product icon

LastPass Admin Management of Global Never and Global Only URLs

    LastPass Business admins can add Global Never and Global Only URLs in the Admin Console to control whether you want LastPass to prompt your users for action. Additionally, a wildcard character (*) can be used for both a subdomain and subpath when adding Global Never URLs.

    Note:  If you choose not to use a wildcard character (*) for your URL or domain, LastPass will apply the "Never URL" logic to the exact string you have added. Additionally, if a user attempts to save a site manually for a URL or domain that has been added as a Global Never URL, they will be informed that there is a policy restriction in place that prevents them from saving it.

    If you are not a LastPass admin and want to manage these settings as a user from your vault, please see Manage Never URLs but keep in mind that your admin may have enforced policies that prohibit changes. Please note that Global Only URLs can only be added and managed by LastPass Business admins.

    Global Never and Only URLs

    Manage Global Never URLs and Apps

    Note:  Using a wildcard character (*) is only supported for URLs and domains. It is mandatory to always specify a top-level domain (TLD) (for example, .com).
    About this task: To create a denylist of URLs and domains upon which you do not want LastPass prompts enabled, do the following:
    1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
    2. Go to Advanced Options > Business Options in the left navigation.
    3. Select the Global Never/Only URLs tab.
    4. Enter your desired URL(s) and/or domain(s), separated by commas or new lines.
    5. Choose from the following:
      • URLs and domains – To prevent LastPass from prompting for an exact URL or domain:

      Example: Added as: https://sample.com,http://testing.com,https://example.com

      Example: Saved as: sample.com, testing.com, example.com

      • URLs and subdomains – To prevent LastPass from prompting for an exact URL or subdomain:

      Example: Added as: https://sample.com,http://testing.com,https://example.com

      Example: Saved as:  https://subdomain.example.com/,https://subdomain.sample.com/

      Note:  To prevent LastPass from interacting with specified sites that have subdomains in their URLs, the site should be saved under Global Never URLs in the following format: *.example.com/*

      • URLs and domains with wildcard(s) – To prevent LastPass from prompting for any variation before, after, and/or before & after a URL:

      Example: Added as: https://*.sample.com,http://testing.com*,https://*.example.com*

      Example: Saved as: *sample.com, testing.com*, *example.com*

      The following examples and explanations give further guidance as to what format to use when specifying your URL(s) and/or domain(s).
      Never URL Type Example Matches Example Non-Matches Action
      example.com Domain example.com/, example.com/login, www.example.com/, www.example.com/login otherdomain.com/, example.net/ Match every path and every subdomain
      example.com/ URL example.com/ www.example.com/, example.com/login Match only the page "/" of a domain
      example.com/login URL www.example.com/login www.example.com, example.com/ Match only the page "/login" of a domain
      www.example.com/ URL www.example.com/ example.com/, www.example.com/login Match only the page "/" of a subdomain
      example.com/* URL example.com/, example.com/login www.example.com/ Match every page of a domain (but not its subdomains)
      www.example.com/* URL www.example.com/, www.example.com/login example.com/ Match every page of a subdomain
      *.example.com/login URL example.com/login, www.example.com/login example.com, www.example.com/index.php Match the page "/login" of every subdomain
      *.example.com/* URL example.com/, www.example.com, example.com/login, www.example.com/login otherdomain.com/ Match every page and every subdomain (equivalent to example.com)
      Note: While specifying one exact IP address is supported (for example, https://192.0.2.0/), specifying an IP address range (for example, https://192.0.2.0-192.0.2.255) or CIDR range (for example, https://192.0.2.0/24) is not supported.
    6. Click Update when finished.

      Result: You have added a Global Never URL.

    Manage Global Only URLs

    Note:  It is not recommended to use Global Only URLs unless there is a specific need in your infrastructure where you only want a few select domains to be enabled for LastPass prompts.
    About this task: To create an allowlist for a select group of domains for which you only want LastPass prompts to be enabled, do the following:
    1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
    2. Go to Advanced Options > Business Options > Global Never/Only URLs.
    3. Enter your desired URLs and/or domains in the "Global Only URLs" section.
    4. Click Update when finished.

      Result: You have added a Global Only URL.