What happens if I delete a provisioned user in LastPass?
It is highly advised that you do not delete users from LastPass that have been provisioned via Okta or Azure AD. If you have already deleted such a user, you can provision them again from Okta by reassigning them in the Okta portal; in Azure AD, you must recreate the LastPass app in the Azure AD portal and reconfigure the SCIM integration.
If you delete a provisioned user in LastPass, Okta or Azure AD will no longer be able to find that user and will report an error. If federated login is set up and you delete a provisioned user in LastPass, the user will encounter an "Invalid password!" error when they attempt to log in to LastPass.
When Okta or Azure AD creates a user in LastPass, a SCIM ID is assigned to that user. Once assigned, Okta or Azure AD reaches the user at the following URL path: scimapi/<companyid>/users/<scimid>. For example: scimapi/1234/users/345.
On the Okta side, the SCIM ID is unique to that user and cannot be changed. If you delete the user and create a new LastPass user with the same email address, the new account receives a different SCIM ID. Okta can pick up that new ID when the user is assigned again, so if you have deleted a user, you can provision them with LastPass again by unassigning and reassigning them in Okta.
On the Azure AD side, however, the stored SCIM ID cannot be replaced, so the LastPass app must be recreated and reconfigured altogether in order for users to receive brand-new SCIM IDs. If your LastPass account is configured to use federated login, you must also reconfigure your federated login settings to match the required values of the new (recreated) LastPass app in Azure AD.
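The following is an added illustration, not LastPass, Okta or Azure AD code: a small model of the SCIM state described above, so you can see why the stored ID breaks after a deletion and why the two recovery paths differ. The company ID 1234 and starting SCIM ID 345 are taken from the example path above; the user alice@example.com is constructed. Two behaviours are assumptions for the sake of the model: the Okta-style provider re-matches an assigned user by userName before creating one, and the Azure AD-style provider keeps the ID it first stored until the app is recreated (modelled as a fresh provider object).

```python
"""Toy model of the SCIM state this article describes (constructed example).

Modelled: LastPass assigns a SCIM ID on creation and the provider addresses
the user at scimapi/<companyid>/users/<scimid>; deleting the LastPass user
makes that path stop resolving; a recreated user gets a fresh ID.
Assumed: Okta-style providers re-match by userName on (re)assignment,
Azure AD-style providers keep the first stored ID until the app is recreated.
"""
import itertools
from typing import Optional


class ScimUserNotFound(Exception):
    """Stored SCIM ID no longer resolves (what the provider reports as an error)."""


class LastPassScim:
    """Minimal stand-in for the LastPass SCIM user store."""

    def __init__(self, company_id: int):
        self.company_id = company_id
        self._users: dict[str, dict] = {}
        self._next_id = itertools.count(345)  # starting ID taken from the article's example

    def url_for(self, scim_id: str) -> str:
        return f"scimapi/{self.company_id}/users/{scim_id}"

    def create_user(self, email: str) -> str:
        scim_id = str(next(self._next_id))  # every creation yields a new, unique ID
        self._users[scim_id] = {"id": scim_id, "userName": email, "active": True}
        return scim_id

    def delete_user(self, scim_id: str) -> None:
        self._users.pop(scim_id, None)

    def get_user(self, scim_id: str) -> dict:
        if scim_id not in self._users:
            raise ScimUserNotFound(self.url_for(scim_id))
        return self._users[scim_id]

    def find_by_username(self, email: str) -> Optional[dict]:
        return next((u for u in self._users.values() if u["userName"] == email), None)


class IdentityProvider:
    """Stores one SCIM ID per assigned user and syncs by that ID only."""

    def __init__(self, lastpass: LastPassScim, relink_on_assign: bool):
        self.lastpass = lastpass
        self.relink_on_assign = relink_on_assign  # True: Okta-style, False: Azure AD-style (assumed)
        self.scim_ids: dict[str, str] = {}

    def assign(self, email: str) -> str:
        if email in self.scim_ids and not self.relink_on_assign:
            return self.scim_ids[email]  # pinned: the stale ID is kept
        existing = self.lastpass.find_by_username(email) if self.relink_on_assign else None
        self.scim_ids[email] = existing["id"] if existing else self.lastpass.create_user(email)
        return self.scim_ids[email]

    def unassign(self, email: str) -> None:
        if self.relink_on_assign:
            self.scim_ids.pop(email, None)  # forget the mapping so reassigning re-matches

    def sync(self, email: str) -> str:
        """Return 'ok', or the error the provider's sync report would show."""
        try:
            self.lastpass.get_user(self.scim_ids[email])
            return "ok"
        except ScimUserNotFound as exc:
            return f"error: user not found at {exc}"


def walkthrough(relink_on_assign: bool) -> dict:
    """Provision, delete the user in LastPass, then try both recovery paths."""
    email = "alice@example.com"  # constructed user
    lp = LastPassScim(company_id=1234)  # company ID from the article's example
    idp = IdentityProvider(lp, relink_on_assign)
    first_id = idp.assign(email)
    lp.delete_user(first_id)  # the deletion the article advises against
    after_delete = idp.sync(email)
    idp.unassign(email)  # Okta-style recovery: unassign, then reassign
    reassigned_id = idp.assign(email)
    after_reassign = idp.sync(email)
    fresh = IdentityProvider(lp, relink_on_assign)  # Azure AD-style recovery: recreated app
    fresh.assign(email)
    return {
        "first_url": lp.url_for(first_id),
        "after_delete": after_delete,
        "reassigned_id": reassigned_id,
        "after_reassign": after_reassign,
        "after_recreate": fresh.sync(email),
        "live_id": lp.find_by_username(email)["id"],
    }


if __name__ == "__main__":
    for style, relink in (("Okta-style", True), ("Azure AD-style", False)):
        print(style, walkthrough(relink))
```

Running it shows the same first failure for both styles (the provider still holds scimapi/1234/users/345, which no longer exists), after which only the re-matching provider recovers by unassign/reassign; the pinned provider keeps reporting the error until it is replaced by a fresh one, which is the "recreate the app" step in the Azure AD procedure below.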
The steps vary depending on whether you use Okta or Azure AD. Log in to the Okta or Azure AD admin portal, then follow the steps for your provider below.
Okta (reassign the user)
- Remove the user from the assigned group, or unassign the directly assigned user.
- Verify the account is disabled on the LastPass side (i.e., confirm whether the user still exists in LastPass).
- Add the user back to the provisioning group, or reassign the user directly.
- Verify the account is re-enabled on the LastPass side.
Azure AD (recreate the app)
- Save the attribute mapping and the group/user assignments.
- Delete the non-gallery LastPass app you created in Azure AD.
- Recreate the non-gallery LastPass app with the proper attribute mapping.
- Recreate the group/user assignments.
- If federated login was enabled, configure it again with the data of the recreated app.
Note: For Azure AD, once you have created and configured the new LastPass app, you can force a sync via on-demand provisioning.