Create the Login App for LastPass, then capture both the Application ID and OpenID Connect metadata document values and then configure the API permissions for the app.

Create the Login App for LastPass.

1. In the Azure AD portal, navigate to your home directory at https://portal.azure.com/#home.
2. Select App registrations > New registration.
3. Enter a name for your Login App (e.g., LastPass Login App).
4. Select the radio button for the Accounts in this organizational directory only setting.
5. Click Register.

Now that you have created the Login App, capture the values needed for the LastPass Admin Console later.

6. Copy the Application (client) ID by doing the following:
   1. With Overview selected in the left navigation, click Essentials to expand the section below.
   2. Copy the Application (client) ID and paste it into your text editor.
   Remember: You will be using this value in later steps.
   
7. Copy the OpenID Connect metadata document by doing the following:
   1. With Overview still selected in the left navigation, select Endpoints to expand the menu on the right.
   2. Copy the OpenID Connect metadata document and paste it into your text editor.
   3. Close the menu in the right navigation.
   Remember: You will be using this value in later steps.
   

Configure authentication in the Login App for LastPass.

8. Select Authentication in the left navigation.
9. Click Add a platform.
10. Select Web.
    
11. In the "Redirect URIs" section, enter:

    https://lastpass.com/passwordreset.php

    If your account is in the EU, also enter

    https://lastpass.eu/passwordreset.php

12. In the "Implicit grant" section, enable both of the following settings:
    • Access tokens
    • ID tokens
13. Click Configure.
    
14. Within the "Web" section under Redirect URIs, select Add URI.
15. Enter the second Redirect URI as follows:

    https://accounts.lastpass.com/federated/oidcredirect.html

16. Click Save.

Configure API permissions for the Login App for LastPass.

17. Select API permissions in the left navigation.
18. Click Add a permission, then select Microsoft Graph.
    
19. In the right menu, select Delegated permissions.
20. Under Select permissions, check the boxes to enable the following permission names:

    Permission Type	Permission Name
    OpenId permissions	email openid profile
    User	User.Read User.ReadWrite

21. Click Add permissions.
22. Click Grant admin consent for <your company name>.
23. Click Yes to confirm.

Enable requiring assignment.

24. Navigate back to the Home directory at https://portal.azure.com/#home.
25. Select Enterprise applications.
26. Select LastPass Login App.
27. Select Properties.
28. Set the Assignment required property to Yes.
29. Select Save.
    

Optional: Configure the Login App to allow federated login via the mobile app when conditional access policies are enforced.

30. Navigate back to the Home directory at https://portal.azure.com/#home.
    Note: If your Azure AD environment does not have conditional access policies enforced, skip the instructions below and proceed to the Step #4 article because additional configuration is not needed.
31. Select App registrations.
32. Select the Login App for LastPass.
33. Select Authentication in the left navigation.
34. Select Add a platform.
35. Complete the setup for your desired platform(s):

    Platform	Instructions
    iOS/macOS	Select iOS/macOS. For the bundle ID value, enter: com.lastpass.ilastpass Select Configure. The redirect URI should be the following: msauth.com.lastpass.ilastpass://auth
    Android	Select Android. For the package name value, enter: com.lastpass.lpandroid For the signature hash value, enter: Nj4J6bdFV874uA0vAgoHGeD4ip0=

36. Select Save when finished.
    Important: You must also complete Step #5 (in the next article) in order to enable support for federated login via mobile with conditional access policies enforced.

Results: You have created and configured the Login App for LastPass (including API permissions), as well as captured both the Application ID and OpenID Connect values for later use.