HELP FILE

Set Up Azure Active Directory Integration

IT admins can easily benefit from secure administration of LastPass Enterprise by using our Azure Active Directory integration, which offers:

  • Secure configuration and deployment of LastPass
  • Automated provisioning of LastPass user accounts
  • Real-time deprovisioning of LastPass user accounts
  • Syncing groups for assigning users to policies and shared folders

Topics in this article:

Account requirements

Set up and configure

Deprovision users

FAQs

Account requirements

Syncing your Azure Active Directory with LastPass Enterprise requires the following:

  • A Premium tier subscription to Microsoft Azure Active Directory
  • An active trial or paid LastPass Enterprise account
  • An active LastPass Enterprise admin (required when activating your trial)

The SCIM endpoint used to integrate LastPass with Azure Active Directory does not require any software installation.
This integration does not allow users to log in to LastPass with their Active Directory password. Completing the account setup steps for LastPass requires that the user create and remember a separate LastPass Master Password, which is used to create the unique encryption key for their LastPass Vault.

Set up and configure

To register and integrate your LastPass Enterprise account with Azure Active Directory, complete all of the steps in the Azure AD Integration Guide.

Deprovision users

You can remove a user's LastPass account access by deprovisioning them. From the Azure portal, you can either disable their account (the account remains available for reactivation) or delete their account completely (which deletes all of their stored LastPass data). You can view all users who are disabled on your account by going to Users > Disabled users.

Disable a user

  1. Log in to the Azure portal at https://aad.portal.azure.com.
  2. Go to Users in the left menu, then locate and select your desired user.
  3. In the Settings section, click Edit.
  4. For the "Block sign in" option, click Yes.
  5. Click Save when finished.

Delete a user

  1. Log in to the Azure portal at https://aad.portal.azure.com.
  2. Go to Users in the left menu, then locate your desired user and check the box to the left of their name to select them.
  3. Click Delete user.
  4. When prompted, click Yes to confirm.
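The same two deprovisioning actions, plus the "Disabled users" view, can be scripted instead of clicked through the portal. The following is an added example written for this article with the Microsoft Graph PowerShell SDK; it is not LastPass's own tooling. It assumes the Microsoft.Graph module is installed, that the signed-in admin has the User.ReadWrite.All permission, and that the user principal name is a placeholder.

```powershell
# Added example (not LastPass documentation): deprovision a LastPass user from
# Azure AD with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed; User.ReadWrite.All granted;
# the UPN below is a placeholder.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.ReadWrite.All"

$upn = "jane.doe@example.com"   # assumed placeholder

function Disable-LastPassUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Equivalent of the portal's "Block sign in = Yes": the account stays in the
    # directory and can be re-enabled later; LastPass deprovisions it as disabled.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Get-MgUser -UserId $UserPrincipalName -Property UserPrincipalName,AccountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
}

function Remove-LastPassUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Equivalent of the portal's "Delete user". Because this also deletes the
    # user's stored LastPass data, require an explicit confirmation first.
    $answer = Read-Host "Delete $UserPrincipalName and all of their LastPass data? (yes/no)"
    if ($answer -ne "yes") { Write-Warning "Aborted; nothing deleted."; return }
    Remove-MgUser -UserId $UserPrincipalName
}

function Get-DisabledUsers {
    # Same view as Users > Disabled users in the Azure portal.
    Get-MgUser -Filter "accountEnabled eq false" -All `
        -Property UserPrincipalName,DisplayName,AccountEnabled |
        Select-Object UserPrincipalName, DisplayName
}

Disable-LastPassUser -UserPrincipalName $upn
Get-DisabledUsers
# Remove-LastPassUser -UserPrincipalName $upn   # uncomment only when data loss is intended
```

Prefer disabling over deleting while an offboarding is still being reviewed: a blocked sign-in can be reversed by setting `-AccountEnabled:$true`, whereas a deleted user's LastPass data is gone.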

FAQs

Do groups in Azure AD sync to the LastPass Admin Console?

  • Yes, you can configure your Azure AD to sync user groups to LastPass, where they will appear in the User tab of the Admin Console. From there, the groups can be leveraged for assigning policies and shared folders.

Can I assign more than one group to LastPass?

  • Yes, you can assign as many custom groups to LastPass in Azure AD as needed.

If I update a group in Azure AD, are the changes reflected in LastPass?

  • Yes. If you add users to or remove users from a group that is assigned to LastPass in Azure AD, the change is reflected in LastPass and an account is provisioned or deprovisioned as needed.

Can users log in to LastPass with their Azure AD password?

  • No. Users must create a separate LastPass Master Password when they receive their account invitation. The Master Password is used to form the encryption key to their LastPass Vault, and is never shared with LastPass (or Microsoft).

Can I choose to have users added to the Pending Approval tab in the Admin Console?

  • No, users are automatically provisioned and will appear as live users.

How can I test that the integration is syncing correctly?

  • When first deploying LastPass Enterprise with Azure AD, you can set up a small test group in Azure AD. Once you’ve confirmed that provisioning is working as expected, you can test adding and removing people in the test group. Once all testing is successful, you can then assign LastPass to all groups, or the specific groups that will be using LastPass.
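The pilot-group procedure above, carried out with the Microsoft Graph PowerShell SDK, as an added example written for this article rather than LastPass's own tooling. It assumes the Microsoft.Graph module is installed, that the admin holds Group.ReadWrite.All, AppRoleAssignment.ReadWrite.All and User.Read.All, that the LastPass enterprise application is named "LastPass" in your tenant (check Enterprise applications if yours differs), and that the group name and user principal name are placeholders.

```powershell
# Added example (not LastPass documentation): create the small Azure AD test
# group the FAQ recommends, assign it to the LastPass enterprise application,
# then add and remove one member to exercise provisioning and deprovisioning.
# Assumptions: Microsoft.Graph installed; permissions listed in the lead-in;
# enterprise app display name "LastPass"; placeholder group name and UPN.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Group.ReadWrite.All","AppRoleAssignment.ReadWrite.All","User.Read.All"

$testUpn = "pilot.user@example.com"   # assumed placeholder

# 1. Security group that will be assigned to LastPass.
$group = New-MgGroup -DisplayName "LastPass-Pilot" -MailEnabled:$false `
    -MailNickname "lastpass-pilot" -SecurityEnabled

# 2. Find the LastPass enterprise app (assumed display name) and assign the group.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'LastPass'")
if ($sp.Count -ne 1) { throw "Expected exactly one 'LastPass' enterprise app, found $($sp.Count)." }
$sp = $sp[0]
# Gallery apps usually expose a default app role; if the app defines none,
# Azure AD uses the all-zero GUID for default access.
$enabledRoles = @($sp.AppRoles | Where-Object { $_.IsEnabled })
$roleId = if ($enabledRoles.Count -gt 0) { $enabledRoles[0].Id } else { [Guid]::Empty }
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $roleId

# 3. Add a member: after the next provisioning cycle the user should appear as a
#    live user in the LastPass Admin Console (not in Pending Approval).
$user = Get-MgUser -UserId $testUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 4. Once the account is confirmed in LastPass, remove the member: the next cycle
#    should deprovision it. Only then assign LastPass to the production groups.
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
```

Run step 3 and step 4 as separate sessions rather than back to back, so you can confirm each state in the Admin Console before triggering the next change.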