HELP FILE

Step #2: Configure the Provisioning App for LastPass in Azure AD

Once you have acquired the Connection URL and Provisioning Token, you will need to create the Provisioning App for LastPass and enter those values, as well as configure your group and user attributes.

The steps below are performed in the Azure AD portal.
  • First, create the Provisioning App for LastPass.
    1. Log in to your Azure AD portal with your administrator account credentials at https://portal.azure.com.
    2. Go to Azure Active Directory > Enterprise Applications > New application.
    3. Click Create your own application.

      New application in Azure AD portal

    4. Enter a name for your Provisioning App (e.g., LastPass Provisioning App).
    5. Select the radio button for the Integrate any other application you don't find in the gallery option.
    6. Click Create.

      Create your own app in Azure AD portal

    7. Select Provisioning in the left navigation, then click Get Started.
    8. For Provisioning Mode, use the drop-down menu and select Automatic.
    9. Under Admin Credentials, do the following:
      • In the "Tenant URL" field, paste the Connection URL you copied from the LastPass Admin Console (from Step #5 in the previous article).
      • In the "Secret Token" field, paste the Provisioning Token you copied from the LastPass Admin Console (from Step #6 in the previous article).
    10. Click Test Connection to have Azure AD attempt to connect to your LastPass Admin Console.

      Troubleshooting: If the connection attempts fail, error information is displayed.

    11. Click Save to store the values in the Admin Credentials section.

  • Next, configure your group attribute mappings.
    1. Select Mappings in the new section (below Test Connection button).
    2. Select Provision Azure Active Directory Groups to configure group object mappings.
    3. Scroll down and check the box for Show advanced options.
    4. Click Edit attribute list for customappsso, then make the following selections:
      For each group attribute below, select the listed settings:
      id
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
      externalID
        • Type = String
        • Check box for Required?
      displayName
        • Type = String
        • Check box for Required?
      members
        • Type = Reference
        • Check box for Multi-Value?
        • Referenced Object Attribute = Use the drop-down menu and select the following:
          • urn:ietf:params:scim:schemas:core:2.0:Group
          • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    5. Select Save > Yes and return to Attribute Mapping.

  • Next, configure your user attribute mappings.
    1. Under Mappings, select Provision Azure Active Directory Users to configure user object mappings.
    2. The default User Attribute Mapping list shows the following (unless the attributes were previously adjusted), as User Attribute Name followed by its default configuration:
      userPrincipalName
        • customappsso Attribute = userName
        • Matching precedence = 1
      Switch([IsSoftDeleted], ,"False", "True","True","False")
        • customappsso Attribute = active
      displayName
        • customappsso Attribute = displayName
    3. Scroll down and check the box for Show advanced options.
    4. Click Edit attribute list for customappsso, then make the following selections:
      For each user attribute below, select the listed settings:
      id
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
      active
        • Type = Boolean

      Troubleshooting: If the "active" attribute is missing from the list, please perform these troubleshooting steps.

      userName
        • Type = String
        • Check box for Required?
      externalID
        • Type = String
        • Check box for Required?
    5. Select Save > Yes and return to Attribute Mapping.

  • Finalize the attribute mappings for users.
    1. Under Attribute Mappings, make the following selections:
      For each user attribute below, make the listed selections (in this order, because Azure AD requires one matching attribute at all times):
      userPrincipalName
        1. Matching precedence = 2
        2. Click OK
      externalID
        1. Source attribute = objectId
        2. Match objects using this attribute = Yes
        3. Matching precedence = 1
        4. Click OK
      userPrincipalName
        1. Return to the userPrincipalName attribute.
        2. Match objects using this attribute = No
        3. Click OK
  • Delete all other attribute mappings.
    1. Only the following required mappings should be present after editing, and must be configured correctly:

      • objectId
      • userPrincipalName
      • Switch([IsSoftDeleted], ,"False", "True","True","False")
      • displayName
      Warning: Delete every other attribute mapping; only the four mappings listed above may remain, otherwise you will encounter synchronization issues.

    2. Select Save > Yes and return to Attribute Mapping.

    3. Select Provisioning in the breadcrumb menu at the top.
    4. Select Settings then toggle the "Provisioning Status" switch to On.
    5. Click Save.
You have created and configured your Provisioning app for LastPass and enabled synchronization for provisioning.
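The following is an added example, not part of this help article or of LastPass or Microsoft software. It models what the attribute mappings configured above produce: it evaluates the Switch([IsSoftDeleted], ...) expression, builds the SCIM 2.0 User and Group bodies that the Provisioning App would send to the Tenant URL (field names follow the RFC 7643 core and enterprise schemas; the exact body LastPass receives is an assumption drawn from the attribute lists above), and checks a user mapping set against the "only these four mappings" rule from the Warning. All Azure AD objects and ids in it are constructed sample data.

```python
"""Added example (not the article's own code): emulate the Azure AD -> SCIM
user/group mappings described in the article and validate the mapping set."""
from __future__ import annotations

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# The four user mappings the article says must remain (Azure source -> customappsso attribute).
REQUIRED_USER_MAPPINGS = {
    "objectId": "externalId",
    "userPrincipalName": "userName",
    'Switch([IsSoftDeleted], ,"False", "True","True","False")': "active",
    "displayName": "displayName",
}


def switch_is_soft_deleted(is_soft_deleted: str | None) -> str:
    """Evaluate Switch([IsSoftDeleted], , "False","True", "True","False").

    Azure's Switch(source, default, key1, value1, key2, value2): a soft-deleted
    user ("True") maps to active="False" and vice versa.  The default in the
    expression is empty; an unmatched or missing value is modelled here as "".
    """
    cases = {"False": "True", "True": "False"}
    return cases.get(is_soft_deleted, "")


def to_scim_user(azure_user: dict) -> dict:
    """Build the SCIM User body from the finalized user attribute mappings."""
    return {
        "schemas": [SCIM_USER],
        "externalId": azure_user["objectId"],         # matching attribute, precedence 1
        "userName": azure_user["userPrincipalName"],  # precedence 2, not used for matching
        "active": switch_is_soft_deleted(azure_user.get("IsSoftDeleted")) == "True",
        "displayName": azure_user["displayName"],
    }


def to_scim_group(azure_group: dict, scim_ids: dict[str, str]) -> dict:
    """Build the SCIM Group body.  'members' is the multi-valued Reference
    attribute: each Azure member objectId is resolved to the SCIM id the
    service returned when that user was provisioned (scim_ids, assumed here)."""
    members = []
    for object_id in azure_group["members"]:
        scim_id = scim_ids.get(object_id)
        if scim_id is None:
            # Not yet provisioned on the SCIM side: cannot be referenced in this cycle.
            continue
        members.append({"value": scim_id, "$ref": f"Users/{scim_id}"})
    return {
        "schemas": [SCIM_GROUP],
        "externalId": azure_group["objectId"],
        "displayName": azure_group["displayName"],
        "members": members,
    }


def validate_user_mappings(mappings: dict[str, str]) -> list[str]:
    """Return problems with a user mapping set per the article's Warning:
    exactly the four required mappings, each targeting the right attribute."""
    problems = []
    for src, target in REQUIRED_USER_MAPPINGS.items():
        if src not in mappings:
            problems.append(f"missing required mapping {src} -> {target}")
        elif mappings[src] != target:
            problems.append(f"{src} maps to {mappings[src]!r}, expected {target!r}")
    for src in mappings:
        if src not in REQUIRED_USER_MAPPINGS:
            problems.append(f"extra mapping {src} must be deleted")
    return problems


# Constructed sample Azure AD objects (placeholder ids, not real tenant data).
SAMPLE_USERS = [
    {"objectId": "11111111-aaaa-4bbb-8ccc-000000000001", "userPrincipalName": "alice@example.com",
     "displayName": "Alice Example", "IsSoftDeleted": "False"},
    {"objectId": "11111111-aaaa-4bbb-8ccc-000000000002", "userPrincipalName": "bob@example.com",
     "displayName": "Bob Example", "IsSoftDeleted": "True"},
]
SAMPLE_GROUP = {
    "objectId": "22222222-aaaa-4bbb-8ccc-000000000001",
    "displayName": "Finance",
    "members": [u["objectId"] for u in SAMPLE_USERS] + ["33333333-aaaa-4bbb-8ccc-000000000009"],
}
# SCIM ids handed back by the service for already provisioned users (assumed values).
SAMPLE_SCIM_IDS = {SAMPLE_USERS[0]["objectId"]: "u-1001", SAMPLE_USERS[1]["objectId"]: "u-1002"}

if __name__ == "__main__":
    import json
    for u in SAMPLE_USERS:
        print(json.dumps(to_scim_user(u), indent=2))
    print(json.dumps(to_scim_group(SAMPLE_GROUP, SAMPLE_SCIM_IDS), indent=2))
    print(validate_user_mappings({**REQUIRED_USER_MAPPINGS, "mail": "emails[type eq \"work\"].value"}))
```

Run it to see why the article insists on deleting the extra default mappings: validate_user_mappings flags any mapping outside the four, and the soft-deleted sample user comes out with active=false, which is what lets a disabled Azure AD account be deactivated in LastPass rather than left usable.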