Step #3: End users enroll the LastPass Authenticator app
Once your users are provisioned and synced with the LastPass AD Connector , they must enable and enroll theLastPass Authenticator app so that it can be used for multifactor authentication when they sign in to their workstation.
For this reason, we recommend that LastPass admins add the "Require any MFA option after grace period" general policy and assign these Workstation MFA users. When configuring the policy, you can specify the number of days your users have before they are required to enable and enroll the LastPass Authenticator app. This allows time for admins to prepare communications about these upcoming required changes to their users before Workstation MFA is installed/deployed.
- In the new Admin Console, add the "Require any MFA option after grace period" general policy as follows:
- Go to .
- Under Settings, click Edit policy settings.
- In the "Value" field, enter the number of days before multifactor authentication is required for your users. If desired, enter information into the "Notes" field.
- Select Save changes.
- Under Users, click Edit policy users and assign your desired users/groups.
- Select Save changes.
- You can notify your users that they will be required to enable and enroll the LastPass Authenticator app in their LastPass account before Workstation MFA is set up for their workstations.
- Review the LastPass Authenticator app enrollment status of your Workstation MFA users by doing the following:
- Go to .
- View the Enabled multifactor column for each user to confirm the LastPass Authenticator app is listed.
Troubleshooting: For those users still not enrolled, you can remind them that upon the end of their grace period they will be prompted to enroll upon their next login to LastPass.
- Before the end of the grace period, confirm that all Workstation MFA users have enabled the LastPass Authenticator app before proceeding to the next step in this process (otherwise those users will be locked out of their workstation).