How do I convert an existing LastPass user to a federated (AD FS or PingFederate) user?

    Once you have set up federated login via Active Directory (using AD FS or PingFederate), you can use both the new Admin Console and the LastPass AD Connector to convert existing, non-federated users (i.e., user accounts that existed before you set up federated login, or defederated users whose accounts were previously federated) into federated user accounts without the risk of any data loss.
    About this task:

    As a best practice, it is recommended that you inform your non-federated users when their account will be converted to a federated status, because users who are actively logged in to LastPass while their account is being migrated will be logged out once the migration process is complete. Once logged out, all newly federated users must use their Active Directory credentials to log in to LastPass from then on. Additionally, an email notification is automatically sent to newly federated users that contains instructions for their new login experience going forward.

    Limitations:
    • Converting existing users to a federated user status is only supported if the users are listed in the provisioning groups within the user group filter of the Sync settings for the LastPass AD Connector and were synced to LastPass via the LastPass AD Connector.
    • Users who were created manually or by another method cannot be converted to federated users using the steps outlined below. For those existing users created by another method, make sure the users are part of the groups that are synced to LastPass via the LastPass AD Connector.
    • Once the migration process has been started on the LastPass AD Connector, all active syncing is paused, and it resumes after the migration process is complete.
    • If an existing (non-federated) LastPass Business user account has linked a personal account before they are migrated, the personal account will become unlinked during the migration process.
    • All federated users must always log in using a LastPass component (i.e., web browser extension, desktop app, or mobile app) in order to be redirected to your organization's Identity Provider (AD FS or PingFederate) sign-in page. This means that logging in via your online web vault (via the LastPass website) at https://lastpass.com/?ac=1 does not support federated login.
    Important: Make sure that you use the latest LastPass AD Connector (version 1.5.857 or newer).
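    The first two limitations above mean that a user you select in the Admin Console will silently fail to convert unless they are a member of a group the AD Connector syncs. The following pre-flight check is an added example, not part of LastPass's tooling or documentation; it assumes the ActiveDirectory PowerShell module is installed, and the group names and user principal names are placeholders you replace with your own sync groups and the users you intend to select in Step #2.

```powershell
# Added pre-flight check (not LastPass's own code). Assumes the ActiveDirectory
# PowerShell module is available on the machine running it.
Import-Module ActiveDirectory

# Placeholder values: replace with the provisioning groups from the AD Connector's
# user group filter and the users you plan to select in the Admin Console.
$SyncGroups = @('LastPass-Users', 'LastPass-Admins')
$Candidates = @('alice@corp.example', 'bob@corp.example')

# Collect every user reachable from the sync groups (nested groups included),
# keyed by lower-cased UPN so the lookup matches what the Admin Console shows.
$synced = @{}
foreach ($g in $SyncGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties UserPrincipalName
            if ($u.UserPrincipalName) { $synced[$u.UserPrincipalName.ToLower()] = $g }
        }
}

# Report each candidate. A user marked 'NOT IN SYNC GROUP' will not be converted
# by the Federation tab and must be added to a synced group before Step #3.
foreach ($upn in $Candidates) {
    $key = $upn.ToLower()
    if ($synced.ContainsKey($key)) {
        [pscustomobject]@{ User = $upn; Status = 'OK'; SyncGroup = $synced[$key] }
    } else {
        [pscustomobject]@{ User = $upn; Status = 'NOT IN SYNC GROUP'; SyncGroup = $null }
    }
}
```

    Run it before Step #2 and fix any 'NOT IN SYNC GROUP' users in AD, then let the AD Connector sync them before selecting them for federation.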

    Step #1: Set up federated login for LastPass Business using AD FS or PingFederate

    Step #2: Select the users you want to convert in the Admin Console

    1. Log in to the Admin Console at https://admin.lastpass.com/.
    2. Go to Users > Users.
    3. You can use the Search field or Filter users option to filter and select individual users.
    4. Select the users you want to add to Federated Login.
    5. Click More actions, then select Enable federated login.

      Result: Your selected users are now marked for conversion.

    Step #3: Migrate your selected users in the LastPass AD Connector

    1. Open the LastPass AD Connector and log in with your LastPass Business account.
    2. Select Federation in the left navigation.
    3. When ready, click Federate, and the progress of the migration is displayed.
    4. Once the migration is complete, a confirmation message is displayed that includes:
      • The total number of selected users that were converted to a federated user status
      • The file path of the migration report in XML format

    Step #4: Check federated user statuses in Admin Console

    Once the LastPass AD Connector displays that the migration is complete, return to the Admin Console to verify the status of your federated user migration.

    1. Log in to the Admin Console at https://admin.lastpass.com/.
    2. Go to Users > Users.

      Result: The Federated Login status column displays the federated status of your users. For more information, see View user statuses in the new Admin Console.

    Results: Once all of your users have been migrated, your newly federated users will receive an email containing instructions on how they can log in using their federated account.