HELP FILE

If I change my company's domain, how do I make sure my LastPass users are updated?

    If you have a LastPass Business account and plan on changing your company's domain, you will want your users' email addresses to reflect the new domain.

    Important: Please be aware that it is not possible for LastPass Support to change the username/email address of a LastPass account; the master password is required to re-encrypt the user's LastPass vault, and the master password is never known to LastPass because we support a zero-knowledge security model.
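
    Why an email change needs the master password, as an added example that is not LastPass code: it models a vault key derived from the master password with the email address as salt, with an HMAC-based cipher standing in for the real one. The salt choice, iteration count, function names, addresses and vault content are assumptions of this example; the page itself only states that the master password is required to re-encrypt the vault.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed demo value, not a LastPass setting

def derive_key(email: str, master_password: str) -> bytes:
    # Assumption of this example: the email address acts as the KDF salt.
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES (not in the standard library): HMAC-SHA256 in counter mode.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key does not match this vault")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def change_email(blob: bytes, old_email: str, new_email: str, master_password: str) -> bytes:
    # Decrypt under the old email's key, re-encrypt under the new one.
    # Both derivations need the master password, which only the user holds.
    plaintext = open_vault(derive_key(old_email, master_password), blob)
    return seal_vault(derive_key(new_email, master_password), plaintext)

# Constructed sample data.
OLD, NEW, PW = "alice@old-corp.example", "alice@new-corp.example", "correct horse battery"
SECRET = b'{"site": "intranet", "password": "s3cret"}'

if __name__ == "__main__":
    vault = change_email(seal_vault(derive_key(OLD, PW), SECRET), OLD, NEW, PW)
    print(open_vault(derive_key(NEW, PW), vault) == SECRET)
```

    In this model, a party that knows only the old and new addresses cannot produce the re-encrypted vault, which matches the page's statement that Support cannot perform the change.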

    Users that were manually added to LastPass

    Users who were manually added to a LastPass account can update their email addresses themselves within the Account Settings of their LastPass user account (instructions here).

    Users that were added via automated provisioning

    If you are a LastPass admin and have added your LastPass users via automated provisioning (i.e., LastPass AD Connector, Azure, Okta, Okta Hybrid, Google Workspace, PingOne, OneLogin, Provisioning API), you can update your users' email addresses in two different ways (listed below as Option #1 and Option #2).

    Restriction: Automatic email changes are not supported for users provisioned by Federated Login using AD FS (both the traditional and simplified versions) or PingFederate. This means that a LastPass admin must manually change the email addresses of these users using Option #1 below.

    Option #1: Update each user manually within the Admin Console

    If you are an admin with the "Permit super admins to reset master passwords" policy enabled, you can choose to change each user's LastPass email address manually.

    Attention: In order to make this change, you are required to manually reset the user's master password.
    1. Log in with your email address and master password to access the new Admin Console at https://admin.lastpass.com.
    2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
    3. Select Users in the top toolbar.
    4. Check the box next to your desired user.
    5. Click Reset Master Password.
    6. Click OK.
    7. Enter your own master password, then click Submit.
    8. Click Change the user's email.
    9. Enter a new master password for this user, then re-enter to confirm it. This is required.
    10. Enter the new email address, then re-enter to confirm it.

      Tip: If you do not want to force the user to change their master password, uncheck the Force password change on next login option (checked by default).

    11. Click Submit.

      [Screenshot: Change email and Master Password for user]

    Results: You have manually updated your selected user's email address and reset their master password.
    What to do next: The user can now log in to LastPass using their updated email address and the master password you set for them (or if you enabled the setting to force password change, they will be prompted to change their master password upon their next login).

    Option #2: Update automatically and force user action

    As a LastPass admin, you can update your user objects with the new email domain as the email attribute value. This will trigger an email notification to be sent to your users.

    Please note that automatic email changes for this option are supported for users provisioned in the following ways, and the user experience will vary (as shown below):
    • Active Directory integration – Using the LastPass AD Connector, SCIM Provisioning via Azure AD, Okta, OneLogin, and PingOne
    • Federated login implementation – Using Azure, Okta, Okta Hybrid (which requires the LastPass AD Connector), Google Workspace and PingOne
      Restriction: Automatic email changes are not supported for users provisioned by Federated Login using AD FS (both the traditional and simplified versions) or PingFederate. This means that a LastPass admin must manually change the email addresses of these users using Option #1 above.

    User experience for users provisioned via Active Directory integration

    1. User receives an email indicating that their LastPass email address has changed.

      [Screenshot: Email changed notification]

    2. User logs in to the LastPass browser extension with their current email address and master password.

      Attention: Email changes can only be made using the LastPass browser extension.

    3. When prompted to confirm the email change, the user must enter their master password and click Confirm.
    Results: The user has successfully completed the email change.
    [Screenshot: Confirm email change]

    User experience for users provisioned via federated login implementation

    1. The user receives an email indicating that their LastPass email address has changed.
    2. The user enters their current email address.

      Result: The user is recognized as a federated login user, and the "master password" field disappears.

    3. The user clicks Log In.

      [Screenshot: Federated Login User - Login screen]

      Result: The user is redirected to their company's sign-in page.

    4. The user enters their company credentials, then proceeds to sign in.
    5. On the "Confirm email change" screen, the user's email address is pre-populated, and they click Confirm.

      Result: The user's vault is re-encrypted with the new email address.

    6. The user clicks the inactive LastPass icon in their toolbar, then enters their updated email address.

      Result: The user is recognized as a federated login user, and the "master password" field disappears.

    7. The user clicks Log In.

      Result: The user is redirected to their company's sign-in page again.

    8. The user enters their company credentials, then proceeds to sign in.
    Results: The user has successfully completed the email change, and an active LastPass icon is now displayed in their web browser toolbar.