

  13. Optional: Under Custom Attributes, you can add various SAML attributes (learn how to create them here). If you have already created custom attributes, you can use the drop-down menu and choose from the following options:
    • Email
    • Secondary Email
    • User ID
    • First Name
    • Last Name
    • Groups
    • Roles
    • CustomID
    • Constant value
  14. Optional: If desired, check the box(es) to enable any of the following settings:
    • Sign Assertion
    • Sign Request
    • Sign Response
    • Encrypt Assertion
  15. To add more attributes, click + Add SAML Attribute, then use the drop-down menu to make your selections.
  16. Optional: If desired, click Choose File to upload a Partner Certificate.

  17. Click Save and assign to begin selecting users to assign. Otherwise, if you have already saved the app, click the Assign Users icon for your app.
  18. You can assign new users or groups, or manage those already selected by doing either of the following:
    • To assign new, select the User or Group tab, then locate and click to select.
      Tip: You can deselect by clicking on the user or group again, or click Remove All to remove all selected users.

    • To manage selected, click the Selected tab to view all users and groups already assigned. If desired, click the Delete icon to remove users or groups.
  19. Click Save when finished.

    Result: Your SSO app is now configured! The LastPass users you assigned to this SSO app can now log in and access the app using their LastPass account.
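The following script is an added example, not the LastPass command template itself, showing how steps 1 to 7 of Part 3 fit together in one run: the template variables, loading the downloaded certificate, the Set-MsolDomainAuthentication call, and a read-back check of what the tenant now trusts. It assumes the MSOnline module is installed, that $certificateFile points at the certificate downloaded from the LastPass Admin Console, and that the ECP (active logon) URL is a placeholder you replace with the value from your IdP settings, since this page does not give it.

```powershell
# Added example (not the LastPass template): federate a verified Office 365 domain with
# LastPass as the SAML IdP, then verify the stored federation settings before assigning users.
$domain          = "yourworkdomain.com"                             # template value from Part 3
$issuer          = "https://identity.lastpass.com/$domain"           # IssuerUri format from Part 3
$certificateFile = "C:\sso\lastpass-certificate.txt"                 # path is an assumption
$ssoUrl          = "https://identity.lastpass.com/SAML/SSOService"   # SSO End Point from Part 1
$logoffUrl       = "https://identity.lastpass.com/Login/Logout"      # Logout URL from Part 1
$ecpUrl          = "https://identity.lastpass.com/<ECP-ENDPOINT>"    # PLACEHOLDER: not given on this page

# Step 2 to 4: prompt for the Global Admin credentials and connect.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Part 2, steps 3 and 5: the domain must be verified and must not be the tenant default.
$target = Get-MsolDomain -DomainName $domain
if ($target.Status -ne "Verified") { throw "Domain $domain is not verified yet." }
if ($target.IsDefault) { throw "Domain $domain is still the default; make the .onmicrosoft.com domain the default first." }

# Step 6: load the downloaded certificate and convert it to the base64 DER string the cmdlet expects.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificateFile)
$certificate = [Convert]::ToBase64String($cert.GetRawCertData())

# Step 7: switch the domain to federated authentication with LastPass as the issuer.
Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain `
    -Authentication Federated -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $issuer -SigningCertificate $certificate `
    -PassiveLogOnUri $ssoUrl -ActiveLogOnUri $ecpUrl -LogOffUri $logoffUrl -Verbose

# Read back what the tenant now trusts and compare it to what was uploaded: a mismatch in the
# issuer or the signing certificate means assertions from LastPass will be rejected (or worse,
# a different issuer is trusted), so stop here rather than assigning users.
$fed     = Get-MsolDomainFederationSettings -DomainName $domain
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
               ,[Convert]::FromBase64String($fed.SigningCertificate))
if ($fed.IssuerUri -ne $issuer -or $trusted.Thumbprint -ne $cert.Thumbprint) {
    throw "Federation settings for $domain do not match the uploaded issuer/certificate; review before assigning users."
}
"Domain $domain is federated to $($fed.IssuerUri); signing certificate $($trusted.Thumbprint) expires $($cert.NotAfter)"
```

The expiry date printed at the end is worth recording: once the LastPass certificate is rotated, the same script can be re-run with the new file and the read-back check confirms the tenant picked it up.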

Troubleshooting for Manual Setup

Task or error                 Command and description

See all licenses
    Get-MsolAccountSku
    You need your AccountSku number to be able to add users.

Add users
    New-MsolUser -UserPrincipalName <User's email> -ImmutableId <LastPass user ID> -FirstName <First name> -LastName <Last name> -DisplayName <Display name> -LicenseAssignment <AccountSkuId> -UsageLocation <Two-letter country code>
    The immutable ID is a unique user identifier on Office 365. Make sure the immutable ID is reflected in the user's info on the LastPass portal as the user's ID. The user principal name is the IDPEmail. Both of these values must match the Office 365 configuration for single sign-on to be successful.

Delete users
    Remove-MsolUser -UserPrincipalName <User's email>
    The above command moves the user to the Office 365 recycle bin. To create a user with the same name, make sure to remove the user from the recycle bin first.

Retrieve a deleted user
    Get-MsolUser -ReturnDeletedUsers -SearchString <User's email> | select UserPrincipalName, ObjectId

Remove a deleted user from the recycle bin
    Remove-MsolUser -RemoveFromRecycleBin -ObjectId <ObjectId>

Login error
    Some users might experience the following sign-in issue, due to a known bug on Office 365:

    "Sorry, but we're having trouble signing you in. Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error: <error#>."

    The solution is simply to restart your browser. Then open a fresh browser tab and try to log in.
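Because the "Add users" entry above makes SSO depend on two values matching (the Office 365 UserPrincipalName must equal the LastPass IDPEmail, and the ImmutableId must equal the LastPass user ID), the following added example (not part of the LastPass help file) audits every user in the federated domain for those two conditions before they are assigned the app. It assumes an already connected MSOnline session; $lastpassUsers is a constructed sample standing in for an export of the LastPass user list, since the real export format is not described on this page.

```powershell
# Added example: find Office 365 users whose UPN or ImmutableId will not match the LastPass
# identity LastPass puts in the SAML assertion. Assumes Connect-MsolService has already run.
$domain = "yourworkdomain.com"

# Constructed sample of what LastPass holds for each assigned user (IDPEmail and user ID).
$lastpassUsers = @(
    [pscustomobject]@{ IDPEmail = "alice@yourworkdomain.com"; UserId = "a1b2c3d4-0000-4000-8000-000000000001" }
    [pscustomobject]@{ IDPEmail = "bob@yourworkdomain.com";   UserId = "a1b2c3d4-0000-4000-8000-000000000002" }
)

function Test-SsoUserMapping {
    param([string]$Domain, [object[]]$LastPassUsers)

    # Index the tenant's users in this domain by lower-cased UPN so the comparison is case-insensitive.
    $byUpn = @{}
    Get-MsolUser -DomainName $Domain -All |
        ForEach-Object { $byUpn[$_.UserPrincipalName.ToLower()] = $_ }

    foreach ($lp in $LastPassUsers) {
        $key = $lp.IDPEmail.ToLower()
        if (-not $byUpn.ContainsKey($key)) {
            [pscustomobject]@{ User = $lp.IDPEmail; Problem = "no Office 365 user with this UPN (IDPEmail)" }
            continue
        }
        $o365 = $byUpn[$key]
        if ([string]::IsNullOrEmpty($o365.ImmutableId)) {
            [pscustomobject]@{ User = $lp.IDPEmail; Problem = "ImmutableId is not set on the Office 365 user" }
        } elseif ($o365.ImmutableId -ne $lp.UserId) {
            [pscustomobject]@{ User = $lp.IDPEmail; Problem = "ImmutableId '$($o365.ImmutableId)' differs from LastPass user ID '$($lp.UserId)'" }
        }
    }
}

# Only mismatches are emitted; an empty table means every LastPass user maps cleanly.
Test-SsoUserMapping -Domain $domain -LastPassUsers $lastpassUsers | Format-Table -AutoSize
```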

Alternatively, LastPass MFA can be used for secure login to Office 365/Azure AD SSO while maintaining Azure AD as the primary Identity Provider. For more info, visit LastPass conditional access setup page.