Reset a user's master password (super admin)
LastPass admins can enable the "Permit super admins to reset master passwords" policy for their account to allow designated admins to reset a user's master password.
Once enabled, user accounts will be able to have their master passwords reset as long as they have logged in to the LastPass browser extension at least once.
Attention: The "Reset master password" option only becomes available after the selected user has logged out and logged back in using the LastPass browser extension. Logging in via the LastPass website at https://lastpass.com does not activate the "Reset master password" option for the admin. For more information about the encryption process, see "What is the encryption process when a super admin resets a master password?"
Restriction: If a user is assigned to a role in the old Admin Console, you cannot reset the user's master password in the new Admin Console. To reset the master password of a user with a role in the old Admin Console, remove the user from the role in the old Admin Console, and assign a custom admin level to the user in the new Admin Console.
In the new Admin Console
Enable the policy.
User activates the policy.
Review important information.
Reset the user's master password (as a Super Admin).
Results: You have reset your selected user's master password.
In the old Admin Console
Results: You have reset your selected user's master password.
What to do next:
Important: If you have been added as a super admin in your account's policies and do not see the "Super admin master password reset" option for a user, it may mean that the user has not yet logged out of their active LastPass session. You can force user log off, then advise them to log back in to their account via the LastPass browser extension (not the website). Once they have done so, you can refresh the User page in the Admin Console and try again.
Important: If your LastPass Business organization is using federated login to provision new users (using AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin), then the master password used to log in to LastPass using their Identity Provider account is the password that is stored in their Identity Provider. Resetting a federated user's master password converts them to non-federated user status. Before the user can be re-federated, they must log in using their new master password. Learn how they can become a federated user again without the risk of data loss using AD FS or PingFederate or using Azure AD, Okta, Google Workspace, PingOne, or OneLogin.