Step #4: Policies & Reports
Review the various policies available for configuration, and oversee security performance using admin reporting.
Summary
- LastPass Business accounts offer a number of configurable and recommended policies around security levels and password strength that you can add, edit, or delete as a LastPass admin.
- Each policy can be applied to all users, or an inclusive or exclusive list of users. With over 100 policies available for you to add and configure, you can achieve optimal security performance with LastPass.
- Add your desired policies and assign at least one test user to each.
Planning
Policies
Determine which policies are right for your organization, then review the detailed configuration of each in the list of available policies (please note that you must be actively logged in to a LastPass Business account in order to view it).
Review the policy types available, including:
You can also review a full list of all available policies on the LastPass Policy page at https://lastpass.com/policy_doc.php.
Note: You must be actively logged in with a LastPass Business account in order to view the full list of policies available.
Testing by the Project Team
- Add an advanced multifactor authentication policy for using biometrics (i.e., "Require extra authentication for LastPass Authenticator app") in the Admin Console and assign it to at least one user for testing.
- Add MFA Apps in the Admin Console to protect specific endpoints (SSO apps, workstations, VPNs, Identity Provider logins) with a second layer of security using the LastPass Authenticator app for your desired endpoints (if applicable).
- Add contextual multifactor authentication policies in the Admin Console and assign them to at least one user for testing, including configuration for any of the following:
Reports
You can review all report types available, including the following:
- General
- SSO app login activity
- SAML response
- MFA user activity
Restriction: This feature might not be available for your account as this is a legacy feature.
- MFA admin activity
Restriction: This feature might not be available for your account as this is a legacy feature.
Parent article:
LastPass MFA Deployment Guide