HELP FILE

How do I set up LastPass MFA for Microsoft AD FS?

    To begin the setup process for using LastPass MFA for Microsoft AD FS as a LastPass Business admin, you must first provision your users via the LastPass AD Connector, then require those users to set up the LLastPass Authenticator to protect their vaults. Next, configure the LastPass AD FS MFA installer and distribute the MSI package to your AD FS server farm.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    Before you begin:

    System requirements:

    • The LastPass AD FS integration supports AD FS on Windows Server 2016 and 2019.
    Important:

    Before starting the deployment steps, familiarize yourself with passwordless login administration and verify that your AD FS Server is functional and working with all relying party applications.

    End users are required to have an active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator for multifactor authentication to protect their vault.

    Step #1: Set up the LastPass AD Connector

    The LastPass AD Connector must be installed and set up to provision your LastPass users, which will allow to keep user database (attributes, states, and so on) in sync between LastPass and the Active Directory.

    To get started, see Set up the LastPass Active Directory Connector.

    Step #2: End users set up the LastPass Authenticator

    Once your users are provisioned via the LastPass AD Connector, they must enable and enroll the LastPass Authenticator to use for multifactor authentication to protect their LastPass vault.

    Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator the next time they log in to LastPass (for more information, see How do I manage general policies in the new Admin Console?).

    Instruct your end users to follow the steps to enable and enroll the LastPass Authenticator as their multifactor option for their LastPass vault.

    Step #3: Prepare the LastPass AD FS integration installer package

    Download the MSI installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your AD FS farm.

    Follow the steps to download and configure LastPass MFA for Microsoft AD FS.

    Step #4: Distribute the LastPass AD FS integration to all your AD FS servers

    Once configured, you can distribute the MSI installer (setup.msi).

    Setup is complete

    You successfully deployed LastPass MFA for Microsoft AD FS to your users.
    What to do next: Inform your users that the next time they log in to any relying party apps through AD FS, they will see a LastPass MFA prompt after they entered their AD credentials. In order to finish the authentication process users are prompted on their mobile device to authenticate via the LastPass Authenticator app. Once authenticated, they are logged in to their Windows user account.