HELP FILE

Step #2: Configure the Provisioning App for LastPass in Azure AD

    Once you have acquired the Connection URL and Provisioning Token, you will need to create the Provisioning App for LastPass and enter those values, as well as configure your group and user attributes.

    The steps below are performed in the Azure AD portal.
    • First, create the Provisioning App for LastPass.
      1. Log in to your Azure AD portal with your administrator account credentials at https://portal.azure.com.
      2. Go to Azure Active Directory > Enterprise Applications > New application.
      3. Click Create your own application.

        New application in Azure AD portal

      4. Enter a name for your Provisioning App (e.g., LastPass Provisioning App).

        Note: You can use the image below to upload as the App logo, if needed:

      5. Select the radio button for the Integrate any other application you don't find in the gallery option.
      6. Click Create.

        Create your own app in Azure AD portal

      7. Select Provisioning in the left navigation, then click Get Started.
      8. For Provisioning Mode, use the drop-down menu and select Automatic.
      9. Under Admin Credentials, do the following:
        • In the "Tenant URL" field, paste the Connection URL you copied from the LastPass Admin Console (from Step #5 in the previous article).
        • In the "Secret Token" field, paste the Provisioning Token you copied from the LastPass Admin Console (from Step #6 in the previous article).
      10. Click Test Connection to have Azure AD attempt to connect to your LastPass Admin Console.

        Troubleshooting: If the connection attempt fails, error information is displayed.

      11. Click Save to store the values in the Admin Credentials section.

    • Next, configure your group attribute mappings.
      1. Select Mappings in the new section (below the Test Connection button).
      2. Select Provision Azure Active Directory Groups to configure group object mappings.
      3. Scroll down and check the box for Show advanced options.
      4. Click Edit attribute list for customappsso, then make the following selections:
        For each of these customappsso Group Attribute Names, select the settings listed under it:
        id:
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
        externalID:
        • Type = String
        • Check box for Required?
        displayName:
        • Type = String
        • Check box for Required?
        members:
        • Type = Reference
        • Check box for Multi-Value?
        • Referenced Object Attribute = Use the drop-down menu and select both of the following:
          • urn:ietf:params:scim:schemas:core:2.0:Group
          • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
      5. Select Save > Yes and return to Attribute Mapping.

        Editing customappsso Group Attributes settings

    • Next, configure your user attribute mappings.
      1. Under Mappings, select Provision Azure Active Directory Users to configure user object mappings.

        Restriction: These setup instructions do not support configurations where the userPrincipalName and the email address are different.

        Important: The "customappsso Attribute" value that maps to the userName configuration (i.e., the userPrincipalName as the Azure Active Directory Attribute Name, as shown in the table below) must contain a valid email address, as LastPass uses this value to email setup instructions to the user once they are provisioned.

      2. View the default Azure Active Directory Attribute Mapping list, which will display the following (unless the attributes were previously adjusted):
        Azure Active Directory Attribute Name (with its default configuration):
        userPrincipalName:
        • customappsso Attribute = userName
        • Matching precedence = 1
        Switch([IsSoftDeleted], ,"False", "True","True","False"):
        • customappsso Attribute = active
        displayName:
        • customappsso Attribute = displayName
        mailNickname:
        • customappsso Attribute = externalId

        Figure 1. Azure Active Directory Attribute mappings (default settings before updating)

      3. Scroll down and select the Show advanced options setting.
      4. Click Edit attribute list for customappsso, then make the following selections:
        For each of these customappsso User Attributes, select the settings listed under it:
        id:
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
        active:
        • Type = Boolean
        Troubleshooting: If the "active" attribute is missing from the list, please perform these troubleshooting steps.
        userName:
        • Type = String
        • Check box for Required?
        externalID:
        • Type = String
        • Check box for Required?

        Figure 2. Editing customappsso User Attributes settings

      5. Select Save > Yes > Save and return to Attribute Mapping.
    • Finalize the attribute mappings for users.
      1. In the Attribute Mappings section, under the Azure Active Directory Attribute table, make the following selections:
        For each of these Azure Active Directory Attribute Names, apply the customappsso Attribute settings listed under it:
        userPrincipalName:
          1. Select userPrincipalName to open the Edit Attribute screen.
          2. Change the "Matching precedence" value from "1" to 2.
          3. Click OK.
        mailNickname:
          1. Select mailNickname to open the Edit Attribute screen.
          2. Change the "Source attribute" value from "mailNickname" to objectId.
          3. For the "Match objects using this attribute" setting, select Yes.
          4. Change the "Matching precedence" value from "2" to 1.
          5. Click OK.
        userPrincipalName (second pass):
          1. Select userPrincipalName to open the Edit Attribute screen once again.
          2. For the "Match objects using this attribute" setting, select No.
          3. Click OK.
    • Delete all other attribute mappings.
      1. Only the following required mappings should be present after deleting all other attributes, and must be configured correctly:
        Azure Active Directory Attribute (with its configured and finalized settings):
        objectId:
        • customappsso Attribute = externalId
        • Matching precedence = 1
        Switch([IsSoftDeleted], ,"False", "True","True","False"):
        • customappsso Attribute = active
        displayName:
        • customappsso Attribute = displayName
        userPrincipalName:
        • customappsso Attribute = userName

        Warning: You must delete all other attributes listed except for the four attributes listed above, otherwise you will encounter synchronization issues.

        Figure 3. Azure Active Directory Attribute mappings (final settings after updating)

        Note: You can also configure an alternate email address (called "alternate login ID" in Azure terminology) belonging to the User Principal Name (UPN) of a user. This requires no additional user mapping. Please review the related Microsoft documentation. A summary of the steps required to enable email as an alternate login in Azure AD is provided here:

        1. Sign in as a global administrator to your Azure portal.
        2. Go to Azure Active Directory.
        3. On the left-hand side, click Azure AD Connect, then Email as alternate login ID on the main page.
        4. Select the Email as alternate login ID checkbox to activate email as an alternate login ID.
        5. Click Save.

        You may also have additional tasks to complete depending on when you added the alternate login IDs to your users on your Azure AD tenant. If you added the alternate login IDs before configuring them with LastPass, then they will be part of the provisioning process. However, if your LastPass configuration had already existed when you added the alternate login IDs, then you must start over from the beginning of the provisioning process so that the alternate login IDs will be carried over during configuration.

      2. Select Save > Yes and return to Attribute Mapping.
      3. Select Provisioning in the breadcrumb menu at the top.
      4. Select Settings then toggle the "Provisioning Status" switch to On.
      5. Click Save.

        Enable Provisioning in Azure AD

    You have created and configured your Provisioning app for LastPass and enabled synchronization for provisioning.
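    The following is an added example, not code from this help page or from LastPass or Microsoft: it models the four finalized user mappings and the group mapping above as the SCIM 2.0 payloads they produce, so you can reason about what the Switch expression for "active", the email restriction on userName, and the objectId-only matching precedence mean before you toggle provisioning on. All ids and names in it are constructed placeholders.

```python
import re
# Added example, not the page's own code; models the finalized customappsso mappings.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Final table: externalId (objectId) has precedence 1 and is the only match key;
# userName (userPrincipalName) has precedence 2 but "match on this attribute" = No.
MATCH_ATTRS = ["externalId"]

# Constructed sample objects (placeholder ids, not real tenant data).
SAMPLE_USER = {"objectId": "11111111-2222-3333-4444-555555555555",
               "userPrincipalName": "alice@example.com",
               "displayName": "Alice Example", "IsSoftDeleted": "False"}
SAMPLE_GROUP = {"objectId": "66666666-7777-8888-9999-000000000000",
                "displayName": "LastPass Users",
                "members": [SAMPLE_USER["objectId"], "not-yet-provisioned"]}

def switch_active(is_soft_deleted):
    """Mirror Switch([IsSoftDeleted], , "False","True", "True","False"):
    "False" -> "True", "True" -> "False", anything else -> the empty default."""
    return {"False": "True", "True": "False"}.get(is_soft_deleted, "")

def map_user(aad_user):
    """Apply the four finalized user mappings to one Azure AD user object."""
    upn = aad_user["userPrincipalName"]
    if not EMAIL_RE.match(upn):  # LastPass emails setup instructions to userName
        raise ValueError(f"userName {upn!r} is not a valid email address")
    return {"schemas": [SCIM_USER],
            "externalId": aad_user["objectId"],
            "userName": upn,
            "active": switch_active(aad_user["IsSoftDeleted"]) == "True",
            "displayName": aad_user["displayName"]}

def find_match(scim_user, existing):
    """Find an already-provisioned user using only the configured match keys,
    so a UPN rename updates the existing account instead of creating another."""
    for attr in MATCH_ATTRS:
        for candidate in existing:
            if candidate.get(attr) == scim_user[attr]:
                return candidate
    return None

def map_group(aad_group, provisioned):
    """Group mapping; members are references to provisioned users' SCIM ids."""
    return {"schemas": [SCIM_GROUP],
            "externalId": aad_group["objectId"],
            "displayName": aad_group["displayName"],
            "members": [{"value": provisioned[m]["id"]}
                        for m in aad_group["members"] if m in provisioned]}
```

A group member whose user has not been provisioned yet is skipped rather than sent as a dangling reference, which is the situation the Warning about leftover attribute mappings and synchronization issues is guarding against.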