What's new in the LastPass Admin Console?

The main differences and improvements made in the new Admin Console for LastPass include:

An updated navigation to streamline how you access admin controls
Unified single sign-on, password management, and multifactor authentication controls
Simplified admin onboarding
New account statuses
Easier user management
Granular user details
Admin management center

What is the new navigation in the Admin Console?

The LastPass Admin Console navigation has been updated to dedicated tabs for Dashboard, Users, Applications, Policies, Reporting, and Advanced settings. All corresponding admin controls can be found under each of the respective six tabs. The goal of this navigation is to organize the admin controls in a more streamlined manner.

What is the value of having single sign-on, password management, and multifactor authentication controls in one unified view?

In previous versions of the LastPass Admin Console, single sign-on and multifactor authentication controls were in a separate view. Now, you can secure applications with single sign-on, store credentials with password management, and add an additional layer of security for every login with multifactor authentication – all from one centralized location.

What is the simplified admin onboarding experience?

The simplified admin onboarding experience is a tour of the New LastPass Admin Console, guiding new admins through all of the necessary steps to get up and running right away with their LastPass account. Admins are also guided through the steps for adding users, adding applications, setting policies, enabling multifactor authentication, and adding more admins to the account for ease of account management.

What improvements were made to the user management admin controls?

All users in your LastPass account – including those enabled to use single sign-on, password management, and multifactor authentication – are in a single list, which makes it easier to find specific users. Admins are also able to filter by the account statuses, search by name, and filter by MFA status.

What is the difference between the old admin console statues and the statuses?

Although calculations may seem inaccurate at first, they’ve simply been updated.

Status	Old	New	Notes
Staged	N/A	A user that has been added to the company but has not been sent an invitation yet.	While this status never existed in the old console, users do exist in this state. They are labeled as “Active” in the old console.
Invite Expired	N/A	A user that has been sent an invitation email, but the registration links have expired. Users with expired invitations need new invitations sent. Note: Registration links for accounts created by the admin expire after 90 days, while those that already exist outside of the company expire after 2 weeks	While this status never existed in the old console before, the expiration logic has always been there. Finally, admins can see which users need new invitations in the new console.
Invited	A user that has an account outside of the company (e.g. a personal user), and has been sent an invitation email to join the company.	A user that has been sent an invitation email, but the user has not yet activated.	Note that the old console definition excluded users who were created by the admin. In the old console, users who were created by the admin and received an invitation are considered “Active”. The new console makes this clearer by including users created by the admin as “Invited,” too. Therefore, this number in the new console may appear larger than expected.
Active	A user who consumes a license. Users who consume a license include those that have accepted invitations and who have been created by the admin but have not accepted invitations.	A user that has successfully logged in at least once as part of the company.	The old console considered users created by the admin but never enrolled as “Active” making the term a misnomer: how can a user be active if they’ve never registered? The new console only defines users who have successfully enrolled as “Active (logged in at least once as part of the company) Therefore, you may see some discrepancies between these two statuses. This is expected.
Disabled	A user is still part of your company account, but their access has been disabled by an admin.		This remains the same between consoles.
Awaiting Approval	A user has been added using the LastPass Active Directory Connector, which has been configured to add users as "pending" rather than automatically active.		This remains the same between consoles.

Why do I see a different number of users in each LastPass status between the new and old console?

By design, the new and old console define users differently, so the numbers will be different. You should expect the greatest disparity between the “Active” and “Invited” statuses as these changed the most. For most customers, the numbers for these statuses will likely show lower in the new console. However, the number of “Disabled” and “Awaiting approval” users should remain the same.

Let’s review an example:

Scenario	Old Admin Console	New Admin Console
30 users have successfully enrolled by registering and logging in as a member of the company 5 users were created by the admin and sent invitations but have not registered 5 users have accounts outside of the company and have been sent invitations but have not accepted Note: the 5 invited users in the old console refer to the 5 users who have accounts outside of the company as detailed above.	Active users = 35 Invited users = 5	Active users = 30 Invited users = 10

Scenario

Old Admin Console

New Admin Console

30 users have successfully enrolled by registering and logging in as a member of the company
5 users were created by the admin and sent invitations but have not registered
5 users have accounts outside of the company and have been sent invitations but have not accepted

Note: the 5 invited users in the old console refer to the 5 users who have accounts outside of the company as detailed above.

Active users = 35

Invited users = 5

Active users = 30

Invited users = 10

What improvements were made to user details?

Admins can edit all user details from the User’s page, and view granular user details including the user’s profile, account details, groups, assigned single sign-on apps, shared folders, policies, and more. This improvement offers admins much deeper insight into end users to more easily adjust security controls as needed.

What is the admin management center?

The admin management center is where you can manage all of the admins on your account from a single view. You can add, edit, and remove admins from one streamlined experience.

Why am I seeing a different number of Invited users in my old Admin Console versus the new Admin Console?

We’ve changed how we categorize Invited users in the new Admin Console. In the old Admin Console, Invited users meant these users had a LastPass account prior to being added to the company account, and they must accept the invitation in order to join the company account. In the new Admin Console, Invited users means the user has received a notification letting them know that their company has added them to the company LastPass account.

Why am I seeing a different number of Active users in my old Admin Console versus the new Admin Console?

We’ve changed how we categorize Active users in the new Admin Console. In the old Admin Console, an Active user status meant these users were consuming a paid license. In the new Admin Console, an Active user status is tied directly to the actions the user has taken. Active users are those who have taken an action to prove they know their LastPass account exists, and they have logged in as part of the company account.

What’s the difference between Passwordless Status and Enabled Multifactor?

Passwordless Status indicates a user’s passwordless login usage. Passwordless login can be leveraged for SSO apps and workstations by using an employee’s stored biometrics within the LastPass Authenticator app app instead of requiring users to enter their master password. Setting up and using passwordless login for SSO apps and workstations requires an account with the LastPass Business + Advanced MFA add-on, whereas passwordless login to access your vault is available for all LastPass account types.
Enabled Multifactor refers to the multifactor option your users have enabled after entering their master password to access their LastPass vault. We offer a wide range of options including the LastPass Authenticator app and several other third-party multifactor options. Setting up and using multifactor authentication is available for all LastPass account types.

Who can access the new and old console

Admin Type	Can access new console?	Can access old console?
Super Admin master password reset	Yes – All pages and functions	Yes – All pages and functions
Admin	Yes - All pages and functions except MP reset	Yes – All pages and functions except MP reset
Managed Service Provider (MSP) admin	Yes – Managed Companies page and functions	Yes – Managed Companies page and functions
"Grant limited access" policy users Note that an MSP admin can be such a user if this policy (with access level 5) has been enabled for them.	No – These users will see a 403 page if they attempt to access the new console. This admin type can access the old console directly via https://lastpass.com/company/?resetconsole=true#!/dashboard	Yes – As designated by the policy
Custom Role in old console	No – These users will see a 403 page if they attempt to access the new console. This admin type can access the old console directly via https://lastpass.com/company/?resetconsole=true#!/dashboard	Yes – As designated by the role
Custom admin level in new console	Yes – As designated by the admin level	No – These users will see a 403 page if they attempt to access the old console