HELP FILE

Step #2: Configure the Provisioning App for LastPass in Azure AD

    Once you have acquired the Connection URL and Provisioning Token, you will need to create the Provisioning App for LastPass and enter those values, as well as configure your group and user attributes.

    About this task: The steps below are performed in the Azure AD portal.
    • First, create the Provisioning App for LastPass.
      1. Log in to your Azure AD portal with your administrator account credentials at https://portal.azure.com.
      2. Go to Azure Active Directory > Enterprise Applications > New application.
      3. Click Create your own application.

        New application in Azure AD portal

      4. Enter a name for your Provisioning App (e.g., LastPass Provisioning App).

        Note: You can use the image below to upload as the App logo, if needed:

      5. Select the radio button for the Integrate any other application you don't find in the gallery option.
      6. Click Create.

        Create your own app in Azure AD portal

      7. Select Provisioning in the left navigation, then click Get Started.
      8. For Provisioning Mode, use the drop-down menu and select Automatic.
      9. Under Admin Credentials, do the following:
        • In the "Tenant URL" field, paste the Connection URL you copied from the LastPass Admin Console (from Step #5 in the previous article).
        • In the "Secret Token" field, paste the Provisioning Token you copied from the LastPass Admin Console (from Step #6 in the previous article).
      10. Click Test Connection to have Azure AD attempt to connect to your LastPass Admin Console.

        Troubleshooting: If the connection attempt fails, error information is displayed.

      11. Click Save to store the values in the Admin Credentials section.

    • Next, configure your group attribute mappings.
      1. Select Mappings in the new section (below Test Connection button).
      2. Select Provision Azure Active Directory Groups to configure group object mappings.
      3. Scroll down and check the box for Show advanced options.
      4. Click Edit attribute list for customappsso, then make the following selections:
        For this customappsso Group Attribute Name: Select these settings:
        id
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
        externalID
        • Type = String
        • Check box for Required?
        displayName
        • Type = String
        • Check box for Required?
        members
        • Type = Reference
        • Check box for Multi-Value?
        • Referenced Object Attribute = Use the drop-down menu and select the following:
          • urn:ietf:params:scim:schemas:core:2.0:Group
          • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
      5. Select Save > Yes and return to Attribute Mapping.

        Editing customappsso Group Attributes settings

    • Next, configure your user attribute mappings.
      1. Under Mappings, select Provision Azure Active Directory Users to configure user object mappings.

        Important: The "customappsso Attribute" value that maps to the userName configuration (i.e., the userPrincipalName as the Azure Active Directory Attribute Name, as shown in the table below) must contain a valid email address, as LastPass uses this value to email setup instructions to the user once they are provisioned.
        Note: You can also configure an alternate email address belonging to the User Principal Name (UPN) of a user. For more information, view How do I configure an alternate email as login ID instead of the default UPN?.

      2. View the default Azure Active Directory Attribute Mapping list, which will display the following (unless the attributes were previously adjusted):
        Azure Active Directory Attribute Name Default Configurations
        userPrincipalName
        • customappsso Attribute = userName
        • Matching precedence = 1
        Switch([IsSoftDeleted], ,"False", "True","True","False") customappsso Attribute = active
        displayName customappsso Attribute = displayName
        mailNickname customappsso Attribute = externalId

        Azure Active Directory Attribute mappings (default settings before updating)
        Figure 1. Azure Active Directory Attribute mappings (default settings before updating) Azure Active Directory Attribute mappings (default settings before updating)

      3. Scroll down and select the Show advanced options setting.
      4. Click Edit attribute list for customappsso, then make the following selections:
        For this customappsso User Attribute: Select these settings:
        id
        • Type = String
        • Check box for Primary Key?
        • Check box for Required?
        active Type = Boolean
        Troubleshooting: If the "active" attribute is missing from the list, please perform these troubleshooting steps.
        userName
        • Type = String
        • Check box for Required?
        externalID
        • Type = String
        • Check box for Required?


        Figure 2. Editing customappsso User Attributes settings
        Editing customappsso User Attributes settings

      5. Select Save > Yes > Save and return to Attribute Mapping.
    • Finalize the attribute mappings for users.
      1. In the Attribute Mappings section, under the Azure Active Directory Attribute table, make the following selections:
        For this Azure Active Directory Attribute Name: Select these customappsso Attribute settings:
        userPrincipalName
        1. Select userPrincipalName to open the Edit Attribute screen.
        2. Change the "Matching precedence" value from "1" to 2.
        3. Click OK.
        mailNickname
        1. Select mailNickname to open the Edit Attribute screen.
        2. Change the "Source attribute" value from "mailNickname" to objectId.
        3. For the "Match objects using this attribute" setting, select Yes.
        4. Change the "Matching precedence" value from "2" to 1.
        5. Click OK.
        userPrincipalName
        1. Select userPrincipalName to open the Edit Attribute screen once again.
        2. For the "Match objects using this attribute" setting, select No.
        3. Click OK.
    • Delete all other attribute mappings.
      1. Only the following required mappings should be present after deleting all other attributes, and must be configured correctly:
        Azure Active Directory Attribute Configured and Finalized Settings
        objectId
        • customappsso Attribute = externalId
        • Matching precedence = 1
        Switch([IsSoftDeleted], ,"False", "True","True","False") customappsso Attribute = active
        displayName customappsso Attribute = displayName
        userPrincipalName customappsso Attribute = userName

        Warning: You must delete all other attributes listed except for the four attributes listed above, otherwise you will encounter synchronization issues.
        Azure Active Directory Attribute mappings finalized
        Figure 3. Azure Active Directory Attribute mappings (final settings after updating) Azure Active Directory Attribute mappings finalized
        Note: You can also configure an alternate email address belonging to the User Principal Name (UPN) of a user. For more information, view How do I configure an alternate email as login ID instead of the default UPN?.

      2. Select Save > Yes and return to Attribute Mapping.
      3. Select Provisioning in the breadcrumb menu at the top.
      4. Select Settings then toggle the "Provisioning Status" switch to On.
      5. Click Save.

        Enable Provisioning in Azure AD

    • Enable requiring assignment.
      1. Navigate back to the Home directory at https://portal.azure.com/#home.
      2. Select Enterprise applications.
      3. Select LastPass Provisioning App.
      4. Select Properties.
      5. Set the Assignment required property to Yes.
      6. Select Save.

        Provisioning App setting Assignment required

    Results: You have created and configured your Provisioning app for LastPass and enabled synchronization for provisioning.
    Previous article: Step #1: Create a Provisioning Token and Capture the Connection URL in LastPass
    Next article: Step #3: Configure the Login App for LastPass in Azure AD