You can configure both your Azure Active Directory account and LastPass Business account so that the LastPass Authenticator app can be used for authentication when you log in to any single sign-on app where you use your Azure Active Directory account.
Account requirements
- A Premium tier subscription to Microsoft Azure Active Directory (required for use of Conditional Access)
- An active trial or paid LastPass Business + Advanced MFA add-on account
- An active LastPass Business + Advanced MFA add-on admin (required when activating your trial or paid subscription)
Set up and configure
Note: Policies are not enforced by LastPass in this configuration. All policies have to be configured in Azure AD using Conditional Access policy (for example, location restriction, biometrics, and so on).
Before you begin: Open a text editor application, which will be used in later steps to save copied values.
Add the Microsoft Azure AD app.
- Log in with your email address and master password to access the new Admin Console at https://admin.lastpass.com.
- If prompted, complete steps for multifactor authentication (if it is enabled for your account).
- Select .
- If you have not previously added MFA apps, select Get started. Otherwise, select Add app in the upper-right navigation.
- Select .
Save the integration key and integration secret.
- Optional: On another web browser window or tab, you can open your LastPass vault and create a new secure note for saving the integration key and integration secret.
- In the Set up integration window, copy the integration key, then paste it into your text editor application. This value is the Client ID used in the JSON below.
- Click Finish.
- Copy the JSON below and paste it into your text editor application. Replace <your unique Client ID> with the Client ID value you pasted earlier into your text editor application.
{
  "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
  "ClientId": "<your unique Client ID>",
  "Controls": [
    {
      "ClaimsRequested": [
        { "Type": "amr", "Value": "2fa", "Values": null }
      ],
      "Id": "LastPassIdentityMFALogin",
      "Name": "LastPass Identity MFA Login"
    }
  ],
  "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
  "Name": "LastPass Identity MFA"
}
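The custom control above tells Azure AD two things: where to find the LastPass OpenID Connect discovery document, and which claim the returned token must carry (an amr value of 2fa) before access is granted. The following Python script is an added example, not LastPass or Microsoft code: it validates a pasted control definition before you submit it (placeholder Client ID still present, wrong discovery URL, missing amr claim) and shows how the requested claims are matched against a token payload. The token payloads and the check messages are constructed for this example; the payload decoder deliberately skips signature verification and is for lab inspection only.

```python
import base64
import json

# The custom control definition from the article, with the ClientId still set
# to the placeholder so that the validator below can flag it.
CONTROL_TEMPLATE = {
    "AppId": "002a1c97-1381-4f73-a9c9-c049e8ef3a82",
    "ClientId": "<your unique Client ID>",
    "Controls": [
        {
            "ClaimsRequested": [{"Type": "amr", "Value": "2fa", "Values": None}],
            "Id": "LastPassIdentityMFALogin",
            "Name": "LastPass Identity MFA Login",
        }
    ],
    "DiscoveryUrl": "https://identity.lastpass.com/oauth/.well-known/openid-configuration",
    "Name": "LastPass Identity MFA",
}

# Discovery endpoint from the article; anything else means the control would
# redirect users to a different identity provider.
EXPECTED_DISCOVERY_URL = "https://identity.lastpass.com/oauth/.well-known/openid-configuration"


def required_claims(control):
    """Flatten every ClaimsRequested entry into (type, value) pairs.
    'Values' (a list) takes precedence over the single 'Value' when present."""
    pairs = []
    for ctl in control.get("Controls", []):
        for claim in ctl.get("ClaimsRequested", []):
            values = claim.get("Values") or [claim.get("Value")]
            for value in values:
                pairs.append((claim["Type"], value))
    return pairs


def validate_custom_control(control):
    """Return a list of problems in a custom control definition (empty if OK).
    The problem strings are constructed for this example."""
    problems = []
    client_id = control.get("ClientId", "")
    if not client_id or client_id.startswith("<"):
        problems.append("ClientId placeholder not replaced")
    if control.get("DiscoveryUrl") != EXPECTED_DISCOVERY_URL:
        problems.append("DiscoveryUrl is not the LastPass OpenID discovery endpoint")
    if ("amr", "2fa") not in required_claims(control):
        problems.append("no control requests the amr=2fa claim")
    return problems


def decode_unverified_payload(token):
    """Decode the payload segment of a JWT WITHOUT verifying its signature.
    Use only to inspect a token in a lab; a relying party must verify the
    signature against the jwks_uri from the discovery document first."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def token_satisfies_control(payload, control):
    """True if the payload carries every claim the control requests.
    amr is a JSON array in OpenID Connect, so list membership is checked."""
    for claim_type, value in required_claims(control):
        present = payload.get(claim_type)
        if isinstance(present, list):
            if value not in present:
                return False
        elif present != value:
            return False
    return True


def build_unsigned_token(payload):
    """Build a constructed, unsigned test token (demo fixture only, not a
    real id_token) so that decode_unverified_payload has input to parse."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


if __name__ == "__main__":
    print(validate_custom_control(CONTROL_TEMPLATE))  # placeholder still present
    filled = dict(CONTROL_TEMPLATE, ClientId="example-client-id-placeholder")
    print(validate_custom_control(filled))
    mfa_done = build_unsigned_token({"sub": "user@example.com", "amr": ["pwd", "2fa"]})
    pwd_only = build_unsigned_token({"sub": "user@example.com", "amr": ["pwd"]})
    print(token_satisfies_control(decode_unverified_payload(mfa_done), filled))
    print(token_satisfies_control(decode_unverified_payload(pwd_only), filled))
```

Run the script after editing the JSON in your text editor; an empty list from validate_custom_control means the definition is ready to paste into the Azure portal. The token check mirrors what Azure AD does with the custom control: only a token whose amr array contains 2fa satisfies the grant control.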
Configure Conditional Access for Azure AD.
- Sign in to your Azure AD account at https://portal.azure.com.
- Go to .
- Select Custom controls.
- Select New custom control.
- Copy the JSON you prepared in the Add the Microsoft Azure AD app section above, then paste it in the custom control window.
Note: You must include your unique Client ID.
- Select .
- Enter a name for your policy (for example, LastPass Multifactor Authentication).
- Select Users and groups, then select your desired users and groups (for example, All users).
Tip: To avoid being locked out as admin when setting Conditional Access, create a test AD group that does not include admins.
- Select Cloud apps or actions, then select the cloud application(s) for which you want to require Multifactor Authentication using the LastPass Authenticator app (for example, All cloud apps).
- Under Access controls, select Grant.
- Select the Grant access option.
- Check the box to enable the LastPass Identity MFA Login option.
- When finished, click Select.
- Under the "Enable policy" section, toggle the switch to On.
Important: If you want to edit or delete the integration later, disable conditional access on Azure before applying any changes in LastPass.
- Select Create.
Result: You have completed the setup steps in the Azure AD portal, and your users are now required to use the LastPass Authenticator app for authentication.
Send the LastPass Authenticator app activation email to users.
- Send an activation email to all users who have not already activated their account to use the LastPass Authenticator app.
Result: A new activation email is sent to all required users with instructions on how to activate passwordless authentication.
Result: Going forward, when your users log in to Azure AD SSO with their Azure AD account password, they will be prompted to authenticate using the LastPass Authenticator app.
Figure 1. LastPass Authenticator push notification on iOS
Figure 2. LastPass Authenticator push notification on Android