
How do I defederate and refederate users?

    You can defederate and then refederate your federated users to increase their security by re-encrypting their vaults.

    About this task: To defederate and refederate your users, perform the following instructions:
    1. Defederate your federated users in the LastPass new Admin Console.
    2. Refederate your users.
    3. Perform one of the following sets of instructions, depending on your federation service:
      • For Azure AD, Okta, Google Workspace, PingOne or OneLogin: Users selected for federated login must log in to re-encrypt their vault.
      • For AD FS or PingFederate: Migrate your selected users in the LastPass AD Connector.
    4. Check federated user statuses.

    Step #1: Defederate your federated users in the new Admin Console

    About this task:
    Attention: The "Reset master password" option only becomes available after the selected user has logged out and logged back in using the LastPass browser extension (logging in via the LastPass website at https://lastpass.com will not activate the "Reset master password" option for the admin). For more information about the encryption process, view What is the encryption process when a super admin resets a master password?
      1. Enable the "Permit super admins to reset master passwords" policy.
      2. The user logs in via the LastPass browser extension, which activates the policy enabled in step 1 above.
        Note: At this point, the listed super admin has the option in the new Admin Console to reset the master password for the selected user.

    Review important information.

      Before proceeding, please be aware of the following:
        Warning: When you reset a user's master password, any personal LastPass account linked to that user is automatically de-linked from their company LastPass account. If desired, the user can link their personal account again.
        Note: A super admin can select Disable federated login for users who have the Selected federated status. These users will have to use their previous master password to log in using the LastPass browser extension after they are re-federated in Step #3 below. The LastPass vault of these users is not re-encrypted when they are re-federated, because their master password is not changed.

      Reset the user's master password (as a Super Admin).

      1. Log in with your email address and master password to access the new Admin Console at https://admin.lastpass.com.
      2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
      3. Go to Users > User.
      4. Select the user you want to defederate.
      5. Select Reset master password.
        (Screenshot: Reset a user's master password in the new Admin Console)
      6. When prompted, enter your own master password then select Submit.
      7. Enter a new master password for the user, then re-enter to confirm.
        Important: The new master password you defined is not saved anywhere by default, so LastPass recommends saving it somewhere safe until you have shared it with the user.
      8. Optional: Select Change the user's email and enter a new email address, then re-enter it to confirm (this updates their LastPass username).
      9. Optional: Uncheck the Force password change on next login setting to disable it (this setting is enabled by default as a security best practice).
      10. Click Close when finished.
    Results: You have defederated your selected user.
    What to do next: In the case of a company-wide refederation, update the company-wide K1 by performing one of the following sets of instructions, based on your selected provider:

    Step #2: Refederate your users

    1. Log in to the new Admin Console at https://admin.lastpass.com/.
    2. Go to Users > Users.
      Tip: In the old Admin Console under Settings > Federated Login > Federated user you can also select groups for re-federation if you need to work with a large number of users. If you don’t have a group for federated users, consider creating one to simplify mass operations. For more information about groups, view adding and managing LastPass Business Groups.
    3. Use the Search field or the Filter users option to filter for the Not federated user status, then select individual users.
    4. Select the users you want to add to Federated Login.
      (Screenshot: Enabling federated login for users)
    5. Click More actions, then select Enable federated login.
    Results: Your selected users are now marked for conversion.

    Step #3: Perform one of the following sets of instructions, depending on your federation service

    • For Azure AD, Okta, Google Workspace, PingOne or OneLogin: Users selected for federated login must log in to re-encrypt their vault.
    • For AD FS or PingFederate: Migrate your selected users in the LastPass AD Connector.

    Users selected for federated login must log in to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account

    About this task: Users selected for conversion in Step #2 above (those with the Selected status) must log in to LastPass to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account, as follows:
    1. The user logs in with their existing username and master password via the LastPass browser extension only.
    2. Upon logging in to LastPass, the user is redirected to the sign-in page of their Identity Provider (Azure AD, Okta, Google Workspace, PingOne, or OneLogin), where they must sign in with their account for that Identity Provider.
    3. A progress bar indicates that the user's LastPass vault is being re-encrypted with their Identity Provider account.
    4. Once complete, the user must log in again (using the LastPass browser extension).
    5. The user is redirected to their company's federated login page (the Identity Provider sign-in page), where they finish signing in to LastPass using their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account credentials.
    Results: The user's LastPass account is now activated for federated login. From this point on, the newly converted federated user(s) must use their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account credentials to sign in to LastPass and access their vault.

    Migrate your selected users in the LastPass AD Connector for AD FS or PingFederate

    1. Open the LastPass AD Connector and log in with your LastPass Business account as a super admin.
    2. Select Migration in the left navigation.
    3. When ready, click Migrate, and the progress of the migration is displayed.
    4. Once the migration is complete, a confirmation message is displayed that includes:
      • The total number of selected users that were converted to a federated user status
      • The file path of the migration report in XML format
      (Screenshot: Migration tab of the LastPass AD Connector)

    Step #4: Check federated user statuses in new Admin Console

    You can return to the new Admin Console to oversee the progress of your federated user migration by viewing federated statuses.

    Results: Once all of your users have been migrated, your newly federated users will receive an email containing instructions on how they can log in using their federated account.