Add and Manage LastPass Admin Policies

    LastPass Business accounts offer a number of configurable and recommended policies around security levels and password strength that you can add, edit, or delete as an admin. Each policy can be applied to all users, or to an inclusive or exclusive list of users. With over 100 policies available for you to add and configure, you can tailor LastPass to the security posture your organization needs. All policies for LastPass Business accounts have been categorized and displayed on separate tabs, and are also searchable in the Admin Console under Settings > Policies.

    Full policy list

    You can view all available policies for LastPass Business on the LastPass Policy page at https://lastpass.com/policy_doc.php. Please note that you must be actively logged in with a LastPass Business account in order to view the full list of policies available.

    Note:  LastPass Business policies are separate from those available in the LastPass SSO and/or MFA Admin Console – please see Policy Management for more information.

    Policy categories

    These policy categories include:

    • Overview – These policies are currently configured and enforced for your account by a company administrator, and include both enabled and default policies
    • Default – These policies are enabled by default for all users (but can be disabled or configured otherwise)
    • Recommended – These policies are disabled by default but are recommended by LastPass to enable and configure to best suit the business needs of your organization
    • Access Controls – These policies manage users' access to LastPass
    • Password Rules – These policies manage requirements for site passwords, and for the master password when users create or use it
    • Account Restrictions – These policies enforce account restrictions for users
    • Administration – These policies manage general administration, including notifications and reporting for admins, limitations on user access for the Admin Console, and restrictions on upgrade prompts & Enzoic breach reporting checks
    • Multifactor – These policies manage all settings, restrictions, and requirements for Multifactor Authentication for users
    • Other – These are all other policies that do not fall under the previous categories

    Configure and enable a new policy

    1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
    2. Go to Settings > Policies in the left navigation.
    3. Navigate to your desired policy in either of the following ways:
      • Use the Search field to enter keywords for the name of your desired policy, then click on the category tab that matches your search
        Note: The number next to each category tab indicates how many policies in that category match your search criteria.
      • Click on the category tab to locate your desired policy
    4. Toggle on the switch for your desired policy, then click Edit details.
    5. When applicable, enter data into the "Value" field based on the data type outlined in the description (e.g., IP Address, domain name, email address, country abbreviation, etc.).
    6. For the "Applies to" section, choose one of the following options:
      • All – Select this option to apply to all users on your account.
      • Inclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should be enforced.
      • Exclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should not apply.
    7. Optional: Add Notes about the policy you are configuring.
    8. If applicable, select Enabled or Disabled to choose whether or not to enforce the policy immediately. If disabled, the policy will be added but not yet enforced, and can be enabled later.
    9. If applicable, click Add new policy values if you want to create additional configurations with different values that are based on specific Inclusive or Exclusive user lists.

      Example: You can configure a policy that prohibits all users from exporting LastPass data except for those users who are admins.

    10. Click Save Changes.
    What to do next: If you configured a policy as Disabled and are now ready to enable it, you will need to locate the policy and toggle on the switch to enforce it.

    Edit an existing policy

    1. From within the Admin Console, go to Settings > Policies in the left navigation.
    2. Click the Overview tab and locate your desired policy.
    3. Click Edit details and make your desired changes to the policy configuration.
    4. Click Save Changes.

    Delete a policy

    1. From within the Admin Console, go to Settings > Policies in the left navigation.
    2. Locate your desired policy by using the Search field.
    3. Toggle off the switch for your policy.
    4. When prompted to delete, click OK to confirm removal.

    About policies for federated users

    About this task: For LastPass admins who implement federated login using AD FS, Azure AD, Google Workspace, Okta, or PingOne, please view the limitations for LastPass users with federated login.

    About policies for LastPass Business accounts

    About this task: Admins for LastPass Business accounts (which includes a LastPass vault, integrated SSO, and passwordless login) can enforce the following policies:
    • The Require use of LastPass MFA policy can be enabled to require users to set up and use the LastPass Authenticator app when accessing their LastPass vault. This requires an account with LastPass Business + Advanced MFA add-on.
    • The Override default MFA methods policy allows admins to override the default MFA authentication methods. The default primary authentication method is "push", and the backup authentication method is "text/call". Use the Value field to offer different methods to users during setup. Enter the following numbers separated by commas:
      • 1 - Push notifications via LastPass Authenticator app
      • 2 - Codes via TOTP-compatible authenticator app (such as Google, Microsoft, Okta, etc.)
      • 3 - Text/Call
      • 4 - YubiKey OTP
      For example, enter the value 1,3,4 to show users these three options during MFA setup:
      • 1 - Push notification via LastPass Authenticator
      • 3 - Text/Call
      • 4 - YubiKey OTP

      In this example, any method not chosen as primary can be chosen as a backup in case the primary is unavailable.

    • The Hide Cloud Apps from end users policy can be enabled to hide the Cloud Apps vault menu item (used for integrated SSO) from appearing in the left navigation of users' LastPass vaults (if the admin has already implemented their own single sign-on solution or does not need to use LastPass integrated SSO).