HELP FILE

Step #3: Configure the Login App for LastPass in Azure AD

    Create the Login App for LastPass, then capture both the Application ID and OpenID Connect metadata document values and then configure the API permissions for the app.

    The steps below are performed in the Azure AD portal.
    • Create the Login App for LastPass.
      1. In the Azure AD portal, navigate to your home directory at https://portal.azure.com/#home.
      2. Select App registrations > New registration.
      3. Enter a name for your Login App (e.g., LastPass Login App).
      4. Select the radio button for the Accounts in this organizational directory only setting.
      5. Click Register.
    • Now that you have created the Login App, capture the values needed for the LastPass Admin Console later.
      1. Copy the Application (client) ID by doing the following:
        1. With Overview selected in the left navigation, click Essentials to expand the section below.
        2. Copy the Application (client) ID and paste it into your text editor.

        Remember: You will be using this value in later steps.

      2. Copy the OpenID Connect metadata document by doing the following:
        1. With Overview still selected in the left navigation, select Endpoints to expand the menu on the right.
        2. Copy the OpenID Connect metadata document and paste it into your text editor.
        3. Close the menu in the right navigation.

        Remember: You will be using this value in later steps.

    • Configure authentication in the Login App for LastPass.
      1. Select Authentication in the left navigation.
      2. Click Add a platform.
      3. Select Web.

      4. In the "Redirect URIs" section, enter:

        https://lastpass.com/passwordreset.php

        If your account is in the EU, also enter

        https://lastpass.eu/passwordreset.php

      5. In the "Implicit grant" section, enable both of the following settings:
        • Access tokens
        • ID tokens
      6. Click Configure.

        Configure web settings in Azure AD

      7. Within the "Web" section under Redirect URIs, select Add URI.
      8. Enter the second Redirect URI as follows:

        https://accounts.lastpass.com/federated/oidcredirect.html

      9. Click Save.
    • Configure API permissions for the Login App for LastPass.
      1. Select API permissions in the left navigation.
      2. Click Add a permission, then select Microsoft Graph.

      3. In the right menu, select Delegated permissions.
      4. Under Select permissions, check the boxes to enable the following permission names:
        Permission Type Permission Name
        OpenId permissions
        • email
        • openid
        • profile

        User
        • User.Read
        • User.ReadWrite

      5. Click Add permissions.
      6. Click Grant admin consent for <your company name>.
      7. Click Yes to confirm.
    • Configure the Login App to allow federated login via the mobile app when conditional access policies are enforced (optional).
      1. Note: If your Azure AD environment does not have conditional access policies enforced, skip the instructions below and proceed to the Step #4 article because additional configuration is not needed.

      2. Navigate back to the Home directory at https://portal.azure.com/#home.
      3. Select App registrations.
      4. Select the Login App for LastPass.
      5. Select Authentication in the left navigation.
      6. Select Add a platform.
      7. Complete the setup for your desired platform(s):
        Platform Instructions
        iOS/macOS
        1. Select iOS/macOS.
        2. For the bundle ID value, enter:
          com.lastpass.ilastpass
        3. Select Configure.
        4. The redirect URI should be the following:
          msauth.com.lastpass.ilastpass://auth
        Android
        1. Select Android.
        2. For the package name value, enter:
          com.lastpass.lpandroid
        3. For the signature hash value, enter:
          Nj4J6bdFV874uA0vAgoHGeD4ip0=
      8. Select Save when finished.

        Important: You must also complete Step #5 (in the next article) in order to enable support for federated login via mobile with conditional access policies enforced.

    You have created and configured the Login App for LastPass (including API permissions), as well as captured both the Application ID and OpenID Connect values for later use. Grant admin consent for the LastPass Login app