How do I convert an existing LastPass user to a federated (Azure AD, Okta, Google Workspace, PingOne, or OneLogin) user?

    Once you have set up federated login via Azure AD, Okta, Google Workspace, PingOne, or OneLogin, you can use both the LastPass Admin Console and the Azure AD, Okta, Google Workspace, PingOne, or OneLogin portal to convert existing, non-federated users (i.e., user accounts that existed before you set up federated login or defederated users whose accounts were previously federated) into federated user accounts without the risk of any data loss.
    Before you begin:

    As a best practice, it is recommended that you inform your non-federated users when their account will be converted to a federated status, as those users who are actively logged in to LastPass while their account is being migrated will be logged out once the migration process is complete. Once logged out, all newly federated users will be required to use their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account in order to log in to LastPass from now on. Additionally, an email notification is automatically sent to newly federated users that contains instructions for their new login experience going forward.

    Limitations:
    • Users can only be converted to a federated user if they are synchronized from Azure AD, Okta, Google Workspace, PingOne, or OneLogin – this means they must be assigned to the LastPass application in Azure AD, Okta, Google Workspace, PingOne, or OneLogin.
    • If an existing (non-federated) LastPass Business user account has linked a personal account before they are migrated, the personal account will be unlinked during the migration process. Once complete, the newly federated user can log in and link their personal account again.
    • All federated users must always log in using a LastPass component (i.e., web browser extension, desktop app, or mobile app) in order to be redirected to your organization's Identity Provider (Azure AD, Okta, Google Workspace, PingOne, or OneLogin) sign in page. This means that logging in to the online vault via the website at https://lastpass.com/?ac=1 does not support federated login.

    Step #1.5: Sync all users to your LastPass Business account

    If there are users who already have a personal LastPass account (created with their company email address) but are not yet listed in your company's account, you must sync those users first. Each user then activates their LastPass Business account so that it is ready to be converted to federated login.

    Once synced, the end user can join their existing personal account with your company's account by clicking the activation link in their Welcome email.

    The next time the user logs in to LastPass, they will be associated with your company's account and are ready to be converted to use federated login.
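    The limitations above and Step #1.5 reduce to a reconciliation between two lists: the users assigned to the LastPass application in your Identity Provider and the users currently in your LastPass Business account. The script below is an added example, not LastPass or Identity Provider tooling; it assumes you have exported both lists as CSV yourself, and the column names (email, federated) and the sample rows are constructed for illustration. It sorts every account into the action the article calls for: convert now (Step #2), sync first (Step #1.5), already federated, not assigned in the IdP (cannot be converted until it is), or already federated but no longer assigned (a user who will be unable to complete the IdP sign-in described in Step #3).

```python
"""Pre-flight reconciliation for a LastPass federated-login migration.

Added example, not LastPass code. Both inputs are lists you export yourself:
the users assigned to the LastPass app in your IdP, and the users in the
LastPass Admin Console. Column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample exports (not real data). The "email" and "federated"
# column names are assumptions about how the two lists were exported.
IDP_ASSIGNED_USERS_CSV = """email
Alice@Example.com
bob@example.com
dana@example.com
"""

LASTPASS_USERS_CSV = """email,federated
alice@example.com,false
bob@example.com,true
carol@example.com,false
erin@example.com,true
"""


@dataclass
class MigrationPlan:
    convert: List[str] = field(default_factory=list)                   # Step #2 candidates
    already_federated: List[str] = field(default_factory=list)         # nothing to do
    needs_sync: List[str] = field(default_factory=list)                # Step #1.5 first
    not_assigned_in_idp: List[str] = field(default_factory=list)       # cannot convert yet
    federated_but_unassigned: List[str] = field(default_factory=list)  # IdP sign-in will fail


def normalise(email: str) -> str:
    """Compare addresses case-insensitively; IdPs often preserve display case."""
    return email.strip().lower()


def load_idp_assignments(text: str) -> Set[str]:
    """Emails of users assigned to the LastPass app in the IdP."""
    return {
        normalise(row["email"])
        for row in csv.DictReader(io.StringIO(text))
        if row["email"].strip()
    }


def load_lastpass_users(text: str) -> Dict[str, bool]:
    """Map of LastPass user email -> whether the account is already federated."""
    users: Dict[str, bool] = {}
    for row in csv.DictReader(io.StringIO(text)):
        if not row["email"].strip():
            continue
        users[normalise(row["email"])] = row["federated"].strip().lower() in ("true", "yes", "1")
    return users


def build_plan(idp_csv: str, lastpass_csv: str) -> MigrationPlan:
    """Bucket every account by the action the migration procedure requires."""
    assigned = load_idp_assignments(idp_csv)
    lastpass = load_lastpass_users(lastpass_csv)
    plan = MigrationPlan()
    for email in sorted(lastpass):
        federated = lastpass[email]
        if email in assigned:
            (plan.already_federated if federated else plan.convert).append(email)
        elif federated:
            # Federated users can only sign in via the IdP; an unassigned one is locked out.
            plan.federated_but_unassigned.append(email)
        else:
            # Limitation: only users synchronised from the IdP can be converted.
            plan.not_assigned_in_idp.append(email)
    # Assigned in the IdP but not yet in the company account: sync them first (Step #1.5).
    plan.needs_sync = sorted(assigned - set(lastpass))
    return plan


def main() -> None:
    plan = build_plan(IDP_ASSIGNED_USERS_CSV, LASTPASS_USERS_CSV)
    for bucket, users in vars(plan).items():
        print(f"{bucket}: {users}")


if __name__ == "__main__":
    main()
```

    Run it against the real exports before selecting users in Step #2: only the convert bucket should be ticked, the needs_sync bucket goes through Step #1.5 first, and anything in federated_but_unassigned should be re-assigned in the IdP before the user is told to log in.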

    Step #2: Select the users you want to convert in the Admin Console

    1. Log in to the Admin Console at https://admin.lastpass.com/.
    2. Go to Users > Users.
    3. You can use the Search field or Filter users option to filter and select individual users.
    4. Select the users you want to add to Federated Login.
    5. Click More actions, then select Enable federated login.
    Results: Your selected users are now marked for conversion.

    Step #3: Selected users must log in to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account

    About this task: Users selected for conversion in Step #2 above must log in to LastPass to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account, as follows:
    1. The user logs in with their existing username and master password via the LastPass browser extension only.
    2. Upon logging in to LastPass, the user is redirected to their Azure AD, Okta, Google Workspace, PingOne, or OneLogin (Identity Provider) sign in page, where they must sign in with their Identity Provider account.
    3. A progress bar is displayed to indicate that the user's LastPass vault is being re-encrypted with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account.
    4. Once complete, the user must log in again (using the LastPass web browser extension).
    5. The user is redirected to their company's federated login page (Identity Provider sign-in page), where they can finish signing in to LastPass using their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account credentials.
    Results: The user's LastPass account is now activated to use federated login, and they will continue to use their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account credentials to access their LastPass vault. The newly converted federated login user(s) must use their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account to sign in to LastPass going forward.

    Step #4: Check federated user statuses in the new Admin Console

    You can return to the new Admin Console to oversee the progress of your federated user migration and confirm which selected users have completed the re-encryption in Step #3.

    Results: Once all of your users have been migrated, your newly federated users will receive an email containing instructions on how they can log in using their federated account.
    What to do next: