Hi! We are here to help you.

Once you have acquired the Connection URL and Provisioning Token, you will need to create the Provisioning App for LastPass and enter those values, as well as configure your group and user attributes.

• First, create the Provisioning App for LastPass.
  1. Log in to your Azure AD portal with your administrator account credentials at https://portal.azure.com.
  2. Go to Azure Active Directory > Enterprise Applications > New application.
  3. Click Create your own application.

     

  4. Enter a name for your Provisioning App (e.g., LastPass Provisioning App).
     Note: You can use the image below to upload as the App logo, if needed:

     

  5. Select the radio button for the Integrate any other application you don't find in the gallery option.
  6. Click Create.

     

  7. Select Provisioning in the left navigation, then click Get Started.
  8. For Provisioning Mode, use the drop-down menu and select Automatic.
  9. Under Admin Credentials, do the following:
     • In the "Tenant URL" field, paste the Connection URL you copied from the LastPass Admin Console (from Step #5 in the previous article).
     • In the "Secret Token" field, paste the Provisioning Token you copied from the LastPass Admin Console (from Step #6 in the previous article).
  10. Click Test Connection to have Azure AD attempt to connect to your LastPass Admin Console.
      Troubleshooting: If the connection attempt fails, error information is displayed.

  11. Click Save to store the values in the Admin Credentials section.

      

• Next, configure your group attribute mappings.
  12. Select Mappings in the new section (below Test Connection button).
  13. Select Provision Azure Active Directory Groups to configure group object mappings.
  14. Scroll down and check the box for Show advanced options.
  15. Click Edit attribute list for customappsso, then make the following selections:

      For this customappsso Group Attribute Name:	Select these settings:
      id	Type = String Check box for Primary Key? Check box for Required?
      externalID	Type = String Check box for Required?
      displayName	Type = String Check box for Required?
      members	Type = Reference Check box for Multi-Value? Referenced Object Attribute = Use the drop-down menu and select the following: urn:ietf:params:scim:schemas:core:2.0:Group urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

  16. Select Save > Yes and return to Attribute Mapping.

      

• Next, configure your user attribute mappings.
  17. Under Mappings, select Provision Azure Active Directory Users to configure user object mappings.
      Restriction: These setup instructions do not support configurations where the userPrincipalName and the email address are different.
      Important: The "customappsso Attribute" value that maps to the userName configuration (i.e., the userPrincipalName as the Azure Active Directory Attribute Name, as shown in the table below) must contain a valid email address, as LastPass uses this value to email setup instructions to the user once they are provisioned.

  18. View the default Azure Active Directory Attribute Mapping list, which will display the following (unless the attributes were previously adjusted):

      Azure Active Directory Attribute Name	Default Configurations
      userPrincipalName	customappsso Attribute = userName Matching precedence = 1
      Switch([IsSoftDeleted], ,"False", "True","True","False")	customappsso Attribute = active
      displayName	customappsso Attribute = displayName
      mailNickname	customappsso Attribute = externalId

      
      Figure 1. Azure Active Directory Attribute mappings (default settings before updating) Azure Active Directory Attribute mappings (default settings before updating)

  19. Scroll down and select the Show advanced options setting.
  20. Click Edit attribute list for customappsso, then make the following selections:

      For this customappsso User Attribute:	Select these settings:
      id	Type = String Check box for Primary Key? Check box for Required?
      active	Type = Boolean Troubleshooting: If the "active" attribute is missing from the list, please perform these troubleshooting steps.
      userName	Type = String Check box for Required?
      externalID	Type = String Check box for Required?

      
      Figure 2. Editing customappsso User Attributes settings
      

  21. Select Save > Yes > Save and return to Attribute Mapping.
• Finalize the attribute mappings for users.
  22. In the Attribute Mappings section, under the Azure Active Directory Attribute table, make the following selections:

      For this Azure Active Directory Attribute Name:	Select these customappsso Attribute settings:
      userPrincipalName	Select userPrincipalName to open the Edit Attribute screen. Change the "Matching precedence" value from "1" to 2. Click OK.
      mailNickname	Select mailNickname to open the Edit Attribute screen. Change the "Source attribute" value from "mailNickname" to objectId. For the "Match objects using this attribute" setting, select Yes. Change the "Matching precedence" value from "2" to 1. Click OK.
      userPrincipalName	Select userPrincipalName to open the Edit Attribute screen once again. For the "Match objects using this attribute" setting, select No. Click OK.

• Delete all other attribute mappings.
  23. Only the following required mappings should be present after deleting all other attributes, and must be configured correctly:

      Azure Active Directory Attribute	Configured and Finalized Settings
      objectId	customappsso Attribute = externalId Matching precedence = 1
      Switch([IsSoftDeleted], ,"False", "True","True","False")	customappsso Attribute = active
      displayName	customappsso Attribute = displayName
      userPrincipalName	customappsso Attribute = userName

      Warning: You must delete all other attributes listed except for the four attributes listed above, otherwise you will encounter synchronization issues.
      
      Figure 3. Azure Active Directory Attribute mappings (final settings after updating) Azure Active Directory Attribute mappings finalized
      Note:

      You can also configure an alternate email address (called "alternate login ID" in Azure terminology) belonging to the User Principal Name (UPN) of a user. This requires no additional user mapping. Please review the related Microsoft documentation. A summary of the steps required to enable email as an alternate login in Azure AD is provided here:

      1. Sign in as a global administrator to your Azure portal.
      2. Go to Azure Active Directory.
      3. On the left-hand side, click Azure AD Connect, then Email as alternate login ID on the main page.
         

         Image source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin#enable-user-sign-in-with-an-email-address

      4. Select the Email as alternate login ID checkbox to activate email as an alternate login ID.
         

         Image source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin#enable-user-sign-in-with-an-email-address

      5. Click Save.

      You may also have additional tasks to complete depending on when you added the alternate login IDs to your users on your Azure AD tenant. If you added the alternate login IDs before configuring them with LastPass, then they will be part of the provisioning process. However, if your LastPass configuration had already existed when you added the alternate login IDs, then you must start over from the beginning of the provisioning process so that the alternate login IDs will be carried over during configuration.

  24. Select Save > Yes and return to Attribute Mapping.
  25. Select Provisioning in the breadcrumb menu at the top.
  26. Select Settings then toggle the "Provisioning Status" switch to On.
  27. Click Save.

      

You have created and configured your Provisioning app for LastPass and enabled synchronization for provisioning.