1. Introduction

Getting Started

[accordion openfirst=false scroll=true clicktoclose=true]

Getting started with LastPass Enterprise requires a few easy steps:

  1. Sign up for a free 14-day trial.

  2. Create a LastPass account or use an existing one.

  3. Once you complete the Enterprise trial form, the Enterprise features will be activated for that LastPass account.

  4. You can add up to 10 more users to your trial.

[accordion-item title="Getting Started Implementation Guide" id="0"]

Implementation Guide

Click here for a step by step guide to implementing LastPass Enterprise: Implementation Guide.

[accordion-item title="Choosing which LastPass Account to Use" id="1"]

'Enterprise' is a set of features that can be activated on any new or existing account. New Enterprise users often wonder whether to use their existing personal account, or to create a new account for professional purposes. Here are the options:

    1. Using separate accounts for personal and professional use. This is the only way to ensure that you will never lose your personal data if/when you leave the enterprise. For a more seamless experience, you can link the two accounts behind your single enterprise login. If you do choose to link your personal account, it is important to note that the logins from your personal account will never be reported in the Enterprise logs. Once you have linked a personal account, you can migrate entries from your personal account to your enterprise account. We highly recommend you use this approach.

    2. The other option is to use a single account for both personal and professional data. This approach will ultimately give your employer control over the termination of the account, and we do not recommend this approach in most cases. The administrator of the account has the ability to 'remove user from company',  which allows you to preserve your data and to continue using LastPass as a standard user. But they can also 'delete' the account, which will delete the account in its entirety including all personal logins that you may have saved.

[accordion-item title="Adding Users to Your Trial" id="2"]

Once you are in trial, you can invite other employees to the trial by email. After logging into the Admin dashboard, please click on Setup >> Create New User and enter in the email addresses of the employees you wish to invite.

An account will be created for them with a temporary password. They will receive a welcome email with instructions on how to reset their password and get started. If the user's email address is already associated with a LastPass account, they will be sent an email with an activation URL.

[accordion-item title="Purchasing LastPass Enterprise" id="3"]

You must be in a trial or an active Enterprise customer in order to purchase LastPass Enterprise licenses. You can make your purchase using the purchase link found on the Admin dashboard home page. Any additional purchases made throughout the year will be pro-rated for just a single annual renewal.


Start a Trial


[accordion openfirst=false scroll=true clicktoclose=true]

The LastPass Enterprise Admin Manual is a comprehensive guide to testing, deploying, and administering LastPass Enterprise.

[tab title="What is LastPass Enterprise?" id="t1"]

For businesses of all sizes, LastPass provides secure password storage and centralized admin oversight to reduce the risk of data breaches while removing employee password obstacles. With customizable policies, secure password sharing, and comprehensive user management, LastPass offers the control IT needs and the convenience users expect.

When 81% of data breaches are caused by poor credential management, addressing password security in your organization needs to be a top priority. From the CEO to your summer intern, every employee's passwords are a low-barrier, high-value target for attackers looking to find the easiest way in. With direct visibility into password strength for all employees, LastPass Enterprise gives businesses the control they need to change behavior across the business, with convenient automation for IT teams and an experience employees will love.

Recommended by industry experts and tech enthusiasts for its security model, LastPass is used and trusted by over 33,000 businesses around the world.

[tab title="Deployment" id="t2"]

LastPass Enterprise is deployed in days. It automatically 'learns' and 'remembers' usernames and passwords for virtually all online websites, cloud apps, and even Windows applications. LastPass provides universal access to resources, seamlessly synchronizing passwords across all platforms and browsers. Deployed on the desktop and in the cloud, your employees will love using the powerful, intuitive features and readily adopt LastPass for its productivity benefits. Your employees can familiarize themselves with LastPass' features by using our LastPass User Manual.

LastPass supports command line install and updates. For the automated provisioning and termination of LastPass user accounts, clients can choose between the Active Directory Sync client, Windows Login Integration, or an open API. Clients looking for less automation can simply add users manually in the Admin Dashboard and LastPass will take it from there with our automated welcome emails. If you need something custom to make deployment easier, let us know, we're here to help.

[tab title="Admin Dashboard" id="t3"]

The LastPass admin dashboard allows your Systems Administrators to install and upgrade your LastPass installation, manage policies, user configurations, applications, authentication methods and user groups. It provides centralized reporting for auditing and compliance, plus automated user alerts for optimizing use of the tool. The admin dashboard is your "command central" for putting your password security plan into action.


[accordion-item title="Convenience for employees" id="h1"]

LastPass Enterprise balances the competing priorities of IT teams – and the employees they support. From safely storing passwords to managing employee permissions, LastPass Enterprise helps businesses of all sizes remove password obstacles and fix dangerous password behaviors.

  • Store everything in one place. Give employees what they want: One easy place to save all their credentials and one-click login to their web services.

  • Remember one password. Employees create and remember their master password, while LastPass remembers all the rest.

  • Let LastPass save and fill for you. LastPass stores, fills, and creates passwords automatically, saving employees time and hassle.

  • Organize work and personal. Log in with any password throughout the day, and sort passwords to the right place automatically.

  • Generate strong passwords. Let LastPass create long passwords for employees, so every web service is protected by a unique, strong password.

  • Share passwords conveniently. Eliminate shared spreadsheets with easy – and secure – password sharing that keeps everyone up to date.

  • Give universal access. LastPass works everywhere employees do, with real-time sync for all desktops, laptops, mobile, and web.


[accordion-item title="Control for businesses" id="h3"]

LastPass helps IT departments take back control of password security in their organization. Directory integration, user management, policies, reporting, and more - all are managed from a single admin dashboard that offers actionable insights and comprehensive controls.

  • Centralize admin control. Centralize deployment and management of LastPass from a secure admin portal.

  • Integrate with user directories. Automate user onboarding and removal by syncing with Microsoft Active Directory or a custom API.

  • Configure custom policies. Customize over 100 policies to ensure employee access is appropriate and secure.

  • Automate reporting. Build compliance and maintain accountability with detailed reporting logs that tie actions to individuals.

  • Assign group-level permissions. Manage password security and shared passwords with groups created in your directory or LastPass.

  • Protect cloud apps. Deploy cloud apps company-wide while employees have access to all apps and web services from one vault.

  • Add multi-factor authentication. Protect every password in the business with additional authentication steps. LastPass Enterprise includes LastPass Authenticator and supports many other major MFA solutions.

  • Reset user accounts. Enable the super admin policy to ensure employee data isn't lost if they leave or forget their master password.


[accordion-item title="Guidance for success" id="h4"]

LastPass gives you the tools and guidance that you need to ensure a seamless launch, grateful employees, and a happy boss. Our turnkey program includes a step-by-step Training Kit for the initial product intro, individual and aggregate Security Challenge scores to measure the impact of the program, and a status summary report (coupled with email templates) to identify (and easily act on) education opportunities among your users.

Our customer success managers are also available to bring best practices to your LastPass deployment for even higher adoption and faster results. Contact our team today to learn more.


[accordion-item title="Security is what we do" id="h13"]

At every step, we've designed LastPass to protect what you store, so you can trust it with your business' sensitive data. Our security model includes:

For more information, we've made the following resources available:



Administrator Toolkit

[accordion openfirst=false scroll=true clicktoclose=true]

Success with LastPass starts with the right resources. We've built materials to help you roll out LastPass to other employees. We want you to be confident and prepared as a LastPass Administrator!

These resources will help you:

[accordion-item title="Evaluating Enterprise" color="Accent-Color" id="h2"]

The LastPass Resource Center

The LastPass Resource Center provides many materials to help you in evaluating and building a business case for LastPass, including

LastPass Security Overview
High-level overview of LastPass' core security principles.

LastPass Technical Security White Paper
In-depth technical details of LastPass' architecture.

Overview of Features & Benefits
How LastPass Enterprise helps both IT and employees.

State of Cyber Security
An infographic highlighting the cyber security challenges and risks businesses are facing.

The Buyer's Guide to Business Password Managers
A comprehensive guide to walk you through evaluating and comparing password solutions for your business.

LastPass Case Study: MailChimp 
Learn how LastPass Enterprise solved the password security problem for this popular email marketing solution provider.

[accordion-item title="Implementation Resources" color="Accent-Color" id="h3"]

Enterprise Admin Manual
How-to articles explaining deployment, onboarding, Shared Folders, and more.

Implementation Guide
High level how-to guide on the deployment of LastPass Enterprise.

LastPass Deployment Plan & Policies
Detailed spreadsheet to assist the project team through the deployment.

Policies Best Practices Webinar

Policies Best Practices Guide

Admin Overview Screencast

Video tutorial detailing how to use the Enterprise Admin Console.

Internal Communication Plan
A recommended plan for end user communications, training and education.

Weekly Webinar Recording
A more in-depth dive into LastPass Enterprise.

Adding LastPass to your corporate policies:

Before deploying LastPass, you may want to update your internal IT policies and/or employee guidebook to specifically reference LastPass. Doing so will help set expectations for why employees should use LastPass, and best practices for using it. Here is a sample of what to include when updating your policies:

We use LastPass for storing and sharing passwords. LastPass is an online password manager. As a digital vault, it keeps all your website logins organized and safe. LastPass can also create new passwords, fill out online forms, facilitate password sharing, alert you about weak passwords, and more.

LastPass will be the official password manager for all "COMPANY" employees. The software will be installed on your browsers as a browser extension. As you go to work-related sites, save the credentials to your LastPass vault. LastPass will then autofill those passwords the next time you go to log in.

We recommend following these best practices when using LastPass:

- Use the password generator to make sure every password is unique and strong
- Create a long, strong master password. To make it long but memorable, consider making a "passphrase", like: tealbrickpumpedlunchskiing
- Never share your master password with anyone, including LastPass
- Never use your master password as the password for another account
- Consider turning on multifactor authentication for added security

Your LastPass Enterprise account (which uses your work email address) is to be used for work passwords only, since your account can be terminated at any time. If you would like to store personal passwords in a password manager, you can create a free personal LastPass account at

[You may then want to link to LastPass help resources or FAQs for reference].

[accordion-item title="Educational Resources" color="Accent-Color" id="h4"]

End User Getting Started Guide
In-depth presentation for educating employees on features and benefits of LastPass. See Internal Communication Plan for other roll-out tools and ideas.

End User Quick Reference Guide
High level desk reference of end user features and benefits of LastPass Enterprise. See Internal Communication Plan for more information.

End User Training Video

An overview of the benefits of LastPass and a detailed walk-through of key features.

Video tutorials showing how to use LastPass features.

End User Manual
How-to articles for all basic and Premium LastPass features, included in Enterprise.


Importing Existing Data into LastPass

[accordion openfirst=false scroll=true clicktoclose=true]

Once you have installed LastPass, you may need to import your existing password entries and secure data from another LastPass account or from another password manager or file format. To do so, follow the instructions below.

[accordion-item title="Importing using pre-established formats" id="1"]


To begin, click on the LastPass Icon > More Options > Advanced > Import.


You will then be presented with a submenu for the Google Chrome Password Manager and ‘Other’. Selecting Other will open a new page with a drop-down list of all supported import options:


We continue to add formats and password managers to the list of supported import options, so check the version of LastPass you are running if you do not see the format you need.

Since importing from each password manager is different, we have provided instructions for each under the name. Simply follow the instructions that we provide for the specific password manager that you use.

After importing, you can then begin to organize your sites into Folders as well as delete unnecessary or duplicate sites.

[accordion-item title="Importing from a Generic CSV File" id="2"]


If LastPass does not support importing from your current password manager, you may be able to import using a Generic CSV (comma separated value) file. Try seeing if your current password manager has an option to export to a CSV file.

To import data from a CSV file, we suggest you use our Import Template found here: Sample Import Spreadsheet.

If you use your own spreadsheet instead, it is important that the title of the columns match those in the template! The column titles can include any of the following: url, username, password, extra, name, grouping, type, hostname.

Fill the columns with the values you'd like for each entry (leave blank if the value is not relevant). Please note that 'extra' means either (1) the notes section of a site entry or (2) the body of a secure note, and 'grouping' is the group (or folder) where you would like the item to be stored in your vault.

[tab title="Importing Sites"]

To import Site data you must define at least the following values: “url” (typically this will be the login url), “username”, “password” and “name”. “Extra” and “Group” are other fields that you might consider.

[tab title="Importing Secure Notes"]

To import data as a generic Secure Note, enter the values as follows: “url” = http://sn, “extra” = the contents of the note. Give the note a “name”, and then consider adding “group”. It is important to leave the username and password columns blank. Please refer to the example import formats found here: Sample Secure Note Import.

[tab title="Importing Server Login Credentials"]

To import data as a Server Secure Note, enter the values as follows: “url” = http://sn, “type” = server. You must also populate “hostname”, “username”, “password” and “name”. In this case, you must enter the username and password in the actual username and password columns of the template, rather than the 'extra' section. Consider adding “group”.

Please click here to download our Sample Import Spreadsheet, which includes examples of all 3 of the aforementioned data types.

[accordion-item title="Passive Imports" id="3"]


Certain password managers simply do not support export functions. In these cases you can still use LastPass to pick up this data through a 'passive' import. This entails running both password managers simultaneously, having your former password manager enter your login credentials into a site, and then using LastPass to pick up the filled website entry.

[accordion-item title="Importing into Shared Folder" id="4"]


Please note that importing into shared folders is currently not supported. If the name of a shared folder is listed in your CSV file, you will encounter an error upon attempting to import into your LastPass Vault. Once you import your credentials, rather than moving them from the general folder to the shared folder in batches of 10 (the limit for drag and drop), simply right click and ‘rename’ the regular folder with the name of the Shared Folder where you would like them to go. Please note you will have to pre-create the Shared Folder before using this method to move sites.
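A pre-import check for the Generic CSV rules and the shared-folder restriction described above, written as an added example (it is not LastPass code). The shared-folder names passed in and every sample row are constructed assumptions; the check uses the column title "grouping" from the column list, and its findings cite line and column only, never the stored values.

```python
import csv
import io

# Column titles the page lists for the Generic CSV import.
ALLOWED_COLUMNS = {"url", "username", "password", "extra",
                   "name", "grouping", "type", "hostname"}
SECURE_NOTE_URL = "http://sn"  # url value that marks a row as a Secure Note


def _value(row, column):
    """Cell content with whitespace stripped; a missing cell counts as blank."""
    return (row.get(column) or "").strip()


def classify_row(row):
    """Return 'site', 'secure_note' or 'server_note' for one CSV row."""
    if _value(row, "url") == SECURE_NOTE_URL:
        is_server = _value(row, "type").lower() == "server"
        return "server_note" if is_server else "secure_note"
    return "site"


def check_row(row, shared_folders):
    """Return (kind, problems) for one row. Messages never include cell values."""
    kind = classify_row(row)
    problems = []
    # csv.DictReader files surplus cells under the key None, which usually
    # means a password or note containing a comma was not quoted.
    if None in row:
        problems.append("more values than column titles (unquoted comma?)")
    if kind == "site":
        required, must_be_blank = ("url", "username", "password", "name"), ()
    elif kind == "secure_note":
        required, must_be_blank = ("name",), ("username", "password")
    else:  # server_note
        required, must_be_blank = ("hostname", "username", "password", "name"), ()
    for column in required:
        if not _value(row, column):
            problems.append(f"'{column}' is required for a {kind} row")
    for column in must_be_blank:
        if _value(row, column):
            problems.append(f"'{column}' must be left blank for a {kind} row")
    if _value(row, "grouping") in shared_folders:
        problems.append("'grouping' names a shared folder; import will fail")
    return kind, problems


def validate_import(csv_text, shared_folders=()):
    """Return a list of (line_number, kind, message) findings for the file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    shared = set(shared_folders)
    findings = []
    for title in reader.fieldnames or []:
        if title not in ALLOWED_COLUMNS:
            findings.append((1, "header", f"unrecognised column title '{title}'"))
    for row in reader:
        kind, problems = check_row(row, shared)
        # line_num is the last physical line of the record just read.
        findings.extend((reader.line_num, kind, p) for p in problems)
    return findings


# Constructed sample data: no real accounts, hosts or passwords.
SAMPLE_CSV = """\
url,username,password,extra,name,grouping,type,hostname
https://example.com/login,alice,CONSTRUCTED-pw-1,,Example site,Work,,
http://sn,,,constructed note text,Office note,Work,,
http://sn,alice,CONSTRUCTED-pw-2,constructed note text,Bad note,Work,,
http://sn,root,CONSTRUCTED-pw-3,,Build server,Shared-Ops,server,
https://example.org/,bob,,,Example org,Work,,
"""

if __name__ == "__main__":
    for line, kind, message in validate_import(SAMPLE_CSV, {"Shared-Ops"}):
        print(f"line {line} [{kind}]: {message}")
```

Because the export file holds every password in plain text, run a check like this on the same machine as the import and delete the file once the import succeeds.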

[accordion-item title="Import Passwords Without Admin Privileges" id="5"]


LastPass Installers (Universal and Full*) on Windows now include a separate password importer that can be run independently, without admin privileges, to import passwords stored insecurely in local browser password managers. This option is especially helpful for enterprise end users who wish to migrate their passwords from the browser password managers into LastPass but do not have admin privileges on their company's computers to run the LastPass installer, which is also capable of importing passwords.

To start, download the LastPass Universal Installer from the LastPass download site or the LastPass Full Installer from the Admin dashboard > Setup. Once it is downloaded, find the option called Import Passwords on your Windows Start Program menu.
Import Passwords shortcut

Click on the Import Passwords shortcut, enter your LastPass login information, and submit it on the login screen.
Password Importer login screen

The LastPass password importer will search for and present you with a list of passwords stored insecurely in your browsers. Click Import to proceed.

Once the passwords are imported successfully into your LastPass vault, the importer shows the success message below.
Password Importer successful message

Note: The difference between LastPass Universal Installer and Full Installer is that the latter includes LastPass for Applications.

[accordion-item title="Autofilling after Importing" id="h7"]


Once imported, you might notice that some websites do not autofill right away. This is because LastPass needs to "see" the website in order to capture the exact username and password fields, as they differ from website to website. When you visit the website for the first time after importing, use the field icons to force fill the credentials and login. It will autofill every time after that.


Internal Communication Plan

[accordion openfirst=false scroll=true clicktoclose=true]

LastPass Enterprise saves your employees time and increases productivity, all while improving security. Though every deployment is different, we recommend the following plan to drive adoption.

[accordion-item title="Pre-Launch Week" id="h0"]

Create "touchpoints" to build awareness of LastPass.

1. Inform

Hang posters and/or distribute flyers around the office. Post on intranet, digital signage, or employee blog. Build awareness of how LastPass will be easy, convenient, and save employees time.
Materials: Posters, Flyers, Blog Post, Intranet/Digital Signage

2. Notify

Send a minimum of one email (or as many as one a day) to let users know you’ll be providing a password manager that will save them time.
Materials: Email Template, Logos

3. Challenge

Pick a competition, activity, and/or reward that you will use to drive adoption. See our list of fun ideas for driving adoption below or create your own campaign.


[accordion-item title="Launch Week" id="h1"]

Invite users and train them on how to use LastPass.

1. Activate

Send invitations to employees via the LastPass admin dashboard.

2. Compete

Launch the competition or activity, and announce the prize.

3. Train

Host live training sessions to show employees why LastPass will save them time and how to get started.
Materials: PowerPoint slides, Recorded webinar

4. Support

Post internal wiki page using our Sample FAQs. Point employees to your support resources, including the Getting Started Guide and tutorial videos.
Materials: Sample FAQs, Getting Started Guide, Desktop Reference Guide, Helpdesk.


[accordion-item title="Post-Launch Week" id="h2"]

Evaluate the success of the launch and identify next steps.

1. Reward

Select the activity winners and celebrate their accomplishment.

2. Evaluate

Check the Notifications panel in the LastPass admin dashboard to review the adoption rate.

3. Re-Invite

Re-invite inactive users and address any adoption questions.

4. Follow-Up

Communicate with LastPass about your adoption campaign and how the team can support your organization going forward.


[accordion-item title="Fun Ideas for Driving Adoption" id="h3"]

1. Reward Early Adopters

Incentivize the first X% of your employees to activate their account. For example, give a T-shirt to the first 5% of employees who activate their account, store a password, and create a secure note.

2. Friendly Competition

Create healthy competition by rewarding the first team to get to 100% adoption. Designate teams in the LastPass Admin Dashboard before inviting users.

3. Hardwire It!

Consider pre-loading user vaults with passwords they need to do their work. When they see that it’s set up for them and LastPass starts filling their passwords automatically, they’ll instantly see the value of the service.

4. Scavenger Hunt

Pre-load user vaults with sites and notes that have trivia answers hidden in them. Hand out the trivia questions and let users know the answers are in LastPass. The first X number of users to find the answers get a reward.




NCSAM Toolkit

[accordion openfirst=false scroll=true clicktoclose=true]

October's National Cyber Security Awareness Month is the perfect time to prioritize your business's cyber security goals, and LastPass is just the solution to help you achieve them.

Whether your organization is already using LastPass Enterprise, or you're planning to implement it soon, or even if you're a personal LastPass user looking to spread the word, we have the tools you need to make your LastPass initiatives a success during NCSAM.

With our NCSAM toolkit, you'll have materials to help you increase engagement with and adoption of LastPass, and make a big impact on your community's cyber security. By the end of October, we want you to have taken real, meaningful steps towards a safer, more productive workplace.

[accordion-item title="What Is NCSAM?" color="Accent-Color" id="h2"]

October 2017 marks the 14th National Cyber Security Awareness Month (NCSAM), an annual effort led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security.

The primary goal of NCSAM is to ensure everyone has the resources needed to stay safer, be more secure and better protect their personal information online. As we look back at the year behind us, it has unfortunately been full of breaches and attacks that put the online security of both individuals and businesses at risk. And the reality? Cybersecurity is a shared responsibility, and all individuals and organizations have roles to play in promoting a safer, more secure and more trusted Internet. Over the years, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. NCSAM 2017 will highlight the overall message of STOP. THINK. CONNECT. and the capstone concepts of the campaign: “Keep a Clean Machine,” “Protect Your Personal Information,” “Connect with Care,” “Be Web Wise,” “Be a Good Online Citizen” and "Own Your Online Presence."

As an official NCSAM Champion, LastPass will be offering our free NCSAM toolkit below to our community and sharing many helpful resources and tips throughout the month of October. Watch for our emails to Enterprise Admins, with actionable steps to help your business get the most out of LastPass, as well as posts to our blog with tips and insights on NCSAM topics. We also invite you to join in on the conversation as we share content in our social communities like Twitter and Facebook.

Why join us in celebrating NCSAM? Here are just a few reasons:

- Raise awareness of your company's cyber security policies and goals among employees.
- Increase engagement and adoption of LastPass among your users.
- Create a strong password policy within your organization, and make it a reality with LastPass.
- Make cyber security topics more approachable for your users.

Let's work together to make NCSAM a success!

[accordion-item title="Where to Start" color="Accent-Color" id="h3"]

October may be a month full of chills and thrills, but scary cybersecurity practices could ruin the fun. To keep the password snatchers at bay, here's how we recommend you start preparing for NCSAM and plan to make your initiatives a success with LastPass:

>  Register for our webinar with Ovum to hear the latest research on password management.

Close the Password Security Gap
Speakers: Andrew Kellett - Analyst, Ovum & Rachael Stockton - Director Product Marketing, LastPass
In this webinar, Andrew will share insights from Ovum's latest report that reveals a lack of control over cloud apps and passwords, as well as a lack of automated technology implemented to solve this problem. In addition, Rachael will speak to the disconnect between IT and employees on password security, and offer steps to solve this problem.

> Get familiar with LastPass & PasswordPing

At LastPass, security is in our DNA and in our code; it's always been our top priority. Earlier this year we began working with PasswordPing to ensure all email addresses stored in LastPass are checked against the database of emails leaked in known breaches. By making LastPass customers aware that their credentials are no longer secure, we can prevent a wide range of related maladies: from malware to identity theft. Check our blog to learn more about PasswordPing and other steps you can take to protect your online security.

> Review the refreshed toolkit and suggested participation ideas below.

We've compiled all of these resources to give you options for raising awareness of LastPass and cyber security topics in your organization. Pick the materials that work best for your business - whether that's printed handouts and posters to put up around the office, presentations for lunch & learns throughout the month, posts on social media, articles on the company intranet. Get creative - and let us know how we can help.

> Need password management at work? Start your free trial.

If your team is struggling to manage, share, and control passwords, LastPass Enterprise will help you improve security with proper oversight of company passwords while also giving your team members a productivity boost with instant access to all their work accounts and apps. Join over 33,000 businesses using LastPass Enterprise to manage access, increase efficiency, and mitigate the risk of breach. Start a trial now or learn more.

[accordion-item title="Sample NCSAM Initiatives" color="Accent-Color" id="h4"]

There's no one-size-fits-all approach when it comes to using LastPass to meet your cyber security objectives during the month of October. With the added buzz and resources available throughout the month, NCSAM is an ideal time to promote cyber security awareness, and LastPass is a product that will help you meet many of your security goals. To make NCSAM a success in your organization, we recommend reviewing the materials we've made available below, and choosing one or two key initiatives to help you drive engagement and awareness.

Here are just a few of our suggestions of activities and ways to use the NCSAM materials, but get creative! You can also contact our team for questions or assistance. We're here to help you improve your security, and get the most out of LastPass.

If you're a LastPass Enterprise Admin:

- Invite more employees to your Enterprise account. LastPass isn't just for IT teams! Every employee in your organization can benefit from the convenience and security of LastPass. Login to the Admin Console to add more employees to LastPass Enterprise.
- Post short messages or online safety tips on internal message boards throughout the month.
- Hang posters and leave out flyers in common areas to help create awareness throughout the month.
- Put passwords to the test with the LastPass Security Challenge. Consider creating a competition among team members to see who can get the highest scores, and who makes the most improvements in their scores.
- Host a Lunch & Learn. Using one of our presentations or resources provided on, schedule a time to chat with employees about good cybersecurity and password practices.
- Follow our helpful tips and cyber security insights by subscribing to the LastPass blog.
- Review our Internal Communication Plan for more resources and initiatives to deploy LastPass in your organization. Use our NCSAM materials below to supplement your efforts and ensure success!

If you're in a LastPass Enterprise trial:

- Join our live weekly demo to learn more about deploying and implementing LastPass for your company. Register now!
- Host a Lunch & Learn. Make your trial period a success with a proactive approach to onboarding users and getting them started with LastPass. Use our NCSAM presentation to introduce them to important cyber security topics, or use our LastPass presentation to provide an overview of what it is and how to get started.
- Review our Internal Communication Plan for more resources and initiatives to deploy LastPass in your organization. Use our NCSAM materials below to supplement your efforts and ensure success!

If you're representing a university campus:

- Sponsor LastPass on your campus. With turnkey, affordable Internet2 NET+ LastPass packages, all students, faculty, and staff can benefit from a campus-wide deployment of LastPass. Learn more here and get in touch with our team to learn how hundreds of educational institutions are using LastPass.
- Pair the NCSAM Toolkit below with our Education Toolkit for more resources in improving awareness of LastPass in your campus community.

[accordion-item title="Your LastPass Toolkit for NCSAM" color="Accent-Color" id="h5"]

We've compiled the below resources to help you achieve your organization's cyber security objectives and maximize your deployment of LastPass. These materials are intended for use in educating about LastPass, and participating in National Cyber Security Awareness Month.

We want to know: How will you be participating? Email us or tweet us to share your plans. We look forward to making an impact together this October!


Close the Password Security Gap
Tuesday, October 17th - 1pm ET / Speakers: Andrew Kellett - Analyst, Ovum & Rachael Stockton - Director Product Marketing, LastPass
In this webinar, Andrew will share insights from Ovum's latest report that reveals a lack of control over cloud apps and passwords, as well as a lack of automated technology implemented to solve this problem. In addition, Rachael will speak to the disconnect between IT and employees on password security, and offer steps to solve this problem.


- LastPass logos (PNG)

- LastPass logos (SVG)

- NCSAM logos


-  HTML Email Template: A coded template of the LastPass standard email.


- Infographic: Online Security Through the Ages (PDF)

- Infographic: Is Your Company Just One Weak Password Away from a Security Breach? (PDF)

- Introduction to LastPass Flyer (PDF)

- Getting Started with LastPass on iOS (URL)

- Overview of LastPass Authenticator (PDF)

- State of Security (PDF)

- Password Security Tips (PDF)

- STOP.THINK.CONNECT Basic Tips & Advice


- Why NIST Recommendations Simplify The Online Experience (URL)

- How IT Can Help Employees Improve Security (URL)

- 7 Bad Password Habits to Break Now (PDF)

- Two-Factor Authentication: What It Is and Why It Matters (PDF)

- Password Smarts: How to Improve Your First Line of Defense (PDF)

- How a Password Manager Saves You Time (PDF)

- Does Your Company Have a Kill Switch? (PDF)

- 8 Frustrations You Can Eliminate with a Password Manager (PDF)


- Bad Passwords Happen to Good People (PDF)

- Your Brain on Passwords (PDF)

- Half-page poster (PDF)

- Full-page poster (PDF)

- Large 11" x 17" poster (PDF)


- LastPass NCSAM Presentation: Organize a brown bag lunch hour to introduce employees to NCSAM and explain the benefits of secure password management.


- LastPass Enterprise video tutorials: See LastPass Enterprise in action and learn how to get started.

- LastPass 101 Videos: Get your employees started with LastPass with these 101 videos.

- Bank InfoSecurity's Latest Password Protection Tips: Featuring advice from LastPass Specialist, Cid Ferrara.

- Passwords Made Safer with Fox News: Best practices and tips on password management and multi-factor authentication.


- Workplace Security Risk Calculator: Educate your employees on how their practices may be putting the business at risk.


- Head to for more ways to get involved.

[accordion-item title="For Personal LastPass Users" color="Accent-Color" id="h6"]

While our toolkit was built to help our Enterprise customers maximize their investment in LastPass, personal LastPass users can certainly get involved and help us spread cyber security awareness throughout the month of October, and beyond.

Here are just a few ways to participate and make a difference:

- Send an email to friends and family informing them that October is National Cyber Security Awareness Month and encourage them to try LastPass. Use our referral option to earn Premium credit - and give your recipients Premium credit, too!

- Print a STOP. THINK. CONNECT. tip sheet or one of our other resources above and display it in areas where family members spend time online.

- Hold a family conference to discuss how each member of the family can help to protect their online devices from cyber attacks. Read through and discuss suggestions from STOP. THINK. CONNECT. Ensure every family member is using LastPass to create, manage, and share strong passwords.

- Sign up as an NCSAM Champion and use the Champion toolkit to promote NCSAM in your community.



Why Use LastPass Enterprise?

[accordion openfirst=false scroll=true clicktoclose=true]

Designed and built from the ground up by an experienced team of highly-talented developers, LastPass Enterprise finally delivers on the long-desired -- but rarely delivered -- promise of Enterprise SSO. LastPass Enterprise brings a new technical approach to Single Sign-On, designed and delivered the way YOU have always envisioned it.

[accordion-item title="For End Users" id="h1"]

[accordion-item title="For Help Desk" id="h2"]

[accordion-item title="For System Administrators" id="h3"]


[accordion-item title="For CISO, CIO, CTO, and IT Managers" id="h4"]

[accordion-item title="For SVP Sales and SVP Operations" id="h5"]

[accordion-item title="For CEO" id="h6"]


Education Toolkit

[accordion openfirst=false scroll=true clicktoclose=true]

Thanks for choosing LastPass to help your students save time and better secure their digital life. Our toolkit has everything you need to spread the word around campus, educate your community, and help them benefit from secure password management with LastPass.


LastPass Logo (SVG)
All LastPass logo usage variations.

LastPass Logo (PNG)
PNGs of all LastPass logo variations.


Posters and Fliers

Half Page Ad
A short, simple ad that can be handed out to students.

Full Page Ad
A longer, more robust ad that can be handed out to students.

11x17 Inch Poster
A large-scale poster that can be hung around campus.

Instructional Flyer
An introduction flyer detailing how to get LastPass up and running.


Email Resources

HTML Email Template
A coded template of the LastPass standard email.


Social Graphics

Facebook Post Graphics
Graphics for your Facebook posts about LastPass!

Twitter Post Graphics
Graphics for your tweets about LastPass!

Traditional Ads
Ads sized for a variety of displays.


Link Personal Account

[accordion openfirst=false scroll=true clicktoclose=true]

The Link Personal Account option now allows LastPass Enterprise users to link their Personal LastPass Accounts with their Enterprise Accounts.  This enables users to access their personal LastPass entries while using their Enterprise Account, all while keeping the two accounts separate.

[accordion-item title="Setting Up Your Linked Account" id="h1"]

To set up a Linked Personal Account, log in to the LastPass browser extension with your Enterprise credentials.  Go to the LastPass Plug-In Icon -> My LastPass Vault, and click on the "Link Personal Account" link on the left-hand actions menu. Follow the prompts.


[accordion-item title="Unlinking the Accounts" id="h2"]

If at any time you wish to unlink a personal account from an Enterprise account, you can do it in two ways:

1. From within the Enterprise Account:  Vault > Left menu > Remove More Options > Advanced > Remove Linked Personal Account.


2. From the personal account: Vault > Account Settings > Show Advanced Settings > Unlink Account From Enterprise


3. If an Admin uses the policy Super Admin Master Password reset on the account, the Personal account will automatically unlink.


[accordion-item title="Policies involving Linked Personal Accounts" id="h3"]

Prohibit Linking Personal Account: Disallow linking of personal account into your enterprise account.

Prohibit Updating Personal Account: Disallow adding/updating/deleting of personal account data when it is linked through your enterprise account.

Setting Default Account for New Sites: If this policy is in place, and a user has a linked personal account, sites will be saved to the personal account by default, unless the new site's URL matches a domain specified in the 'value' field below. Multiple domains can be separated by commas, e.g.,,, etc.

Recommend or Require Linked Personal Account: When enabled, this policy will force each user to create a personal account that will be linked automatically to his/her Enterprise account. Existing personal account holders will be required to link their personal account. New users will enter their personal email address which will serve as the username for the account, while the master password will be the same for both accounts.

Enter a 1 to make this policy mandatory. The prompt will continue to pop up on every login until the linked account is set up. Enter a 2 to allow the user to opt out if desired.

Save Personal Sites to Personal Vault: When this policy is enabled, LastPass detects the username for every new site. If the username matches the master username for the Personal Linked Account (such as, the site will be saved directly to the personal vault by default. If any other username is used for the site (such as or any non-email username), the site will be saved directly to the work vault by default. The user can override the LastPass personal account selection if needed.

Note: A personal LastPass vault must be linked to the user’s work vault in order to auto-sort. Otherwise, all logins will save to the work vault by default. We recommend enabling the “Recommend or Require Linked Personal Account” policy in order to help automate this function for users.


How is LastPass safe?

[accordion openfirst=true scroll=true clicktoclose=false]

Your security and privacy are our top priority - that's why we've taken every step possible to ensure that your data is safely stored and synced in your LastPass account.

Locally encrypted sensitive data

All encryption/decryption occurs locally on the user's device, not on our servers. This means that your sensitive data does not travel over the Internet and never touches our servers, only the encrypted data does.

Government-level encryption

We use the same encryption algorithm that the U.S. Government uses for top-secret data. Your encrypted data is meaningless to us and to everyone else without the decryption key (your emails and Master Password combinations).

Only your users know the key to decrypt their data

Your encryption keys are created from your users' email addresses and Master Passwords. The Master Passwords are never sent to LastPass - only a one-way hash of your password when authenticating - which means that the components that make up your keys remain local to your users. LastPass also offers configurable corporate policies that let you add more layers of protection.
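The split described above between the locally held encryption key and the one-way hash used for login, as an added sketch that is not LastPass code. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the use of the email as salt and the `AuthServer` class are assumptions for illustration, since this page names no algorithm or parameters.

```python
import hashlib
import hmac
import os

# Assumed parameters: the page does not name a KDF or a work factor.
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def _norm(email: str) -> str:
    """Normalise the email so the same account always yields the same salt."""
    return email.strip().lower()


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: encryption key built from the email and Master Password.

    This value stays on the device and is never placed in a request.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        _norm(email).encode("utf-8"),  # email acts as the per-user salt
        KDF_ITERATIONS,
        dklen=KEY_LEN,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one-way hash that is sent instead of the Master Password.

    It is computed from the vault key, so the key cannot be read back out of it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN
    )


class AuthServer:
    """Hypothetical server: keeps only a salted re-hash of the login hash."""

    def __init__(self) -> None:
        self._records = {}

    @staticmethod
    def _stretch(login_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ITERATIONS)

    def enroll(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        self._records[_norm(email)] = (salt, self._stretch(login_hash, salt))

    def verify(self, email: str, login_hash: bytes) -> bool:
        record = self._records.get(_norm(email))
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, self._stretch(login_hash, salt))


def demo() -> dict:
    # Constructed sample credentials, not real accounts.
    email, password = "alice@example.com", "correct horse battery staple"

    key = derive_vault_key(email, password)       # stays local
    login_hash = derive_login_hash(key, password)  # the only value sent

    server = AuthServer()
    server.enroll(email, login_hash)

    wrong_key = derive_vault_key(email, "guess")
    wrong_hash = derive_login_hash(wrong_key, "guess")

    return {
        "login_ok": server.verify(email, login_hash),
        "wrong_password_rejected": not server.verify(email, wrong_hash),
        "key_differs_from_login_hash": key != login_hash,
        # Same password under another email gives an unrelated key.
        "email_changes_key": derive_vault_key("bob@example.com", password) != key,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
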

Control your policies

We know that one size does not fit all when balancing corporate security and ease of use. That's why we allow you to define your preferences by providing a full range of configurable corporate policies. We strongly encourage you to review the policy options prior to rolling out LastPass across your organization.

Generate unique, strong passwords

No more using the same password for all sites. No more writing down passwords on little pieces of paper. No more emailing yourself when you forget your password. With the LastPass password generator users can create strong passwords for each site and automatically save them to their individual vault. With LastPass, your data will be safer online than ever before without the hassle of remembering unique passwords.

No more using your browser's insecure password manager

Any malicious application can easily retrieve saved passwords from your users' browsers. With LastPass, you're protecting  your users from these attacks!

Learn more about protecting yourself from phishing scams

Implementation Guide




***Every implementation of LastPass is different based on your unique environment and program goals. This article serves as a high-level guide for some of the features and options you might consider when implementing LastPass Enterprise.***



Phase I: Proof of Concept


  1. Follow the prompts and submit the LastPass Trial Request Form to initiate a free, 14-day trial including up to 10 staff members.

  2. Weigh provisioning options and software installation options, and determine the best path for your enterprise.

  3. Review the policy options and determine relevance for your enterprise.

  4. Create at least 5 beta test accounts from the 'create new users' tab of the Admin Console.

  5. Populate the beta accounts with top sites and applications utilized by your employees. Test all logins to make sure that they are functioning seamlessly.

  6. Determine who will need Admin rights within your enterprise and assign them from the Users tab of the Admin Console. Conduct Admin training as necessary.

  7. Determine if cloud-based Single Sign-on (using SAML) is needed/wanted. Advise your LastPass representative if support is needed for any new applications not already available. Integrate and test the desired applications.

  8. For larger implementations, consider training one or more internal helpdesk contact(s) for end user support.

  9. For larger implementations, determine how much education/tutorials you intend to push out to your staff. Most enterprises send only the welcome email.

  10. For larger implementations, consider customizing the welcome email to include internal helpdesk contact.

  11. Review the automated user notification options found here. These notifications are very important for driving adoption and for optimizing employee use of the service to improve the safety of your corporate data.



Phase II: Enterprise-wide Roll Out


  1. For larger implementations, download the software to all work stations.

  2. Purchase your LastPass licenses.

  3. Provision all users, or provision in batches, per your preference.  If using the Sync Client with ‘pending users’ configuration, then go to the ‘pending users’ page to ‘accept’ all users for whom you would like accounts to be provisioned.

  4. Determine if any new users should be granted LastPass Admin rights. If so, assign them from the Users tab of the Admin Console. Conduct Admin training as necessary.

  5. Create User Groups to help facilitate the assignment of policies and/or Shared Folders.

  6. If using cloud-based Single Sign-on (using SAML), activate the desired groups/apps.

  7. If sharing credentials is desired, have each divisional manager consider their shared folder structure: (1) one universal folder or multiple, (2) who will have admin versus standard access and hidden/visible, (3) what sites/secure notes will be shared. Create shared folders and populate them with the desired sites. (Folders can be created at any point in time.)

  8. Owners assign Shared Folders to the appropriate users/groups.

  9. Report any bugs or enhancement requests to LastPass using the ticket system.

  10. See the LastPass Training Kit for End Users for a suggested training program and resources.

Migrate Data Between Accounts

[accordion openfirst=false scroll=true clicktoclose=true]

Often new LastPass Enterprise users already have an existing account under their work email address which contains both personal and work-related data. In this case, it is easy to create a new Personal account and migrate the data between the two. Once the two accounts are linked, data can be migrated from the Enterprise account to the new Personal account through the drag and drop method between folders. The steps are as follows:

[accordion-item title="Setting Up to Migrate" id="0"]

  1. Create a new Personal account using your personal email address:

  2. Link your personal account to your work account (log into your Enterprise account -> vault -> Link Personal Account. Click here to learn more about linking accounts.)

  3. Look for the new personal folder in your Enterprise vault (the folder name will be your personal username)

  4. Drag and drop any relevant sites from the Enterprise folder to any Personal folders (or right-click > move to folder)

[accordion-item title="FAQs" id="1"]

Can I block the migration of data from Enterprise to Personal?
Yes, this can be prevented by enacting the policy to prohibit updating personal account, located under the 'Limit Features' heading.

Can my employees move data from Shared Folders to their Personal account? 
Data cannot be moved directly from a Shared Folder to the personal account, but it can be moved from the Shared folder to the Enterprise account, and then to the personal account. This too can be prevented via policies and user permissions.

Can I prohibit my employees from linking their personal accounts? 
Yes, by implementing the policy "Prohibit Linking Personal Account", you can prohibit users from linking their personal accounts with their Enterprise accounts.

Is there a way I can prevent users from exporting their Vaults? 
Several policies can be configured so that Employees are restricted from exporting, importing, or sharing credentials from their Enterprise Vaults. Our policies page details these specific restrictions.



System Requirements

[accordion openfirst=true scroll=true clicktoclose=false]

LastPass supports the below web browsers, operating systems and mobile devices.

[tab title="Operating Systems" id="t0"]


[tab title="Web Browsers" id="t1"]

[tab title="Mobile Devices" id="t2"]


[tab title="Previous Platforms" id="t3"]

We have previously built versions of LastPass for platforms that we no longer develop for. Users are welcome to install and use them, but we cannot offer technical support for these versions.

We strongly recommend that users download and run the installer from our website for all browsers they regularly use.


2. Login to LastPass

Training Kit for End Users


The LastPass Training Kit for End Users


Implementing LastPass in your organization will be an exciting development for administrators and employees alike. While the driver behind a LastPass Enterprise purchase is often improved security, LastPass also brings huge convenience to end users. When properly implemented, LastPass will help alleviate administrative tasks for IT and Operations, and will help save considerable time and frustration for end users. However, like all new things, there can be a learning curve. The following recommendations are intended to help create comfort among your staff as well as drive down this learning curve. We hope that you will take full advantage of these materials and advice, and contact our staff if there is anything more that you feel would help.



End User Survey (1 week prior to roll out)


Prior to implementing LastPass, we recommend that you survey your employees to establish a baseline around current password practices. This will help you to better steer your educational efforts, and will provide you a quantifiable proof point against which you can measure the impact of the program. Click here for a sample survey.


Warm 'em up (2 days prior to roll out)


It is a good idea to send a 'heads up' email  2 days in advance of your implementation to put context around the goals of the LastPass program and to prepare your staff for what to expect. This email is also intended to let them know that LastPass is a corporate-sponsored program so that when they receive the welcome email they are less likely to see it as a potential phishing scam.  See suggested copy for the 'heads up' email here.


The Welcome Email


With most provisioning options, your end users will receive an automated welcome email from LastPass. This email can be customized to bring your own culture and message to your staff. See the boilerplate emails here.


LastPass Experts


We suggest you train a select group of employees to serve as "LastPass Experts". On the day of your launch, have your Experts wander the floor offering assistance and advice on how to use and optimize LastPass. For larger deployments, feel free to contact your sales representative for LastPass t-shirts for your experts.


Add LastPass screencasts to your Training Modules


Mandatory training is always best. Help your employees make the most of LastPass with a brief mandatory training. They can simply watch the screencast and then take a brief quiz to demonstrate completion.


Review your progress


At any point after the automated Welcome email is sent, you can check the progress of your users by visiting the Notifications Tab.  We suggest direct outreach to staff members that have not yet enabled their account. You can program these emails to be sent automatically on a regular basis until the user has taken action.


Training Email and Self-help Tool (48 hours after invite)


It is best to offer your staff some form of training whether it is direct 'desk by desk' training, small group training, or a larger Webinar. We suggest that these invitations be sent out to end users approximately 2 days after the initial invite. See suggested copy here. For larger implementations, LastPass is happy to provide training for your trainers. Please contact your rep to schedule your training session at least 5 days prior to the target roll out.


Review your progress (1 month after invite)


One month after the initiation of your LastPass program, we suggest that you visit the Notifications Page. Look for what you consider to be critical areas for outreach. Using the email templates, draft targeted messages to your end users that will be sent automatically based on the time frames that you designate.


Training Tools


We encourage you to distribute these tools to your End Users to help get them up to speed and to expose them to some of the broader benefits of LastPass.

LastPass Enterprise End User Training Deck
LastPass Enterprise User Desk Reference Guide


Online screencasts


Getting Started with LastPass:
More Introductory Screencasts:

Sample Survey

[accordion openfirst=false scroll=true clicktoclose=true]

When surveying your employees, we suggest that the survey be offered anonymously to promote honest answers.

Password Questionnaire


1. What system are you using to keep track of your passwords?

  • Spreadsheet or other written medium (contacts, sticky notes, Word doc)

  • Same or similar password everywhere

  • Rotate between 3 (or so) passwords

  • The password manager in my browser

  • 3rd party password manager

2. How many work-related passwords do you use on a weekly basis?

  • 0 – 10

  • 11 – 15

  • 15 – 20

  • More than 20

3. Do you frequently re-set passwords because you have forgotten them?

  • Yes, weekly

  • Yes, monthly

  • No

4. Do you check the ‘Remember Me’ button on login screens?

  • Yes, always

  • Yes, occasionally

  • No

5. Do you share passwords with colleagues such as group logins to virtual meeting software, social media sites, servers, etc.?

  • Yes

  • No

6. Have you ever contacted the helpdesk at work regarding a password-related issue?

  • Yes

  • No

7. What functional team do you work for in the company (e.g., sales, customer service, finance, HR, IT)?


Email Templates for End User Roll Out and Training

[accordion openfirst=false scroll=true clicktoclose=true]

Use our sample email templates for end user roll out and training.

[accordion-item title="The 'Heads Up' Email (2 days prior to invite)" id="h1"]


Hello Team:

We are pleased to announce that we have recently contracted with a great new service provider called LastPass. LastPass offers a service that will help you better manage your passwords. The goals of this program are to:

In the next couple of days, you will receive a welcome email from LastPass. Please follow the instructions to get started. While this is required, it is also something that we are certain will bring you great utility and convenience. We hope that you will embrace and enjoy this new tool.


Your friends in IT
[accordion-item title="The Automated Welcome Emails" id="h2"]


Click here for our automated email contents.

[accordion-item title="The Training Invite (2 days following invite)" id="h2"]


Hello Team:

Two days ago you should have received your invitation to create a LastPass account. Hopefully you have done so, and are enjoying the benefits of the service.

We will be conducting required training sessions at the following dates and times. Please respond to this email to reserve your spot:


Attached is a desk reference that might also be helpful as you start using LastPass.


Your friends in IT

LastPass Enterprise Desk Reference


Email Templates for End User Roll Out & Training

Admin Dashboard

[accordion openfirst=true scroll=true clicktoclose=false]

The LastPass Enterprise “Admin dashboard” offers every tool your administrators will need to implement and manage LastPass for your organization.

[tab title="Opening the Admin Dashboard"]

To open the Administration dashboard, click the LastPass icon on your browser bar and select 'Admin dashboard'. This option is visible to LastPass Administrators. The creator of a LastPass trial is made Admin by default. He or she can then assign admin rights to any other users from the Users tab of the Admin dashboard.


Clicking on the 'Dashboard' option will open the home page of the Admin dashboard. The home page of the dashboard gives you a summary of your account including: the number of users, licenses available, expiration, purchase options, security grade tiles, a snapshot of all enterprise logins over the last 7 days, and important alerts regarding features and newly added services.


[tab title="Video Tutorial"]

Please see the video below for an overview of the Enterprise features:






[tab title="Active Users"]

This tab displays all active users: those who either already have an active account or have been invited to activate their account with your Enterprise. From this tab, you can also select users individually or in bulk to carry out administrative actions. If you select a user individually by clicking on the user's email, a side menu slides in from the right-hand side of the screen. From this side menu, you can carry out specific administrative actions.

[tab title="Invited Users"]

Within this tab you can see all users who have been sent an email invitation to join your Enterprise. By selecting the checkbox of these users, you will be able to Uninvite them (revoking their ability to activate their account, even through the email) or Reinvite them by sending a second follow-up email.

[tab title="Disabled Users"]

This tab lists users who are part of your company and have been disabled by an admin or AD Sync. You can read more about disabled users here.

[tab title="Users awaiting approval"]

This tab represents users that have been imported from the AD sync client, but need to be manually approved to join the Enterprise before an email is sent to them for invitation.

[accordion openfirst=false scroll=true clicktoclose=true]
[accordion-item title= "Adding users from the Admin Dashboard" id="h0"]

On the top-right of the screen you will be able to select Add User. This button will pull out a Side menu which can be used to add users using Batch provisioning. Batch provisioning is one of two ways to create new users in your Enterprise system. To utilize batch provisioning you can provision users under your Enterprise account by entering their email in the box provided on the 'Getting Started' tab. An account will be pre-created for them with a temporary password. They will receive a welcome email with instructions on how to reset their password and get started. If the user's email address is already associated with a LastPass account, they will be sent an email with an activation URL.

This is also the Side menu in which you can select default or draft a custom email invitation for future Enterprise users.



Create New User

[accordion openfirst=false scroll=true clicktoclose=true]

You can provision new users by going to:

Admin Dashboard -> click Users to expand all options -> click the "Add User" button in the top right

There are 4 methods of user provisioning available in LastPass Enterprise as described below. You will want to weigh these options carefully before implementing LastPass across your organization.

[accordion-item title="Batch Provisioning of Users (Mac/Windows/Linux)" id="h1"]

You can provision users under your enterprise account by entering their email in the box provided as shown in the screenshot below.

By default, LastPass will send a welcome email to the users (the Send Email checkboxes are checked). Click the Create Users button to complete the action. Once submitted, the user will receive an automated welcome email with instructions on how to reset their temporary password and get started. If the user's email address is already associated with a LastPass account, they will be sent an email with an activation URL to link their existing account to the Enterprise.

Alternatively, you can create a custom email template for both new and existing LastPass users.

[accordion-item title="Active Directory Sync Client" id="h2"]


The LastPass Active Directory Sync Client is a Windows service that can be run locally or directly from the admin dashboard.


Any newly eligible profiles added to your AD will be either (1) automatically provisioned with LastPass or (2) added to our system as pending approval (depending on your preferred settings). Once provisioned, the user will receive an automated welcome email with instructions on how to reset their temporary password and get started. If the user's email address is already associated with a LastPass account, they will be sent an email with an activation URL to link their existing account to the Enterprise.

With this Client you can opt to sync user group information as well, which can be used in turn to assign policies and Shared Folders. You can also create nested groups to manage permissions at the group level. Click here to learn more about the Active Directory Sync Client. Click here to download the client (scroll to the bottom of the page).

[accordion-item title="LastPass Provisioning API" id="h3"]

LastPass exposes a public API that can be used by enterprise accounts to create users, deprovision users, and manage groups. The full API details and instructions can be found within the Enterprise dashboard > Users > Add User > Provisioning API option.

LastPass Provisioning API

[accordion-item title="Okta Integration" id="h4"]

Many companies are using Okta, the leader in Single Sign-On, alongside LastPass, the leader in business password management, to address the complete picture of employee identity and access management. We’ve partnered with Okta to offer a SCIM API that can be configured for automatic provisioning and deprovisioning of LastPass accounts for easy, secure administration.

Integrating LastPass with your Okta directory offers:

Click here to learn more.
[accordion-item title="Azure Integration" id="h5"]


Integrating LastPass with your Microsoft Azure Active Directory (AD) offers:

Click here to learn more.
[accordion-item title="Automatic Provisioning Using Windows Login Integration" id="h6"]

LastPass can invisibly integrate with the standard Windows Login process to automatically create new users and sign existing users in.

To set this up, visit the Install Software tab in the Enterprise dashboard and follow the instructions there.

Install our full build with the following parameters:

lastpassfull.exe -dl=<your domain name> -cid=<company ID> -chsh=<your ID> -winlogin --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass"

The dl parameter should be an externally resolvable domain name (not your internal Windows Domain name) and will be combined with the Windows Username to form the LastPass login. For example, if you pass and your windows login is bob, the resulting LastPass username will be

[accordion-item title="Provisioning without an email address" id="h7"]

By default, when a user is provisioned, an email is sent to the user with their temporary password or an activation link (if their account exists already). However, if you must provision users who do not have an email address yet (for example, you are provisioning users via Service Provisioning through SAML), follow the procedure below:

    1. Go to Create Users in the Admin dashboard

    2. Set "Send Email if Existing User?" and "Send Email if New User?" to "No"

    3. Create the user using Batch Provisioning

    4. Once the user is created, go to the Users page

    5. In the Actions column, choose "Set Initial Password". Make sure that the "require Master Password reset on next login" option is enabled. Store this password somewhere safe, as it will be needed later for distribution.

    6. If needed, set up the account: add the user to any User Groups, Shared Folders and Policies.

    7. When ready, give the user the initial password so they can use it to sign into their newly created account.


Okta Integration

[accordion openfirst=false scroll=true clicktoclose=true]

Many companies are using Okta, the leader in Single Sign-On, alongside LastPass, the leader in business password management, to address the complete picture of employee identity and access management. We’ve partnered with Okta to offer a SCIM API that can be configured for automatic provisioning and deprovisioning of LastPass accounts for easy, secure administration.

Integrating LastPass with your Okta directory offers:

Securing every app with LastPass and Okta

To ease onboarding and management of LastPass, we’ve partnered with Okta to allow automated user provisioning and deprovisioning through a SCIM API. Our Okta endpoint can be configured for instant creation of LastPass accounts and real-time revocation when employees leave the organization. IT admins benefit from easy, secure administration of LastPass through their Okta directory.

For companies that have implemented Okta as a Single Sign-On solution, there are still situations where apps either don't integrate with SSO or are brought into the workplace without IT's knowledge.
LastPass provides an out-of-the-box solution to centrally manage all passwords that are being used and shared, whether those services are sanctioned by IT or not.

Businesses invest in LastPass so they can:

[accordion-item title="Installing and configuring Okta integration" id="h1"]

Syncing the Okta user directory to LastPass requires:

The LastPass Okta SCIM endpoint does not require any software installation.

Please note, the integration with Okta’s user directory does not allow users to log in to LastPass with their Okta password. Completing the account set-up steps for LastPass requires that the user create and remember a separate LastPass master password, which is used to create the unique encryption key to their LastPass vault.

A copy of the admin configuration guide is available for download here: Okta-SCIM-Guide

[accordion-item title="FAQs" id="h2"]


Azure Integration

[accordion openfirst=false scroll=true clicktoclose=true]

Integrating LastPass with your Microsoft Azure Active Directory (AD) offers:

Securing every app with LastPass and Azure

Through a SCIM API, our Azure AD endpoint can be configured for automatic provisioning of existing or new user profiles to create LastPass accounts, automatic deprovisioning of disabled or deleted profiles to deactivate LastPass accounts, and automatic syncing of user groups for assigning users to policies and shared folders. IT admins benefit from easy, secure administration of LastPass through their Azure AD user directory.
For companies that have implemented Azure AD as a Single Sign-On solution, there are still situations where apps either don't integrate with SSO or are brought into the workplace without IT's knowledge.
LastPass provides an out-of-the-box solution to centrally manage all passwords that are being used and shared, whether those services are sanctioned by IT or not.

Businesses invest in LastPass so they can:

[accordion-item title="Installing and configuring Azure AD integration" id="h1"]

Syncing the Azure AD user directory to LastPass requires:

The LastPass Azure AD SCIM endpoint does not require any software installation.

Please note, the integration with Azure AD's user directory does not allow users to log in to LastPass with their AD password. Completing the account set-up steps for LastPass requires that the user create and remember a separate LastPass master password, which is used to create the unique encryption key to their LastPass vault.

A copy of the admin configuration guide is available for download here: Azure AD Guide

[accordion-item title="FAQs" id="h2"]


OneLogin Integration

[accordion openfirst=false scroll=true clicktoclose=true]

Our SCIM API for OneLogin can be configured for automatic provisioning and deprovisioning of LastPass accounts for easy, secure administration.

Integrating LastPass with your OneLogin directory offers:

Securing every app with LastPass and OneLogin

To ease onboarding and management of LastPass, we’ve partnered with OneLogin to allow automated user provisioning and deprovisioning through a SCIM API. Our OneLogin endpoint can be configured for instant creation of LastPass accounts and real-time revocation when employees leave the organization. IT admins benefit from easy, secure administration of LastPass through their OneLogin directory.

For companies that have implemented OneLogin as a Single Sign-On solution, there are still situations where apps either don't integrate with SSO or are brought into the workplace without IT's knowledge.

LastPass provides an out-of-the-box solution to centrally manage all passwords that are being used and shared, whether those services are sanctioned by IT or not.

Businesses invest in LastPass so they can:

[accordion-item title="Installing and configuring OneLogin integration" id="h1"]

Syncing the OneLogin user directory to LastPass requires:

The LastPass OneLogin SCIM endpoint does not require any software installation.

Please note, the integration with OneLogin’s user directory does not allow users to log in to LastPass with their OneLogin password. Completing the account set-up steps for LastPass requires that the user create and remember a separate LastPass master password, which is used to create the unique encryption key to their LastPass vault.

A copy of the admin configuration guide is available for download here: OneLogin SCIM Guide

[accordion-item title="FAQs" id="h2"]


Windows Login Integration

[accordion openfirst=false scroll=true clicktoclose=true]

LastPass can invisibly integrate with the standard Windows Login process to automatically create new users and sign existing users in. To do this, we install a DLL that hooks the Windows login flow using sanctioned/standard Windows protocols. When we receive the password, we hash it and then use the hash to create the user's LastPass credentials. We never store anything on disk and are careful not to leave anything in memory.

With Windows Login Integration, users within the LastPass Enterprise system will be provisioned using their Windows username followed by the address that your Enterprise uses. New LastPass users will be created upon their first login to the Windows domain after the Login integration with LastPass is added. From that point on, users will log in to the Windows domain as they normally would, and will automatically be logged into LastPass as well.

Instructions for set up can be found in the Admin Dashboard -> click Users to expand all options -> Create New User -> Automatic Provisioning Using Windows Login Integration.

[accordion-item title="What do you see as end users when you log into your Windows for the first time" id="h0"]

Once Windows Login Integration is set up, you will see a screen as shown below when you log into Windows for the first time.

If you do not have an account with LastPass, click the "Activate My LastPass Account" button. The popup is dismissed and the LastPass for Applications icon turns red, indicating you are logged into your new LastPass account.

If you already have a LastPass account, click the "I Already Have A LastPass Account" button. Another popup appears to allow you to map your Windows username to your LastPass email address if they do not match.

In case LastPass detects a mismatch between your AD password and your LastPass master password, it will show an error message.
You will need to change either your AD password or LastPass master password and retry.


[accordion-item title="Frequently Asked Questions" id="h1"]

Q: What happens if a user's Windows user name and company domain address that is used to log in outside of the work environment does not correlate to an existing e-mail address?

A: If the Windows address does not correlate to an existing email address, upon first logging into the account the user will be prompted to set a security email address, which will be used for all communications regarding LastPass. This e-mail address can be changed within the Account Settings at a later date by the individual user.

Q: How do I make sure LastPass master password changes when AD/Windows password changes?

A: If you change your Windows password in Windows Settings on the computer where Windows Login Integration has already been set up, we are able to capture the event and change the master password accordingly. To ensure the event is captured, you need to have an active LastPass session AND change the Windows password on the local machine that has Windows Login Integration enabled. If the Windows password change takes place on another machine (i.e., the admin changes the password for the user), the master password and Windows password will be out of sync. In this case, the user will need to manually change the master password in LastPass account settings to match his or her Windows password.

Tips for enterprise admins:
If you want no user interaction in the password change process, enable the Super Admin Master Password Reset Policy. It allows you to reset users' master passwords as a super admin. When you change a user's Windows password, you can also reset his or her master password in the LastPass Admin Console to make sure they match. For more information about how to set up the policy, see this FAQ.

Q: What happens if the user already has a LastPass account under their work e-mail?
A: If the username and password for the LastPass account are the same as the Windows login and password, LastPass will attempt to log in using these credentials.

Q: What happens if the password the user uses to log in to Windows is NOT the same as the password for the pre-existing LastPass account?
A: The user will see a bubble from the LastPass icon in the tray that says "Login failed, does your Windows password match your LastPass password?"

Q: What should the user do if his or her existing password does not match the Windows password?
A: The user will need to log in to LastPass using their existing LastPass password, go to Account Settings, and change the master password to match the Windows login password.

Q: Could a user continue to use two different passwords for Windows login and LastPass login?
A: Yes, a user could continue using two different passwords, one to log in to Windows, and another to log in to LastPass. The AutoLogin to LastPass when logging into Windows would continually fail, though, and this would largely defeat the purpose of Windows login integration.

Q: If you delete your Windows domain login, can you manually log in to your LastPass account?
A: Yes, you can also manually log in to your LastPass account using your LastPass username and password.

Q: Can you log in anywhere using your LastPass credentials?
A: Yes, you can always use your LastPass credentials to log in to your account and gain access to your data.


Users Sub-tab

[accordion openfirst=false scroll=true clicktoclose=false]

This tab provides you with a complete list of all LastPass accounts that have been provisioned under your enterprise, and several actions that can be taken on each:

Security Score - the security score is based on the score generated when the user runs the 'Security Challenge' from his/her vault. The score is only updated and/or displayed when the Security Challenge is run.

User Details - this report offers a summary of the user’s account including their general account information, security check score, policies they are subject to, shared folder access and groups they are a part of. You can click on several of these headings in order to see a detailed list pertaining to his/her account including all of the policies that are active on the account and any folders that have been shared or created by the user. Scroll to the bottom of the page and click 'Click to see sites' to see a full, read-only list of all entries stored in the user's account.

Make or Remove Admin – you can promote any number of users to admin status and remove this status at any time. Granting Admin rights means that the individual will have full access to the Admin Console.

Require Password Reset - This will force the user to manually reset their master password. They will receive the notification to do this the next time the user logs in.

Destroy All Sessions - This will log the user out of all active sessions across all devices.

Reset Password - This option will be available only if the 'Super Admin - Password Reset' policy is enabled and if the user is 'eligible' for reset. For more information, see the 'Super Admin - Password Reset' policy at the bottom of the Policies page.

Disable User - temporarily disable the user's account making it inaccessible to them but not deleting the account entirely.

Delete User and Remove User from Company: At the bottom of the list you see ‘delete user’ or ‘remove user from company’. This is a decision that you should weigh carefully. ‘Delete user’ will delete that user’s account entirely. If the user has saved any personal logins or other data to their vault then they will no longer have access to that data. Some enterprises prefer the ‘Remove user from company’ option which will remove the user from your enterprise account, and will delete all Shared Folders from the user's account. With this option, the user will continue to have access to his/her account as a standard LastPass user.

Whether a user account is deleted, disabled or removed from the Enterprise, this will in no way impact any remaining users. For example, if the departing employee was an administrator of several Shared Folders, these folders will remain 100% available and intact for all remaining users. That said, there is a possibility that the folder will be left with no Admin. To avoid this scenario, you might consider enabling the Super Admin - Shared Folders policy.

As a best practice and an added precaution, we suggest that any shared credentials be changed upon the exit of an employee regardless of how you choose to manage their exit from LastPass. These changes to any Shared Folder will automatically sync to all assigned users, and this will give you an added layer of security.

Disable Multifactor - This will disable all multifactor authentication services for this User's account. If the policy "Prevent Multifactor Disable via Email" is enabled, this option will be the only way for multifactor to be disabled.

SuperAdmin Password Reset: If an Admin has been set as a Super Admin Password Reset via policy, there will be an option on this user actions dialog to change the password for that particular user. This change will be immediate and the Admin will be asked to create a new password for the account on the spot.

Edit Name - assign a nickname to the account that may be more recognizable to you than the user's email address.


Employee Welcome Emails

[accordion openfirst=false scroll=true clicktoclose=false]

When using the Batch Provisioning option, LastPass will look up the email to determine if the username is new or existing. Based on the results of that look-up, one of the two emails below will be sent to the end user automatically by LastPass.

Please note that you can modify the following default templates from within the Admin Dashboard by selecting "Yes, send custom email" from within the drop-down menus labeled "Send Email If Existing User?" and/or "Send Email If New User?"

[accordion-item title= "New User (no existing account under that username) Template" id="h1"]

Welcome to LastPass!

Your company (Company Name) has partnered with LastPass to simplify and secure your online life.

To activate your account, please click here to reset your master password. This is the only password you have to remember, so make it a good one!

Your username is _________
Your temporary password is _________

What is LastPass?

LastPass is a secure password manager that remembers your passwords and logs you in to your online accounts as you work. LastPass will not only generate strong passwords for you and help deter phishing attacks, it will streamline your everyday workflow and save you time by eliminating your password problems.

Check out this 5 minute video tutorial to help you get started.

The LastPass Team

[accordion-item title= "Existing User Template" id="h2"]


Your company has invited you to join LastPass. Since you already have an account, you can:

1. Use your existing LastPass account to join.

Depending on the policies your company enables, your administrator could delete your account at any time. If you want to sign up with your existing account, click this link: Activate Your LastPass Account.

2. Create a new LastPass account for company use only.

If you want to create a new account, click this link: Create a New LastPass Account. After creating your account and logging in, return to this email and click on the following link to complete activation: Activate Your LastPass Account. You can later 'link' your personal account to your company account, but keep your data separate.

URL to join: _______________________________


Your LastPass Administrator


LastPass Active Directory Connector

[accordion openfirst=false scroll=true clicktoclose=false]

The LastPass Active Directory Connector Client is a Windows service that is run locally and can be downloaded from the Admin Dashboard. It connects to your Active Directory to support a variety of provisioning and management processes in LastPass. With this service, you can:

  1. Feed relevant information from your user directory into LastPass.

  2. Sync new user profiles to LastPass for automated provisioning of LastPass user accounts.

  3. Sync disabled or deleted user profiles to LastPass for automated termination of LastPass user accounts.

  4. Create nested groups to manage permissions at the group level.

  5. Sync user groups to LastPass for policy designations, Shared Folders, and SAML application assignments.

  6. Apply filters based on your groups so that only members of the relevant groups sync to LastPass.

  7. Provisioning for a number of cloud-based applications including Google Apps and Add the user in AD, and let LastPass take it from there. No local provisioning necessary.

[accordion-item title= "Installing and Configuring the Client" id="h1"]

Recommended Specs

Bandwidth Consumption

Installation Steps

  1. Download the client from the Admin Dashboard -> Users -> Create New User -> LastPass Active Directory Sync Client

  2. Run the MSI installer. Accept the prompts from User Account Control dialogs.

  3. Once installed, the login page will appear. Log in with your LastPass Enterprise administrator login credentials.

  4. After logging in, you will be given an overview of each AD Connector sync option available and the settings that are currently in place. This is where you check the health status of the service and the connection, as well as enable/disable user sync to LastPass.
    Note: Please make sure that you have set and saved all relevant configuration options before you enable syncing. Starting with a partially configured AD Connector may result in unexpected behavior.

  5. Start by configuring the connection between LastPass and your Active Directory. This is where you set the details of how to connect to your Active Directory.

    • Specify a domain (e.g., lpadsync).

    • Specify a particular domain controller to connect to instead of a domain (e.g., lp-adsync-dc01.lpadsync.local)

    • Credentials: you can connect in the name of the current user or use a specific user's credentials.

    • BaseDN: The root node under which all your relevant user and group objects are located. Be careful when narrowing the scope in AD. For proper operation, all relevant users and their embedding groups must be under the specified BaseDN.

  6. After configuring your connection, click on 'Actions' to configure the Account Provisioning and Deletion options. You can specify what action should be performed when certain events happen to users in the Active Directory. For delete/disable operations, we recommend using the more “lightweight” disable account option instead of delete/remove from company. If the current settings lead to unwanted actions, disabled accounts are easier to restore than deleted users.

[accordion-item title= "Configure Groups and Filters" id="h2"]

When you are done configuring the 'Actions', click 'Sync' to configure the fields, groups and users that you would like to sync between LastPass and your Active Directory:


When you have completed the configuration, click 'Sync to LastPass'.  The LastPass Client will continually 'listen' for changes in your active directory and continue to add and remove users. The application window can be closed and the app will continue to run in the system tray.


NOTE: Users must have an email address listed in Active Directory in order to sync.



[accordion-item title= "Configure Proxy Settings" id="h3"]

Proxy settings can be configured per executable, for all .NET apps, or per user by using IE settings. The UI can use Kerberos authentication with the credentials of the currently logged-in user (who has to be a domain user); the service uses the credentials of the machine (which has to be domain joined). It is not enough to change the settings for just the currently logged-in user, because only the UI runs as that user, while the sync service runs as NT AUTHORITY\SYSTEM.

Validate Proxy Settings

You can use a custom helper script to check connectivity.

  1. Download on target machine: proxydebug

  2. Extract contents to C:\proxydebug or in current user directory C:\users\currentuser\proxydebug

  3. Open an administrator command prompt (windows key, type command, right click, run as administrator)

  4. Navigate to extracted files using cd C:\proxydebug.

  5. Type RunMeAsAdmin.cmd

  6. You should see the text "Testing local user" and "Proxy settings OK/Not OK"

  7. Press a key, and you should see the same text in a new window. ("Testing system user")

  8. If one or both are not ok then the proxy settings need to be changed, see next step.

  9. What does this do? What can I do if I cannot download files on the target machine?

  10. Run this PowerShell script in PowerShell ISE to test connectivity. The downloadable script also runs this as the NT AUTHORITY\SYSTEM user.

try {
    # Download a page from LastPass through the configured proxy
    # (put the URL to test between the quotes)
    $f = (New-Object System.Net.WebClient).DownloadString("")
    "LastPass connection OK. Proxy settings OK"
} catch {
    "Proxy or Internet settings NOT OK"
}

Write-Host "Press any key to exit ..."
cmd /c pause | out-null

IE settings (recommended)

The settings for the IE proxy are by default per user. This means that a user always has the ability to change his own proxy settings.

Use Admin Proxy Settings

In order to force a specific proxy server for all users on a machine, the proxy settings can be made machine-wide. This means only users with administrative rights can change the proxy settings.

In order to make the proxy settings machine-wide, the following registry key or GPO must be set, and the proxy settings configured by running IE as Administrator. (Open IE -> Tools menu -> Connections tab -> LAN settings)

GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Make proxy settings per-machine (rather than per user)


Run regedit.exe as Administrator.

Create new or set existing registry Key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DWORD: ProxySettingsPerUser = 0

Alternatively the same registry keys can be used as for manually specifying the proxy server, but they have to be set in HKLM instead of HKCU.


Non-Group Policy method

This needs to be done both for the currently logged in user and NT AUTHORITY\SYSTEM (that is the user the service is running as).

For the current user it can be configured in Internet Options. (Open IE -> Tools menu -> Connections tab -> LAN settings)

For SYSTEM: download

From command line execute:

PsExec64.exe -i -u "nt authority\system" "C:\Program Files\Internet Explorer

This allows you to run IE as the SYSTEM user and make changes to its proxy settings.


Alternatively use registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings)

For the local system user, it is more convoluted. The registry settings are stored under the path HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

It is actually the value in Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings that is used. Since that is not easily modified, you can modify the proxy settings for a user, export the registry key, modify the path in the exported file to HKEY_USERS\S-1-5-18 and reimport it.
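A read-only audit of the registry locations named above, added here as an example that is not part of the original manual or of LastPass's own tooling. It shows whether the current user (the UI) and NT AUTHORITY\SYSTEM (the sync service) see the same proxy values; ProxyEnable, ProxyServer and AutoConfigURL are standard Internet Settings value names that this page does not list, and Get-ProxyView is a hypothetical helper name.

```powershell
# Added example (not LastPass tooling): read-only audit of the proxy registry
# locations discussed above. Run from an elevated PowerShell prompt so that
# the SYSTEM hive (HKEY_USERS\S-1-5-18) can be read.

$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Scope label -> registry path. The sync service runs as SYSTEM, the UI as the user.
$scopes = [ordered]@{
    'Current user (UI)'     = "Registry::HKEY_CURRENT_USER\$inet"
    'SYSTEM (sync service)' = "Registry::HKEY_USERS\S-1-5-18\$inet"
    'Machine (HKLM)'        = "Registry::HKEY_LOCAL_MACHINE\$inet"
}

function Get-ProxyView {
    # Hypothetical helper: returns the proxy-related values found under one hive.
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Path
    )
    $settings    = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $connections = Get-ItemProperty -Path "$Path\Connections" -ErrorAction SilentlyContinue
    $blob        = $connections.DefaultConnectionSettings

    [pscustomobject]@{
        Scope         = $Scope
        KeyPresent    = $null -ne $settings
        # Standard Internet Settings value names (assumption: not listed on the page).
        ProxyEnable   = $settings.ProxyEnable
        ProxyServer   = $settings.ProxyServer
        AutoConfigURL = $settings.AutoConfigURL
        # The page notes this binary value is what is actually used; only its size is reported.
        DefaultConnectionSettingsBytes = if ($null -ne $blob) { $blob.Length } else { 0 }
    }
}

# Machine-wide policy from the page: ProxySettingsPerUser = 0 under the HKLM policy key.
$policyPath = 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy     = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$perMachine = ($null -ne $policy) -and ($policy.ProxySettingsPerUser -eq 0)

$views = foreach ($entry in $scopes.GetEnumerator()) {
    Get-ProxyView -Scope $entry.Key -Path $entry.Value
}
$views | Format-List | Out-String
"Per-machine proxy policy (ProxySettingsPerUser = 0): $perMachine"

# Compare what the UI account and the service account would each pick up.
$user    = $views | Where-Object { $_.Scope -eq 'Current user (UI)' }
$system  = $views | Where-Object { $_.Scope -eq 'SYSTEM (sync service)' }
$differs = ($user.ProxyEnable   -ne $system.ProxyEnable) -or
           ($user.ProxyServer   -ne $system.ProxyServer) -or
           ($user.AutoConfigURL -ne $system.AutoConfigURL)

if ($perMachine) {
    'Proxy settings are per-machine: the HKLM values apply to every account, including SYSTEM.'
} elseif ($differs) {
    'MISMATCH: the current user and SYSTEM have different proxy values; the UI may connect while the sync service does not.'
} else {
    'The current user and SYSTEM show the same ProxyEnable, ProxyServer and AutoConfigURL values.'
}
```

Matching named values are only a first check, because the binary DefaultConnectionSettings value is not decoded here; confirm the result with the connectivity test run as both accounts.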

Per app settings (not recommended for long term solution, as updates will overwrite)

You need to edit the .config files located under:

C:\Program Files (x86)\LastPass AD Connector

Based on:

.NET Framework settings

Edit machine.config (

You can run this in powershell:


Which outputs this for .net 4:


Note, however, that this might change depending on whether .NET is running as 32-bit or 64-bit, which will result in \Framework\ or \Framework64\ respectively.

These were tested using Fiddler. No proxy server requiring authentication or "real" proxy server was tested.

If you have any problem with the connection to LastPass servers (or you find a "Server is not operational" message in the log), try the following:

Open Services and look for ADService. Right-click on it and select Properties.

In the next window, click on the Log On tab and select This account.

Here, provide the username and credentials of the user who is logged in on Windows. Then click Apply.



[accordion-item title="Syncing Group Settings" id="h4"]

In AD Connector you have the option to sync the user membership in different ways. You can find these options on the Sync tab.

The following examples explain how the user's group membership is processed, using this AD structure:

There are 3 groups : GROUP A, GROUP B and GROUP C.
GROUP A doesn't belong to any group. GROUP B is part of GROUP A. GROUP C is part of GROUP B, so it is also part of GROUP A.

There are 3 users: User 1, User 2 and User 3.
User 1 is in GROUP A directly. User 2 is in GROUP B directly and part of GROUP A through GROUP B. User 3 is in GROUP C and therefore part of GROUP B and also GROUP A.

In the AD it looks like this:

The group that is selected after clicking the Edit button on the Sync tab is GROUP A.

When selecting:

- Sync all group membership

If you select this option, the following will be sent to the LastPass site:

User 1 is part of GROUP A.
User 2 is part of GROUP A and GROUP B.
User 3 is part of GROUP A, GROUP B and GROUP C.

So GROUP A, GROUP B and GROUP C are created on the LastPass site.

- Use whitelist to filter groups

GROUP A is selected in the whitelist option.

If you select this option, the following will be sent to the LastPass site:

User 1 is part of GROUP A.

User 2 is part of GROUP B.

User 3 is not part of any group.

So in this case only GROUP A and GROUP B are created on the LastPass site.

- Sync only the groups specified in the Filter users section

If you select this option, the following will be sent to the LastPass site:

User 1 is part of GROUP A.

User 2 is not part of any group.

User 3 is not part of any group.

So in this case only GROUP A is created on the LastPass site.

- Do not sync group membership

If you select this option, the following will be sent to the LastPass site:

User 1 is not part of any group.

User 2 is not part of any group.

User 3 is not part of any group.

So no group is created on the LastPass site.

- Exclude Groups

In this section you can blacklist any group name by regular expression. If there is a match for the given regular expression, then the group and the groups in the group won't be sent to the LastPass site.

In our example:

If you select sync all group membership and enter the following regular expression in the textbox: GROUP A (in this case it's the exact name of GROUP A)

The following will be sent to the LastPass site:

User 1 is not part of any group.

User 2 is part of GROUP B.

User 3 is part of GROUP B and GROUP C.

So in this case only GROUP B and GROUP C are created on the LastPass site.


[accordion-item title="Debug" id="h5"]

The debug tab is where you go to troubleshoot your AD Sync issues.


Logging options: For troubleshooting you may need to increase log levels or space occupied by log files.

Clear Local Cache: The relevant parts of group and user data are cached locally. Under normal circumstances you are unlikely to need to delete these caches manually. If you had to restore your AD from a backup, the local cache should be cleared.


[accordion-item title="Migrating from the legacy AD/LDAP client to AD Connector" id="h6"]

If you have been running the LastPass AD/LDAP Sync Client, you can follow these steps to transition to the LastPass AD Connector client. With support for nested groups and whitelisting as well as enhanced performance, we recommend the use of our AD Connector for syncing with Active Directory.

To start the transition:

Log in to the LastPass AD Sync tool.

  1. Go to configuration and make sure you record the following (you could create a note in the LastPass vault):

    1. On the Connection tab, the options selected for "Connection Configuration", "Credentials" and "Base DN".

    2. On the Actions tab, all options selected.

    3. On the Sync tab, all the options (including the filter group name(s)).

  2. Next, make a backup of C:\ProgramData\LastPass folder, then delete this folder.

  3. Go to Control Panel\Programs\Programs and Features and uninstall the adsync tool.

  4. Install the new AD Connector with the MSI downloaded from the "Directory Integrations" tab in the LastPass admin dashboard.

  5. Log in to the AD Connector with the same LastPass account as you used in the previous AD Sync tool.

    1. On Connection tab, set the same "Connection Configuration", "Credentials" and "Base DN" options that you used previously.

    2. On Actions tab, select all the provisioning and de-provisioning options you used before.

    3. On Sync tab, check the first two options according to your selections in the previous AD sync client. To set the filter group, click on the Edit button where you will see the tree view of your AD group objects. Select the same group(s) specified in the previous AD sync client; you can select any or all groups you want to sync. Note that it is not a text field, so you cannot type or copy-paste the string here.

For user group membership, you have different options with AD Connector. See the explanation in the "Syncing Group Settings" section above.
If you want to sync additional attributes to LastPass for user accounts, you can type them explicitly in the last field, separated by commas.

As a last step, go to the Home tab and check the Enable sync checkbox, and synchronization of your AD will begin.

[accordion-item title="Active Directory FAQs" id="h7"]

Do I need a designated admin account used for AD Sync?

There is no need for such an account. You only need to enter your credentials in the LastPass AD Sync Configuration window to authenticate your right as an admin to modify the configuration. The actual syncing authentication takes place using a token that is handled separately. It is not bound in any way to the account you used to set up the configuration.

If I add a new person to my AD directory, how will that update in LP and how often does it check for changes? 

Once started, the AD sync client will register itself with your AD server.  When a change occurs, such as when a user is added, updated, or deleted, then the sync client will immediately re-check for changes.

If I had previous users not added via AD, what happens to those users?

Any previous users that were added (manually or via another provisioning tool) will be cross-checked with what is listed in AD. If the user is not listed in AD, the sync client will ignore the existing user. If the user is listed and there are any changes (e.g., disabled), the client will update the account in LastPass with the changes it finds in AD.

Can I manually sync, automatically sync AD, or both?

Both.  To automatically sync, simply leave the AD sync client running and it will detect changes and sync when needed.  To manually sync changes, simply start the AD sync client on an as-needed basis.

Does it work with other LDAP directories?

No, the beta client does not.  However, the legacy client does.

I have thousands of names in my AD, will it time out while sending to LastPass?

The AD sync client has been successfully tested with AD servers having more than 10,000 users.

If I have admin accounts built into our AD directory how do I make sure that they don't import into LastPass?

You can control what users are imported in two ways:

a) By specifying a sync filter within the AD sync client to include only certain groups.


b) By specifying within the AD sync client that users be added as 'pending' and then later having an admin manually approve users from within the Enterprise Administration dashboard.

How do I keep the name of the group from my AD directory in line with the LastPass groups?

On the AD sync client configuration screen, there is an option labeled 'Sync user groups from AD' that can be enabled.

AD provisioning didn't work, what do I do?

Find the debug log as indicated here and attach the log file to the ticket for us to investigate.

Do groups sync and work with Shared Folders, or just policies?

Yes, groups can be mapped to both Shared Folders and policies. When a new user is added to a group, all policies and folders already assigned to the group will be automatically assigned to the new user. The folder will become available to the new user as soon as there is login activity by another sharee.

Is any functionality of grouping lost when syncing them via AD?

No, the functionality is still available.

Does Active Directory Sync run as a service?

Yes. Once you set up and run the AD Connector client, it will run as a persistent service. If you restart your computer, the AD Sync client will automatically restart on reboot.

What exactly is accessed and how is it transferred?

Username, name, group membership, email and account status. This data is transferred via SSL to LastPass.

Will accounts created without AD sync be affected by the sync client?

No, accounts created via other means will not be synced with the client except for groups created by the AD.

The domain we log into is different than our email address. Will users be able to log into LastPass using their AD credentials?

No - we create accounts based on the value stored as their email address in AD.

How can I make sure AD passwords and LastPass master passwords are in sync?

See this FAQ here:

I'm having issues with the client, is there a debug I can send you?

Yes, you can. The client will generally produce a debug log automatically, which can be found by following the steps here.



LastPass Provisioning API

[accordion openfirst=false scroll=true clicktoclose=false]

LastPass exposes a public API that can be used by enterprise accounts to create users, deprovision users, and manage groups.

We are often asked about the difference between the AD Sync Client and the API. The main difference is that, unlike the API, the AD Sync Client requires no coding or integration. The API is more powerful, but requires some integration by you to avoid having to duplicate actions.

Out of the box, the AD Sync Client will automatically track changes to your AD/LDAP server (new user is added, existing user removed/disabled, user changes groups, etc.) and invoke appropriate actions for LastPass accounts. Similarly, if you delete or disable a user in your AD, the associated LastPass account will also be disabled. These functions are also supported using the API; however, they require integration on your part.

For a full list of the API details and instructions, please go to the:  Enterprise Console > Setup > Create New Users > LastPass Provisioning API option.

If you would like to use the API to automatically add users to shared folders, you will need to perform encryption operations yourself. Thus, you will need to know some things about the underlying encryption operations LastPass uses. They will be documented below.

[accordion-item title= "Adding a User" id="h1"]


The first step is adding the user. You must first choose the number of PBKDF2 iterations you plan to use. LastPass currently recommends 5000 as a balance between security and performance.

Once you have the username, password, and iterations you plan to use, you can first calculate the user's encryption key. It is generated using PBKDF2-HMAC-SHA256, using the username as the salt. Here is an example using the OpenSSL PKCS5_PBKDF2_HMAC() function (please note that the username and password should be UTF-8 encoded):

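#include <string.h>
#include <openssl/evp.h>

const char *username = ""; /* the user's LastPass username, UTF-8 encoded */
const char *password = "T5O89kkUMGYT";
int iterations = 5000;
unsigned char key[32];
/* PBKDF2-HMAC-SHA256 with the password as the secret and the username as the salt; returns 1 on success */
PKCS5_PBKDF2_HMAC(password, strlen(password), (const unsigned char *)username, strlen(username), iterations, EVP_sha256(), 32, key);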

If this function call succeeds, the user's encryption key will be present in the variable "key".

Now that you have the user's encryption key, you can use it to generate the user's password hash. This is the hash that's passed to the adduser API as parameter passwordhash. Here is an example, continuing from the above:

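unsigned char hash[32];
/* A single PBKDF2 iteration with the encryption key as the secret and the password as the salt */
PKCS5_PBKDF2_HMAC((const char *)key, 32, (const unsigned char *)password, strlen(password), 1, EVP_sha256(), 32, hash);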

If this function call succeeds, the user's password hash will be present in the variable "hash". Please note that you should hex-encode the hash before passing it to LastPass. Thus, passwordhash should always be 64 hexadecimal characters.
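The two derivations above combined into one function, written with Python's standard library so it runs without OpenSSL. This is an added example, not LastPass code: `derive_login_material` and `single_iteration_check` are hypothetical helper names, and the username is a constructed sample value.

```python
import hashlib
import hmac

KEY_LEN = 32  # bytes; the encryption key and the password hash are both 256-bit


def derive_login_material(username: str, password: str, iterations: int = 5000):
    """Return (encryption_key_bytes, passwordhash_hex) as described above.

    Hypothetical helper for illustration, not part of any LastPass SDK.
    """
    if iterations < 1:
        raise ValueError("iterations must be a positive integer")
    # Both inputs must be UTF-8 encoded before hashing. Encoding a non-ASCII
    # password as Latin-1 or UTF-16 instead would produce a different key.
    user_bytes = username.encode("utf-8")
    pass_bytes = password.encode("utf-8")

    # Step 1: encryption key = PBKDF2-HMAC-SHA256(secret=password, salt=username).
    # This key stays on the client; it is later used to encrypt the RSA private key.
    key = hashlib.pbkdf2_hmac("sha256", pass_bytes, user_bytes, iterations, KEY_LEN)

    # Step 2: password hash = one PBKDF2 iteration with the key as the secret
    # and the password as the salt.
    pw_hash = hashlib.pbkdf2_hmac("sha256", key, pass_bytes, 1, KEY_LEN)

    # Only the hex encoding of the hash is sent: always 64 hexadecimal characters.
    return key, pw_hash.hex()


def single_iteration_check(key: bytes, password: str) -> str:
    """Recompute step 2 with a bare HMAC.

    With one iteration and a 32-byte output, PBKDF2 reduces to its first block:
    HMAC-SHA256(key, salt || 0x00000001). This gives an independent cross-check
    when porting the derivation to another crypto library.
    """
    block_index = (1).to_bytes(4, "big")
    message = password.encode("utf-8") + block_index
    return hmac.new(key, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    key, passwordhash = derive_login_material("user@example.com", "T5O89kkUMGYT")
    print("passwordhash:", passwordhash)
    print("matches bare HMAC:", passwordhash == single_iteration_check(key, "T5O89kkUMGYT"))
```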


[accordion-item title= "Generating RSA Keys" id="h2"]


In order to immediately add the user to shared folders, you will also have to pass rsapublickey and rsaprivatekeyenc to the adduser command.

First, generate an RSA public/private key pair. This key must be 2048 bits.

Next, encode the public key in ASN.1 DER format. Then, hex-encode it. This is the value for rsapublickey that will be passed to LastPass. Click here to see an example of a valid rsapublickey.

Next, encode the private key in ASN.1 DER format. Then, hex-encode it. This is the value for rsaprivatekey that you will have to encrypt with the user's encryption key before passing it to LastPass. Click here to see an example of a valid rsaprivatekey.

Next, encrypt the rsaprivatekey using the user's encryption key. First, prepend "LastPassPrivateKey<" and append ">LastPassPrivateKey" to the rsaprivatekey. Then, encrypt via AES-CBC, using the first 16 characters of the user's encryption key as the IV. Pad via PKCS#7. Hex-encode the result to create rsaprivatekeyenc, which can then be passed to LastPass.

Once you have the passwordhash, rsapublickey, and rsaprivatekeyenc, you should be able to perform an adduser API call.


[accordion-item title= "Adding a User to a Shared Folder" id="h3"]


Now that you have created a user with valid RSA keys, you will be able to use the addusertosharedfolder API to add them to a shared folder.

First, retrieve the ID and encryption key for the shared folder you would like to add the user to. Click here to see these values for the shared folders you are in.

Next, you must encrypt the shared folder's encryption key with the user's RSA public key, first padding with OAEP. Hex-encode the result, which should end up being 512 hexadecimal bytes since you're using a 2048-bit RSA key. The result is what you should pass to LastPass as sharekey.

Next, you must encrypt the shared folder's name using the shared folder's encryption key. Be sure to encrypt the full name, including the "Shared-" prefix. For example, if your shared folder is named "LP", encrypt the string "Shared-LP". Use AES-ECB for this step, pad via PKCS#7, and base64-encode the result. The result is what you should pass to LastPass as sharename.

Once you have shareid, sharekey, and sharename, you should be able to perform an addusertosharedfolder API call.
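A pre-flight check for the encoded adduser and addusertosharedfolder parameters described in the sections above, catching encoding mistakes (wrong length, hex versus base64, missing "Shared-" prefix) before a call is made. This is an added example, not LastPass code; the function names are hypothetical and the sample values are constructed placeholders, not real keys or ciphertexts.

```python
import base64
import re

AES_BLOCK = 16                # AES block size in bytes (CBC and ECB alike)
RSA_2048_BYTES = 2048 // 8    # an RSA-2048 ciphertext is always 256 bytes
WRAPPER = len("LastPassPrivateKey<") + len(">LastPassPrivateKey")
_HEX = re.compile(r"[0-9a-fA-F]+")


def pkcs7_len(n: int) -> int:
    """Ciphertext length for n plaintext bytes: PKCS#7 always adds 1..16 bytes."""
    return (n // AES_BLOCK + 1) * AES_BLOCK


def _from_hex(name, value, errors):
    """Decode a hex parameter, recording an error instead of raising."""
    if not isinstance(value, str) or not _HEX.fullmatch(value) or len(value) % 2:
        errors.append(f"{name}: not an even-length hexadecimal string")
        return None
    return bytes.fromhex(value)


def _is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30, definite length)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next (first & 0x7f) bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == header + length


def check_adduser(params: dict) -> list:
    """Return a list of problems with the adduser key material (empty if none)."""
    errors = []
    pw = _from_hex("passwordhash", params.get("passwordhash"), errors)
    if pw is not None and len(pw) != 32:
        errors.append("passwordhash: must be 64 hexadecimal characters")
    pub = _from_hex("rsapublickey", params.get("rsapublickey"), errors)
    if pub is not None and not _is_der_sequence(pub):
        errors.append("rsapublickey: not a single DER SEQUENCE")
    enc = _from_hex("rsaprivatekeyenc", params.get("rsaprivatekeyenc"), errors)
    # The plaintext always contains the two wrapper strings, so the ciphertext
    # can never be shorter than their padded length.
    if enc is not None and (len(enc) % AES_BLOCK or len(enc) < pkcs7_len(WRAPPER)):
        errors.append("rsaprivatekeyenc: not a plausible AES-CBC/PKCS#7 ciphertext")
    return errors


def check_addusertosharedfolder(params: dict, folder_name: str) -> list:
    """Return a list of problems with sharekey/sharename (empty if none)."""
    errors = []
    key = _from_hex("sharekey", params.get("sharekey"), errors)
    if key is not None and len(key) != RSA_2048_BYTES:
        errors.append("sharekey: must be 512 hexadecimal characters")
    try:
        name = base64.b64decode(params.get("sharename") or "", validate=True)
    except (ValueError, TypeError):
        name = None
        errors.append("sharename: not valid base64")
    # The encrypted string is the full name, including the "Shared-" prefix.
    expected = pkcs7_len(len(("Shared-" + folder_name).encode("utf-8")))
    if name is not None and len(name) != expected:
        errors.append(f"sharename: expected {expected} ciphertext bytes")
    return errors


# Constructed placeholders with the right shape only.
SAMPLE_ADDUSER = {
    "passwordhash": "ab" * 32,
    "rsapublickey": (b"\x30\x82\x01\x22" + bytes(290)).hex(),
    "rsaprivatekeyenc": "00" * 2432,
}
SAMPLE_SHARE = {
    "shareid": "12345",
    "sharekey": "cd" * 256,
    "sharename": base64.b64encode(bytes(32)).decode(),  # folder "Engineering"
}

if __name__ == "__main__":
    print(check_adduser(SAMPLE_ADDUSER))
    print(check_addusertosharedfolder(SAMPLE_SHARE, "Engineering"))
```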




[accordion openfirst=true scroll=true clicktoclose=false]

Groups can be utilized to assign policies and/or Shared Folders. From the 'User Groups' sub-tab you are able to create user groups manually within LastPass Enterprise. Alternatively, for those that have elected to use the LastPass AD client, the client can be configured to sync user groups automatically from your active directory.

To manually create a new group simply hit Add Group and type in the name of the Group, for example, 'Executive Team' or 'Marketing'. Then simply type in the username of the appropriate employees, and hit 'Save'. Once the group has been saved, you can jump to either policies or Shared Folders, and assign either to the group accordingly.






Shared Folders

[accordion openfirst=false scroll=true clicktoclose=true]

A Shared Folder is a special folder in your vault that you can use to securely and easily share sites and notes with other people in your Enterprise. Changes to the Shared Folder are synchronized automatically to everyone with whom the folder has been shared. Different access controls – such as 'Hide Passwords' - can be set on a person-by-person basis or in the form of policies.  Shared Folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.

With Shared Folders:

[accordion-item title="Options for managing Shared Folders" color="Accent-Color" id="h2"]

Once a folder is created and populated by the folder Admin, there are three different ways in which the folder can be assigned out to additional users:

  1. The folder Admin assigns and manages the folder manually. In this scenario, from his/her vault the folder admin (for example, the division manager) can add and remove users, and edit user permissions on an individual by individual basis.

  2. Automate all folder assignments through the user group assignments in AD. The creator of the folder simply assigns the folder to the appropriate user group from the existing AD groups. Once this mapping is completed, the AD Sync Client will manage all user additions and removals for you based on any relevant changes in AD.

  3. Centralize the management function and have a dedicated person managing the groups manually through the Admin dashboard. In this case, the designated individual would need to be a LastPass Admin. Using the 'Groups' function in the Admin dashboard, the Admin could add and delete users to groups, which would then map back to the relevant Shared Folders. The creator of the folder simply assigns the folder to the appropriate user group.  In this scenario, you would typically publish the point of contact on your LastPass wiki page or internal FAQs so that users would know to whom they should direct a change request.


[accordion-item title="Limitations of Shared Folders" color="Accent-Color" id="h3"]

The current limitations of Shared Folders are:

** The Pre-Create Sharing Key policy functions by creating a random password, a random sharing key, encrypting the sharing key with the password, and emailing the password to the user. This information is then flushed from our servers. Users are then required to change this password immediately on their first login. It is less than perfectly secure as it requires you to trust us, so you are welcome to wait on creating sharing keys by having the user log into their account.

[accordion-item title="Create Shared Folders" color="Accent-Color" id="h4"]

There are two main ways to create a Shared Folder: 1) Create a new one from scratch, and 2) convert an existing Folder into a Shared Folder.
[tab title="Create a Shared Folder"]

  1. Navigate to the Manage Shared Folders tab in the Sharing Center.

  2. Click on Add Shared Folder.

  3. Give the Shared Folder a name and click Create.

[tab title="Convert to a Shared Folder"]

  1. Right click the folder you would like to convert to bring up more options.

  2. Choose Share in the list.

  3. In the resulting window, change or confirm the name of the Shared Folder.

  4. Click Create.

[accordion-item title="Edit Permissions" color="Accent-Color" id="h6"]

With each user or group, you have several additional choices regarding access, available via the radio buttons next to each user's name and when you initially add the user or group to the folder:

Once you have made these selections, hit ‘Share’ and the user will be added to the list of assigned users with the permissions that you designated.


Multiple Permissions


If a user is added to a Shared Folder multiple times via groups, the most restrictive permissions will apply to their access. If they are added multiple times but are also added to the Shared Folder individually, the permissions established from the individual share will be reflected. Below are tables to highlight different scenarios:

In each scenario, the user is a part of two groups: A and B.


Scenario 1:

User/User Group Can Administer Read-Only Hide Password
A Yes No No
B No Yes

Permissions = user can edit sites, view passwords but cannot add/edit users in the Shared Folder


Scenario 2:

User/User Group Can Administer Read-Only Hide Password
A No Yes Yes
B Yes No No

Permissions = user cannot edit sites, view passwords, or edit users in the Shared Folder.


Scenario 3:

User/User Group Can Administer Read-Only Hide Password
A No Yes Yes
B No No No Yes No

Permissions = user can edit/add users, edit sites, and view passwords. Note that in this scenario, the user's permissions ignore permissions made in groups A and B and only take into account permissions set for the user when they are added individually.
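The precedence rule above expressed as code, with a check that lists what an individual share grants beyond the user's groups. This is an added example, not LastPass's implementation: the `Grant` type and function names are hypothetical, the group values are those of Scenario 2, and the individual share is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    """One share entry on a Shared Folder (hypothetical model of the three settings)."""
    can_administer: bool
    read_only: bool
    hide_passwords: bool


def most_restrictive(grants: List[Grant]) -> Grant:
    """Combine group grants: a right survives only if every group allows it."""
    return Grant(
        can_administer=all(g.can_administer for g in grants),
        read_only=any(g.read_only for g in grants),
        hide_passwords=any(g.hide_passwords for g in grants),
    )


def effective_grant(group_grants: List[Grant],
                    individual: Optional[Grant] = None) -> Optional[Grant]:
    """An individual share wins outright; otherwise groups combine restrictively."""
    if individual is not None:
        return individual
    if not group_grants:
        return None  # no share at all: the user has no access to the folder
    return most_restrictive(group_grants)


def widened_by_individual_share(group_grants: List[Grant], individual: Grant) -> List[str]:
    """List the rights an individual share grants beyond what the groups allow.

    Useful when reviewing a folder: because the individual share ignores the
    group settings, it can silently lift a restriction set on a group.
    """
    if not group_grants:
        return []
    baseline = most_restrictive(group_grants)
    widened = []
    if individual.can_administer and not baseline.can_administer:
        widened.append("can_administer")
    if baseline.read_only and not individual.read_only:
        widened.append("can_edit")
    if baseline.hide_passwords and not individual.hide_passwords:
        widened.append("can_view_passwords")
    return widened


# Group settings from Scenario 2 above.
GROUP_A = Grant(can_administer=False, read_only=True, hide_passwords=True)
GROUP_B = Grant(can_administer=True, read_only=False, hide_passwords=False)
# Constructed individual share with full rights, matching the Scenario 3 outcome.
INDIVIDUAL = Grant(can_administer=True, read_only=False, hide_passwords=False)

if __name__ == "__main__":
    print(effective_grant([GROUP_A, GROUP_B]))
    print(effective_grant([GROUP_A, GROUP_B], INDIVIDUAL))
    print(widened_by_individual_share([GROUP_A, GROUP_B], INDIVIDUAL))
```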

[accordion-item title="Restrict and Remove" color="Accent-Color" id="h7"]

Next to each user’s name you will see the ‘Restrict’ and ‘Remove’ options.



Now that the folder has been created and is in your Vault, you can proceed to populate the folder with sites and Secure Notes via several methods:


[accordion-item title="Adding Users to Shared Folders" color="Accent-Color" id="h8"]

You can add users to Shared Folders using User Groups.   This is a quick and easy way to add pre-made groups of users to Shared Folders.  User groups are added to Shared Folders just like individuals; the groups are created in the Admin dashboard and available in the dropdown list of users when you create or edit a Shared Folder.  You can set 'Read-only', 'Hidden Passwords', and 'Can Administer' access once for the entire group.  You can also restrict what sites the group can view just like you can for an individual user.  When adding groups to Shared Folders, there are a few things to keep in mind to avoid conflicts:


Important note:


[accordion-item title="Active Directory Synced Groups and Shared Folders" color="Accent-Color" id="h9"]

You can use the LastPass Active Directory Synchronization Service to automatically provision and sync users and user groups from your Active Directory into your LastPass Enterprise. LastPass also recommends provisioning users with our simple LastPass Provisioning API.

Please see the video below to learn more about Enterprise Shared Folders: click here.

To view a brief screencast regarding the benefits and use cases for Shared Folders, click here. For complete video instructions, click here.


Shared Folders with Users Outside your Enterprise

[accordion openfirst=true scroll=true clicktoclose=true]

LastPass supports sharing Shared Folders with users outside of your Enterprise system.  You can share any Shared Folder with up to five users that are not in your Enterprise.  These users can be free, premium, or in another Enterprise.  The only limit is that the maximum of outside users that can be added per folder is five.

To add an outside user to a Shared Folder, do the following:

  1. Go to your Manage Shared Folders link in your Vault as you normally would.

  2. Type in the email address of the user you would like to add and click 'Share.'

  3. The outside user will appear in your list of users and the user will receive an email invitation to accept the shared folder.

  4. Once accepted, the user will be added to the Shared Folder.

  5. Restrict what sites they see and change permissions as appropriate.

If you run into the error:  "An Error occurred - Cannot retrieve any public keys. The user may need a sharing key to be created." This means that the user you are trying to share with does not have a sharing key. To obtain the sharing key, the user must log into the LastPass Extension at least once.



[accordion openfirst=false scroll=true clicktoclose=true]

LastPass offers extensive reporting to help you safeguard your organization's data and build compliance. Available in the admin dashboard, the Reports tab offers admins an audit trail that can also be exported and shared with key stakeholders as needed. Reporting includes:

[accordion-item title="User Activity" id="h1"]

The user activity tab provides a comprehensive log of every login event, update to passwords or usernames, completed forms, and deleted sites by your LastPass Enterprise users. The logs include attempted actions (like failed login attempts) and completed actions. The reports can be filtered by date range or by user, and can be exported to Excel for backup or sharing with others. There is a link on the page to a key explaining what each action designation means.

Reporting policies

By default, reporting events for individual sites will only show the site's domain (e.g. will only show as When reporting events for a secure note, the log will only show "Secure Note". By default, additional details such as the username are never sent to LastPass in an unencrypted format.

However, if your company needs additional levels of detail, the following policies can be enabled in the Policies tab in the admin dashboard:

If all 3 policies are enabled, the output would look like the following: ( (Customer Support Salesforce login) from Support Logins

[accordion-item title="Shared Folders Reporting" id="h2"]

This report offers a master view of every Shared Folder created under the Enterprise. You can click on the column headings to sort alphabetically or by user. You can drill down on each folder to see the particular sites and notes that are contained within, as well as all assigned users and the specific access rights granted to each (i.e., hidden or visible access to the credentials, admin rights, read-only/write).

This report is read only. To guarantee Admin access to every Shared Folder created within the enterprise - including the login credentials of the stored entries, you must enable the 'Super Admin - Shared Folders' policy.

[tabbed_section][tab title="Top Level View" id="t1"]


[tab title="Individual Shared Folder View" id="t2"]


[accordion-item title="Admin Activity" id="h3"]

The Admin Activity Report provides a detailed breakdown of all administrative actions taken via the Admin dashboard.

Report Functions

The full list of messages and their meanings can be found here.

[accordion-item title="Security Report" id="h4"]

The Security Report is a summary of various critical user statuses around which additional education or training may be warranted. These statuses include such criteria as 'inactive user', 'over 3 duplicate passwords' and 'over 5 weak passwords'.  You can set up which notifications you would like to see on this page under the Add Notifications link.   The goal of this report is to help optimize the use of LastPass among your end users to help improve the security of your company's digital assets. This report is your first line of defense in the campaign to educate users on the importance of good password hygiene, and how to get there.

The Security Report also syncs with the Notifications email templates, which are quick and easy email templates that can be programmed by the admin to dispatch automatically on a configurable time-frame.


[accordion-item title="Splunk Integration Reporting" id="h5"]

Take advantage of your existing Splunk account with the LastPass integration. With the Splunk integration in LastPass Enterprise it’s even easier for your IT team to collect data and manage reports in one central location -- your Splunk Cloud account. To take advantage of this integration, you need a running Splunk Cloud instance with a configured Data Input as HTTP Event Collector.

All available reporting events, such as logins, password changes, form fill attempts, etc. will be passed to Splunk Cloud, where you can then create custom reports using that data. This allows you to use the advanced functionality of Splunk to access and report on your LastPass Enterprise activity.

Once you have a Splunk Cloud account, you can set up the integration between LastPass and Splunk. To do so, log into your admin dashboard and click Setup from the left-hand menu, then select Splunk Integration. On that page, paste the URL and token for the Data Inputs (obtained from your Splunk account) into the designated fields.


The integration will take no more than 24 hours to complete, and it’s likely it will take much less time. Once the raw data is received into Splunk from LastPass, you will be able to create and define new reports using LastPass event data.



Login Reports

Shared Folders

Admin Events



[accordion openfirst=true scroll=true clicktoclose=false]

The Settings area of the Admin dashboard contains many of the tools that you will need to implement LastPass and control your users' actions.


[accordion openfirst=false scroll=true clicktoclose=true]

LastPass offers a number of configurable policies around security levels and password strength. Each policy can be applied to all users, or an inclusive or exclusive list of users. For example, you might elect to implement a policy that will prohibit the general workforce from exporting data, while your senior executives are exempt. There are a number of important policy options on this tab. You should consider them carefully. Click here for a full list of LastPass Enterprise policies (note you must be logged in with an active LastPass Enterprise account to view the list).

With over 100 policies available, finding the right balance for your organization is crucial. In a recent webinar, one of our Customer Success Managers shared her insider tips and best practices. Watch the recording here:

[accordion-item title="Adding Policies" id="h0"]

Click on the 'Add Policy' button in your Settings > Policies menu to create a new policy on your Enterprise Account (see screen shot below). Select your inclusive or exclusive group of users, or leave it blank, and fill in the 'Value' and 'Notes' fields where applicable. When you hit save, the policy is activated immediately:


Full list of policies

[accordion openfirst=false scroll=true clicktoclose=true]



Install Software

[accordion openfirst=false scroll=true clicktoclose=true]

LastPass Enterprise provides various installation options and parameters including:

Installing LastPass

  1. To install LastPass for your organization, go to the Install Software page in the Admin Dashboard. It can be found under Setting (

  2. Verify the configurations you need for the installation:

  3. Once the configuration has been identified, steps customized for your install will appear. For example, below are some of the steps for the configuration for a silent installation on Windows without Windows Login Integration:

[/accordion]


    LastPass Single Sign-on for Applications

    [accordion openfirst=false scroll=true clicktoclose=true]

    LastPass Single Sign-on allows you to utilize your LastPass account as the single sign on point for a growing number of domains and associated services.

    LastPass Single Sign-on uses SAML 2.0 to allow your employees to access their favorite services simply by being logged into LastPass.  Once logged into LastPass, and navigating to the service's URL,  the user will bypass the login screen altogether. The authentication will take place on the back end between LastPass (the Identity provider) and the desired application (the Service Provider). All access rights will be managed centrally by your LastPass Administrators through the Admin dashboard.

    ***Please note: Using SAML does not prevent you from logging into the same service using your previous username and password, which includes logging into the service using a mobile device.***

    [accordion-item title="Setting up SAML in LastPass Enterprise" color="Accent-Color" id="h1"]

    To set up SAML in LastPass Enterprise, first go to your Enterprise dashboard, and select the SSO entry in the menu along the left side of the dashboard. The heading should expand a drop-down menu with the options SAML, SAML Usermap, and SAML Provisioning.

    SAML: Select this to review pre-populated templates for many common SAML Service Providers, and to find the option to add a Custom Service for any other SAML 2.0 Service Provider that doesn't already have a template.

    SAML Usermap: Select this to add entries for users whose SAML service provider account's username is not the same as their LastPass account's username.

    SAML Provisioning: Select this to review the SAML services that currently support SAML-based provisioning.


    When setting up SAML, ensure that your users will no longer need to enter any other credentials after logging into LastPass. In some cases, they may need to go to a specific URL for an automatic login for the service to be possible. For example, while mapping SAML for Google app services, users may need to navigate to a specific URL on the domain. Setting up SAML will give you the specific URLs that you may need to use, depending on the service you're using. Once you have established which URL you need, you can push it to all users. To learn more about pushing a site to your users and pre-populating their Vaults, please see our specific Push Sites to Users page.

    After using the initial set up instructions, you can then go to the SAML usermap option for the particular app you're setting up.  From this page, you are able to map the application username to the LastPass usernames of your users:


    [accordion-item title="SAML Templates" color="Accent-Color" id="h2"]

    We are working to add additional templates for LastPass' SAML Identity Provider all the time. If you currently use a service that supports SAML 2.0, but that doesn't already have a template, you can add that service by creating a Custom Service. If you would like our team to add a template for that service, let us know by sending feedback through our support channels and we can add it to our list of templates.

    Adobe Sign GitLab PHPBB
    ADP Google Apps Onit
    Akamai GoToAssist Qubole
    Amazon Web Services GoToMeeting Replicon
    Asana GoToTraining Rescue by LogMeIn
    Box GoToWebinar Replicon
    Bugcrowd Jenkins RingCentral
    CenturyLink Jira SalesForce
    Certify Join.Me Samanage
    Cisco Meraki Joomla Servicenow
    Cisco Webex Kayako Shibboleth
    Citrix ShareFile Lessonly Slack
    CloudPassage LogMeIn Smartsheet
    Concur Lucidchart Splunk
    Confluence Mantis Bug Tracker Success Factors
    DocuSign MS Office 365 Uservoice
    Dropbox MoinMoin VictorOps
    Drupal NetSuite WordPress
    Egnyte New Relic Workday
    Expensify Onit Yammer
    Freshservice OpenVoice Zendesk
    GitHub Enterprise Pagerduty Zoho


    [accordion-item title="SAML Provisioning" color="Accent-Color" id="h3"]

    LastPass can automatically manage user accounts for some services. When a user first tries to log into a supported service through SAML, LastPass will create (provision) the account at the service provider. Likewise, when a user is deleted from the LastPass user database, LastPass can remove (deprovision) that account from the service, if the service supports it.

    These services support automatic SAML-based provisioning:

    • Amazon Web Services

    • Box

    • Confluence

    • Google Apps

    • Jira

    • Joomla

    • Salesforce

    • Slack

    • WordPress

    • Zendesk



    Advanced Options

    [accordion openfirst=true scroll=true clicktoclose=true]

    The Advanced Options section of the menu along the left side of the Admin dashboard contains advanced tools and options to further customize your Enterprise and user experience.

      • Push Sites to Users - This tool allows you to push sites or URLs into the LastPass accounts of one or more users within your company.

      • Provisioning API - Allows you to create new users, delete/disable existing users, manage user groups, push sites to users, pull reporting data, and view license utilization, via a simple REST web service interface.

      • Enterprise Options - Enable and manage options such as Equivalent Domains, Never URLs, and Only URL Rules for the Enterprise, as well as Splunk Integration, Enabling Multifactor Options, etc.

      • User Roles - Customize admin roles.

      • Trusted Mobile Devices - Allows Admins to enable or disable users' mobile devices, which allows or prevents those devices from logging in to the users' Enterprise accounts.

      • URL Rules - Where Admins can add URL rules for the Enterprise.


    User Roles

    [accordion openfirst=false scroll=true clicktoclose=true]

    From IT service companies to marketing agencies, businesses of all types need to ensure access to sensitive company data is secure and appropriate. With customizable, role-based permissions in LastPass, you can give users just the right level of access to do their job, and nothing more. Employees can be productive, while company data is more secure.

    LastPass includes four types of roles – users, helpdesk admin, admin, and super admin – each with specific functionality so you can give appropriate levels of access to LastPass. The helpdesk admin is a customizable role, so you can choose what is appropriate for IT helpdesk staff in your organization. For example, designate the helpdesk admin role to IT team members that handle day-to-day internal support tickets on passwords, without giving them access to all of the privileged information in your LastPass Enterprise account. Or, select key team members to be admins so they can set security policies and provision new users as needed.

    Overview of LastPass roles:


    User

    These are individual account holders – employees – who only have access to their personal vault and folders shared with them.

    • Access to their own vault

    • Feature usage and access limited by policies through LastPass

    Helpdesk Admin

    The least-privileged admin tasked with day-to-day management of LastPass and supporting employees with their IT questions.

    • Resend an invitation

    • Disable multifactor authentication

    • Require master password change

    • Kill a user’s sessions

    • Add or disable a user

    • Add or remove groups


    Admin

    These are your IT managers and team leads who have access to all areas of the admin dashboard so they can deploy, configure, and manage LastPass, including user provisioning, policy setting, and more. Be sure to protect admin LastPass accounts with MFA.

    All permissions of the helpdesk admin, plus:

    • Access to all areas of the admin dashboard

    • Enable or disable policies

    • Add or remove users

    Super Admin

    You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for crisis scenarios.

    All permissions of an admin, plus:

    • Master password reset on any user’s vault

    • Access to all shared folders across the company

    Configuring a custom admin

    LastPass Enterprise admins can create as many custom admin roles as needed.

    1. Launch the admin dashboard from the LastPass extension, the vault, or

    2. Under "Advanced Options", click "Roles".

    3. Designate a Name for the new role.

    4. Enter a description of the new role's purpose or permissions.

    5. Use the check boxes to select which permissions should be available to the new role.

    6. Click save.

    7. In the Users tab, assign the role to any new users as needed.


    Other Enterprise Options

    [accordion openfirst=false scroll=true clicktoclose=true]

    On the Policies tab of the Admin Dashboard, there are links to Manage Policies and to Other Enterprise Options.  Other Enterprise Options takes you to a page containing the Never URLs and Equivalent Domains options.

    [accordion-item title="Global Never URLs, Global Only URLs" id="h0"]

    Global Never URLs and Global Only URLs enable you to create whitelists and blacklists of URLs upon which you do or do not want LastPass to be enabled.

    If there is a certain, select group of URLs upon which you do not want LastPass prompts enabled, you should enter these domains under the 'Global Never URL' box.

    If you want to disable LastPass prompts altogether with the exception of just a select group of domains, then you should enter these domains under the 'Global Only URL' box. We do not recommend using Only URLs unless you have a very limited use case in mind.

    [accordion-item title="Creating Equivalent Domains" id="h1"]

    You can also create ‘equivalent domains’. Equivalent domains allow you to manage a single login for different domains that are related. An example is Google and YouTube. Since they are both owned by the same company, your login works on both sites. So rather than having the same login saved twice, you can have it saved for one and we will treat both domains equivalently.

    [accordion-item title="Master Passwords" id="h2"]

    Here you can view your user list and their master password change information, including the last time each user changed their master password. You can also log all users out of their current sessions (the destroy all sessions option) or require a password change on the users' next login.

    [accordion-item title="SAML Initialization" id="h3"]

    Here you can view your current SAML initialization status.

    [accordion-item title="DUO Security" id="h4"]

    This is where you would enter the necessary information from your DUO Security console home page into LastPass to enable DUO Security for your Enterprise's users.

    [accordion-item title="Splunk Integration" id="h5"]

    Here you can enter the Splunk Instance Token and URL to be used with Splunk Integration.

    [accordion-item title="RSA SecurID" id="h6"]

    The steps here assist you in setting up RSA SecurID authentication via RADIUS.

    [accordion-item title="Symantec VIP" id="h7"]

    This is where you provide LastPass with your certificate for Symantec VIP authentication.

    [accordion-item title="SecureAuth" id="h8"]

    This is where you provide LastPass with your SecureAuth application ID, application key, and realm.


    Push Sites to Users

    [accordion openfirst=false scroll=true clicktoclose=true]

    LastPass Enterprise Admins have the option to directly place a site in a user's vault through our Push Sites to Users feature.  This feature is helpful when you would like to pre-populate a site in a user's vault so the user will have this site automatically added to his or her Vault during their first login to LastPass.  Push Sites to Users is also helpful for pushing SAML-specific URLs for services you have linked to your Enterprise using LastPass SAML.

    Admins should note that Push Sites to Users is a much different feature than Shared Folders.  Push Sites to users places the site entry directly into a user's vault, rather than in a central folder accessible to all, as with Shared Folders.  Once pushed, a site cannot be removed from a user's vault by the Admin, as it is in the individual's vault like any other site entry the user may have saved.  When considering which sites to push to users, please remember that you cannot remove this site at a later time.

    Another unique aspect of Pushed Sites is that due to how the technology behind pushing sites works, any data you elect to push to your users is accessible on LastPass servers in unencrypted form until the data is pushed to a user.  Once pushed to a user, the data will leave the LastPass server and be encrypted in the user's individual vault.  This is NOT the case with Persistent Pushes, which will stay on the LastPass server until deactivated or deleted.  For more information on Persistent Pushes please see below.

    Please note that the user that is receiving the Pushed Site must log in using a browser extension at least once, to receive the Site. If the user logs into the Web Vault, the Site will not be pushed.

    [accordion-item title="How to push sites to your users" color="Accent-Color" id="h1"]

    To push sites to your users, first log in to your Enterprise Admin Console, and select the Advanced Options entry in the menu along the left side.  From there, you will see a sub-heading for Push Sites to Users.  After clicking the sub-heading, you will see a menu specifying the information to fill out when pushing sites to users:

    The first option you have when pushing sites to users is to upload a CSV file containing the relevant site and username data that you'd like to push.  To download a sample CSV and learn the format and information needed to do this, use the Sample CSV file provided on the menu.

    To manually add custom fields to a site pushed via CSV, you can follow this format:


    This will yield a text field with the name usernamefield and the value newuser, and a password field with the name pwfield and the value abc123

    The second option to use is to manually fill out the site data that you'd like to push to your users.  To do this, you need to fill out the following key information:

    1. User(s):  Select the User or User Groups you'd like to push the site to.  You can also select to push to All current and future users in the Enterprise, or all current and future members of a User Group.

    2. URL: The URL of the site entry that you'd like to push

    3. Name: The name you would like the site entry to have in the users' vaults

    4. Folder: The name of the folder you'd like this site to be added under in the users' vaults

    5. Username: The username the users will utilize to login to the site.  You can select to have this be the individual's full email address that is used as their LastPass account name, ONLY the username portion of their email, OR a custom username you manually enter

    6. Password: The password that will be used to login to the individual site

    7. Notes: Any notes that you would like to be entered into the notes portion of the site entry

    8. Favorite:  Designate whether or not you'd like this site to be marked as a Favorite in users' vaults

    Once you have filled out this relevant information, you can push the site to your user(s)! To receive the item, users must have logged out and back in via the plugin at least once.


    [accordion-item title="Persistent Site Pushes" color="Accent-Color" id="h2"]

    Persistent site pushes are when you have elected to push a site to a group of users or All users.  LastPass will keep this site information on our servers and push the Site to any new users that are added to the User Group or your Enterprise at large (in the case of the All option).  This will occur until you manually delete or deactivate the persistent push.  When you elect to use a persistent push, this means the data is accessible to LastPass.  Due to how pushing sites works, this data is not in its encrypted form when waiting to be pushed.  Only upon entering the Vault will the data become encrypted using the users' encryption keys. You can remove or delete persistent shares by viewing your previously pushed sites.


    [accordion-item title="Previously Pushed Sites" color="Accent-Color" id="h3"]

    At the top of the Push Sites to Users page is a link to view a log of previously pushed sites.  This link takes you to a view of ALL previously pushed sites.  This is where you can deactivate or remove persistent pushes.


    This page shows the name of the pushed site, which users or user groups it was pushed to, whether or not it was persistent, and whether or not the push is still active.  You can take three actions on this page regarding the previously pushed sites:

    1. Details: Viewing Details shows the individual users that had the site pushed to them.

    2. Deactivate: Selecting Deactivate prevents persistent pushes from being pushed to new users.  This effectively turns the persistent push "off."  Sites can be re-activated at a later time to be "re-pushed" to any new users that have been added since the push was deactivated.

    3. Delete:  This permanently deletes the pushed site from the system.  PLEASE NOTE: This will not remove the site entry from the individuals' vaults, but only the push from the LastPass servers.

    If you have any more questions on pushing sites to users, please contact our support team for more information.


    Multifactor Authentication

    [accordion openfirst=false scroll=true clicktoclose=false]

    Multifactor authentication refers to a device that can be enabled for use with your LastPass account and requires a second step before you can gain access to your account. You can set up Policies to require multifactor authentication for your Enterprise users. Multifactor authentication devices help protect your account from keyloggers and other threats - even if your Master Password were captured, someone would be unable to gain access to your account without this second form of authentication. LastPass offers several multifactor options for your Enterprise account, including:[wc_row][wc_column size="one-half" position="first"]

    LastPass Authenticator

    Google Authenticator


    Toopher Authentication


    Duo Security Authentication

    Sesame Multifactor Authentication


    RSA SecurID


    Yubikey Multifactor Authentication  


    Symantec VIP


    Transakt Authentication


    Terminating User Accounts from Your Enterprise

    [accordion openfirst=false scroll=true clicktoclose=true]

    There are several termination/removal options available to your LastPass Administrator. Please consider your options carefully prior to deleting or removing users. These actions can be performed from the Users tab in the Admin Console using the Actions column, or can be automated using Directory Integrations. There are three main termination options:

    [tab title="Disable User"]

    Disabling a user in your Enterprise puts a lock on the account. No one - not even your LastPass administrator - can log in to the account regardless of passwords or previous access.  Once disabled, the license will be available for reassignment.

    [tab title="Remove User From Company"]

    Removing a user from your Enterprise will disassociate (spin out) that user's account from your company account. With this action, all Shared Folder data will be revoked immediately. LastPass will also prompt if you would like to "Delete Shares" or "Do Not Delete Shares". Selecting to "Delete shares" will delete all sites within the account that have been shared to the user from other users in the Enterprise outside of Shared Folders. The account will otherwise still be fully available for use by this user, including all data that has been stored in the user's vault. Once removed, the license will be available for reassignment.

    [tab title="Delete User"]

    Deleting an account FULLY DELETES ALL CONTENTS in the account. Any data stored within the account will be gone forever. Once deleted, the license will be available for reassignment.


    ***Please note that all LastPass Enterprise licenses are transferable once an account is disabled, removed, or deleted.***

    [accordion-item title= "Resetting a User's Master Password" id="h4"]

    This option is only available if the Super Admin - Password Reset policy is in place. From the Admin Console, the Admin of the Enterprise can reset the master password on the account. This option can be leveraged under the following scenarios:

    (1) You would like to lock out the owner of the account, but still allow Admin access. This can be helpful for audit purposes, in order to update and/or terminate any credentials to which the end user had access.

    (2) If you would like to assign the entire account - with all of its contents - to another employee.

    [accordion-item title= "Important Considerations" id="h5"]

    • Ensuring that sites/tools are no longer accessible by the employee: If the account owner created any passwords in his vault, or if any credentials were shared visibly with him, then it is quite possible that he has stored this information elsewhere and could access these tools again in the future (outside of LastPass). In order to avoid any doubt, we therefore recommend updating all passwords when an employee account is terminated.

    • Once terminated (disabled, deleted or removed), any data that the account owner has placed in a Shared Folder will remain fully intact for remaining users.

    • In the case of Shared Folders, while you are never at risk of deleting the shared credentials, you are at risk of finding yourself with no remaining Admin on the folder (if the former account owner was the sole folder Admin). If this is a concern, you should consider enabling the ‘Super Admin – Shared Folders’ policy.

    • NONE of these actions will affect a Linked Personal Account, which is why we HIGHLY RECOMMEND users utilize the Linked Personal Account Tool rather than storing personal data in an Enterprise account.



    Duo Security

    [accordion openfirst=false scroll=true clicktoclose=true]

    LastPass supports multifactor authentication with Duo Security. It is a secure, two-factor authentication application offered for all leading smartphone platforms, including Android, iPhone, Blackberry, and Windows Phone. You can get Duo Security here:

    [accordion-item title="Set Up A New Application" id="h0"]

    1. In order to use Duo Security, a Duo account is required. Register for an account here:

    2. Login to your Duo account.

    3. In the left menu, choose Applications > Protect Application

    4. Search for LastPass in the list and click Protect this Application

    5. On the next page, you’ll find the following information: Integration key, Secret key, and API hostname. Note these values for later.

    6. Optionally set up additional settings such as Group policies and Username Normalization in the Duo Admin Console. Find all options here.


    [accordion-item title="Set Up DUO In LastPass Admin Console" id="h1"]

    Once you have finished setting up your new integration, then you will need to enter Duo Integration information in LastPass Admin Console.

    In Admin Console, click Advanced Options > Enterprise Options > Duo Security tab. Enter the required information here including the Value field and click Update.



    [accordion-item title="Enable Duo Security As End Users" id="h2"]

    Users will be prompted to enable Duo Security or select Duo Security as a multifactor authentication option when they log in to their LastPass accounts. Below is an example of the prompt to confirm Duo Security Username that users should see:


    Click Ok to proceed.  On the next page users will be prompted to enroll their devices:


    On the next page, click Start Setup button:



    You will then see another screen which will prompt you to choose which type of device you would like to enroll to use for two-factor authentication. Please note that LastPass currently only supports the enrolling of a single device:



    Select the type of device that you would like to enroll and then click the "Continue" button. You will then be given on-screen instructions on how to enroll each specific device. Once you have enrolled the device(s) that you would like to use for Duo authentication, you can then use it to authenticate you in the login process.


    [accordion-item title="Select Duo Push or SMS As End Users" id="h3"]

    After you finish enabling Duo Security, the next time you log in to LastPass you will be presented with the Duo Authentication Window after entering your login credentials.  This is when you can switch from Duo Push to authentication codes via SMS. In the window, click the "Next SMS password starts with 3 (send more)" link to have the codes sent to your registered device.



    If you wish to switch back to Duo Push, please contact your Enterprise Admins to have them disable Duo Security for your account in Admin Console > Users tab first. Then delete your registered device in Duo Admin Panel > Devices so you can start over.

    [accordion-item title="Switching Devices" id="h4"]


    If you have switched phones or Duo tokens, follow the steps below to set up your LastPass account with Duo again:

    • Disable Duo authentication for your LastPass account.

    • Have the Duo admin go to Duo Admin Panel > Users tab > click on your account and remove your phone number under Phones*.

    • Log into your LastPass account and re-enable Duo authentication. You will be prompted to enroll your device again.




    [accordion openfirst=true scroll=true clicktoclose=false]

    A YubiKey is a key-sized device that you can plug into your computer's USB slot to provide another layer of security when accessing your LastPass Account. YubiKeys are secure, easy-to-use two-factor authentication devices that are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors.

    YubiKey support is a Premium and Enterprise feature, and the device must be purchased through for $25.

    Up to 5 YubiKeys can be associated with one LastPass account.


    [accordion-item title= "Adding Your YubiKey" id="h1"]

    Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings and clicking on the 'Multifactor Options' tab > 'YubiKey' radio button:

    To add a new YubiKey to your LastPass account, insert the device into your USB port, click in the first empty YubiKey field, and lightly press your YubiKey on the grooved circle. You will need to enter your LastPass Master Password to save any updates you have made to your YubiKey settings.

    After the field is filled, you can specify your YubiKey preferences:

    YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you login to LastPass.

    Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled.

    Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since YubiKey OTPs cannot be validated, and only the static portion of the key is validated.

    To begin using your YubiKey, be sure that the 'YubiKey Authentication' field is marked as 'Enabled'.

    To save changes to your YubiKey preferences, click 'Update' before exiting the Account Settings dialog.

    To disassociate a YubiKey device from your LastPass account, simply clear the entire input field of all characters and click 'Update'.
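
    What Permit Offline Access changes, shown as an added example (not LastPass or Yubico code): it models the statement above that offline validation checks only the static portion of the key. The OTP layout (44 modhex characters, a 12-character public ID followed by a 32-character encrypted block) is Yubico's published format rather than something this page specifies; the sample OTPs are constructed, and `OnlineValidatorModel` is a hypothetical stand-in for a validation service.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
OTP_LENGTH = 44               # full Yubico OTP, in modhex characters
PUBLIC_ID_LENGTH = 12         # static prefix that identifies the key


def modhex_decode(text):
    """Decode a modhex string into bytes; raise ValueError if malformed."""
    if len(text) % 2:
        raise ValueError("modhex string must have an even length")
    try:
        nibbles = [MODHEX.index(ch) for ch in text]
    except ValueError:
        raise ValueError("character outside the modhex alphabet") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def split_otp(otp):
    """Return (public_id, encrypted_block) for a well-formed OTP string."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH:
        raise ValueError(f"expected {OTP_LENGTH} characters, got {len(otp)}")
    modhex_decode(otp)  # rejects any character outside the alphabet
    return otp[:PUBLIC_ID_LENGTH], modhex_decode(otp[PUBLIC_ID_LENGTH:])


def offline_accepts(otp, registered_public_id):
    """Offline check as the page describes it: only the static part is compared."""
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return False
    return hmac.compare_digest(public_id, registered_public_id)


class OnlineValidatorModel:
    """Simplified model of online validation (an assumption, not a real API).

    A real validation service decrypts the 16-byte block and compares the
    counters inside it. Here the effect is modelled by remembering every OTP
    already accepted, so a one-time password really is accepted only once.
    """

    def __init__(self, registered_public_id):
        self.registered_public_id = registered_public_id
        self._seen = set()

    def accepts(self, otp):
        if not offline_accepts(otp, self.registered_public_id):
            return False
        token = otp.strip().lower()
        if token in self._seen:
            return False  # already used once: rejected
        self._seen.add(token)
        return True


# Constructed sample values (not output from a real key).
SAMPLE_PUBLIC_ID = "cccccckdvvul"
SAMPLE_OTP_A = SAMPLE_PUBLIC_ID + "gjthkeguhfrdnhtk" * 2
SAMPLE_OTP_B = SAMPLE_PUBLIC_ID + "vbhtkdcrgjnlfeuc" * 2

if __name__ == "__main__":
    online = OnlineValidatorModel(SAMPLE_PUBLIC_ID)
    for label, otp in [("A", SAMPLE_OTP_A), ("A again", SAMPLE_OTP_A), ("B", SAMPLE_OTP_B)]:
        print(f"{label:8} offline={offline_accepts(otp, SAMPLE_PUBLIC_ID)} "
              f"online={online.accepts(otp)}")
```

    The second presentation of the same OTP passes the offline check but not the online model, which is the reason to leave Permit Offline Access disallowed unless offline use is required.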


    [accordion-item title= "Logging In with YubiKey" id="h2"]

    Now that you have enabled your YubiKey device, the next time you login to your LastPass account, you will be prompted to enter your YubiKey code. Simply click your LastPass Icon to login as normal, enter your email and Master Password, then submit. However, you will now be asked by LastPass to press your YubiKey device to enter the code:

    If you would like to leave YubiKey authentication enabled but do not want to enter it every time you login to a particular device, simply check the trusted computer option before swiping your YubiKey.


    [accordion-item title= "Administrating YubiKey in Enterprise" id="h3"]

    You can require Yubikey for your users via the 'Require use of YubiKey' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of YubiKey' from the dropdown menu:



    You can also restrict your users to only permit the use of a single YubiKey for their account via the "Only allow a single YubiKey per account" policy:


    [accordion-item title= "Using a VIP YubiKey with LastPass" id="h4"]

    The VIP-enabled YubiKey has two configuration slots. When the VIP-enabled YubiKey is shipped, its first configuration slot is factory programmed for Symantec VIP credentials. The second configuration slot is programmed with a standard Yubico OTP configuration that is dormant and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently, and each can be independently reconfigured into OTP or static password mode.

    If you touch and hold the YubiKey button for 1-3 seconds before releasing, the first configuration slot will emit the password (based on slot 1 configuration). If you touch and hold the YubiKey button for about 4-5 seconds before releasing, the second configuration slot will emit the password (based on slot 2 configuration). If you happen to touch and hold it for more than 5 seconds, the touch button indicator will flash rapidly without emitting any password.

    As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.

    To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:

    1. First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: under the section "Cross platform personalization tools". There are a number of  different installers for various operating systems – pick the installer for your operating system.

    2. Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.

    3. In the Cross-Platform Personalization Menu, open the "Settings" menu by clicking on the link “Update Settings” on the main page or the “Settings” option from the menu at the top.

    4. In the Settings menu, locate the Update Settings button in the lower right corner and click on it.

    5. The Update YubiKey Settings menu should be displayed. If this is not the case, confirm you have a VIP YubiKey with a firmware version of 2.3.0 or above.

    6. Locate the section labelled Configuration Slot and select Configuration Slot 2

    7. Locate the checkbox labelled Dormant and ensure the box is not checked

    8. Locate the Configuration Protection section, and open the menu labelled “YubiKey(s) unprotected – Keep it that way”. From this menu, select the option “YubiKey(s) protected – Keep it that way”.

    9. This will activate the “Current Access Code” field in the Configuration Protection section. Enter your VIP YubiKey’s current access code, which will be five 0s followed by the YubiKey’s serial number in Decimal format, as reported by the Personalization tool. For example: if your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”.

    10. Press the Button labelled “Update” to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.

    Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit the link below:


    [accordion-item title= "Video Tutorial for Using LastPass with YubiKey" id="h5"]

    [accordion-item title= "Video Tutorial for Using LastPass with YubiKey NEO" id="h6"]

    After you've registered the YubiKey with your LastPass account, ensure that mobile access is "disallowed" in your LastPass Icon > My LastPass Vault > Account Settings link > YubiKey tab.

    Now you can use the YubiKey NEO when logging in via the LastPass Android app, or use it as a normal YubiKey on your desktop.


    [accordion-item title= "YubiKey NEO with Windows Phone 8 App" id="h6"]

    The updated Windows Phone 8 app with Yubikey NEO support (for phones that have NFC) is now available in the Windows Phone store:

    Configuring the Yubikey NEO should be done the same way as for Android, shown above. You also have to set the "permit mobile device access" in your LastPass vault to "disallow" in order to enable prompting.


    A known issue is that when you touch the Yubikey NEO to the phone, the LastPass app will accept and verify the key, but the OS will open a dialog asking what to do with the URL, which you will have to ignore/cancel.  Hopefully Microsoft will fix this in a future release of the OS.




    LastPass Sesame

    LastPass Premium members can use an ordinary USB thumb drive as a second form of authentication when logging into their LastPass account. Having a physical second form of authentication will help further ensure that your account will remain safe because both your Master Password and your USB thumb drive are required to log in.

    [accordion openfirst=true scroll=true clicktoclose=true]
    [accordion-item title="Enabling Sesame" id="h0"]

    If you are already a Premium member, you can simply download Sesame onto your USB device and run the application.  You will see the empty Sesame dialog:


    On your first run, you will be prompted to activate the software by adding your LastPass login to the user list.  Then, you will be sent an e-mail asking you to confirm the registration of Sesame.

    By default, the email link will expire after 10 minutes to protect your security. If you click on the link and it says 'Link Expired', please re-send yourself the activation link and try again.

    Once activated, Sesame will create secure One Time Passwords (OTP) that are subsequently required to login. You have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.

    Like all our multi-factor authentication options, you can elect to enable or disable Mobile and Offline Access within the settings for your particular username in Sesame:


    If you lose your USB device, you can disable Sesame authentication by logging in to LastPass and using the link on the bottom of the Sesame screen.

    Sesame is a cross platform application that is available for Windows, Mac and Linux.


    Note for Linux users

    The USB device is mounted noexec, which prevents running executables from the drive. To fix, remount the device with the exec flag, for example by "sudo mount -o remount,exec <device> <mountpoint>".


    [accordion-item title="Administering Sesame in Enterprise" id="h1"]

    You can require Sesame for your users via the 'Require LastPass Sesame' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require LastPass Sesame' from the dropdown menu:



    RSA SecurID


    LastPass Enterprise supports RSA SecurID as a 2nd factor of authentication for user access to their LastPass Enterprise account. A second factor of authentication can protect your LastPass vault against replay-attacks, man-in-the-middle attacks, and a host of other threat vectors.

    [accordion openfirst=true scroll=true clicktoclose=true]
    [accordion-item title="Setting up RSA SecurID with LastPass Enterprise" id="h0"]

    Once enabled, the user will be prompted first for his/her LastPass Master Username and Password, and then for his/her RSA SecurID passcode. As with all of our multi-factor options, users will have the option to ‘trust’ certain devices to eliminate the 2nd factor prompt – striking the perfect balance between security and convenience. If you prefer to disable the Trust option, this can be done using the configurable LastPass Security Policies.


    [accordion-item title="Agent Host Configuration" id="h1"]

    To facilitate communication between LastPass Enterprise and the RSA Authentication Manager / RSA SecurID Appliance, an agent host record must be added to the RSA Authentication Manager database. The agent host record identifies LastPass Enterprise and contains information about communication and encryption.  Set the Agent Type to “Standard Agent” when adding the authentication agent.

    Since LastPass will be communicating with RSA Authentication Manager via RADIUS, a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console.

    The following information is required to create a RADIUS client:

    • Hostname

    • IP Addresses for network interfaces

    • RADIUS Secret

    Note: The RADIUS client’s hostname must resolve to the IP address specified.

    LastPass Enterprise employs a distributed architecture which encompasses many similarly configured servers.  As a result of this architecture, RSA Authentication Manager administrators will need to configure agent host records and/or RADIUS clients for each LastPass Enterprise server.  There are a few different methods for achieving this with varying amounts of administrative effort.  These options are:

    • Configure an agent host record and corresponding RADIUS client for each LastPass Enterprise server.

    • Configure an agent host record for each LastPass Enterprise server with a shared RADIUS client.

    • Configure a shared RADIUS client that does not use an agent host record. (Global change)

    Note: Refer to RSA Authentication Manager Administrators Guide for information on configuring shared RADIUS clients.
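The note above requires each RADIUS client's hostname to resolve to the IP address entered for it, and the distributed architecture means there is one record per LastPass Enterprise server to get right. The following preflight check is an added example, not LastPass or RSA code; the hostnames, addresses and function names are constructed for illustration, and `system_resolver` is the one to use against real records.

```python
import ipaddress
import socket

# Constructed inventory: hostname -> IP addresses to enter for that RADIUS client.
RADIUS_CLIENTS = {
    "lp-a.example.test": ["192.0.2.10"],
    "lp-b.example.test": ["192.0.2.99"],      # stale address
    "lp-c.example.test": ["2001:DB8::10"],    # same address, different spelling
    "lp-d.example.test": ["192.0.2.40"],      # no DNS record
}

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "lp-a.example.test": ["192.0.2.10"],
    "lp-b.example.test": ["192.0.2.20"],
    "lp-c.example.test": ["2001:db8::10"],
}

def constructed_resolver(hostname):
    if hostname not in CONSTRUCTED_DNS:
        raise OSError("name not known")
    return CONSTRUCTED_DNS[hostname]

def system_resolver(hostname):
    """Resolve with the OS resolver; use this against real records."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_UDP)
    return [info[4][0].split("%")[0] for info in infos]

def check_radius_clients(clients, resolver):
    """Return (hostname, problem) pairs for records that break the rule."""
    problems = []
    for hostname, configured in clients.items():
        try:
            resolved = {ipaddress.ip_address(a) for a in resolver(hostname)}
        except (OSError, ValueError) as exc:
            problems.append((hostname, f"does not resolve: {exc}"))
            continue
        for raw in configured:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                problems.append((hostname, f"{raw!r} is not an IP address"))
                continue
            if ip not in resolved:
                problems.append((hostname, f"{ip} is not in the DNS answer"))
    return problems

if __name__ == "__main__":
    print(check_radius_clients(RADIUS_CLIENTS, constructed_resolver))
```

Addresses are compared as parsed values, so an IPv6 address written in a different case or compression still matches its DNS answer.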

    [accordion-item title="Configuring RSA SecurID within the LastPass Admin Console" id="h2"]

    This section provides instructions for configuring LastPass Enterprise with RSA SecurID Authentication.  This document is not intended to suggest optimum installations or configurations.

    It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

    All LastPass Enterprise components must be installed and working prior to the integration.  Perform the necessary tests to confirm that this is true before proceeding.

    Configure LastPass Enterprise for RSA SecurID Authentication

    1. While logged into your LastPass Enterprise Admin Console, click on the Advanced Options link > Enterprise Options > RSA SecurID/RADIUS. You can also go directly to

    2. Enter the IP addresses of the RADIUS servers used by your RSA SecurID implementation, and enter the RADIUS shared secret as well.

    4. Click “Update” to save the values to your LastPass Enterprise account.

    5. Your users will now be able to enable RSA SecurID as a multifactor authentication option within Account Settings.


    [accordion-item title="End User Settings" id="h3"]

    Once the connection has been configured, your users can now enable RSA SecurID on their accounts by clicking on the LastPass Plug-in -> Preferences -> Account Settings -> Multifactor Options, and then selecting ‘RSA SecurID’. From this screen your employees can enable SecurID on their LastPass account.


    [accordion-item title="RSA SecurID Login Screens" id="h3"]

    Login screen:

    RSA Login Screen 1

    User-defined New PIN:

    RSA User Pin

    System-generated New PIN:

    RSA Sys Gen Pin

    Next Tokencode:

    RSA Next Tokencode

    [accordion-item title="Enforcing the Use of RSA by Your Employees through LastPass Policies" id="h4"]

    With LastPass Enterprise you can leave the 2nd factor decision up to your end users, or you can mandate its use with our configurable Security Policies. To access these policies, click on the LastPass Plug-in, select ‘Admin Console’ -> Settings -> Policies. Here are some policies that you might consider implementing relative to RSA SecurID:

    Require use of RSA SecurID

    Require use of RSA SecurID as a second factor of authentication when logging into LastPass. Click the 'enabled' box to enable this policy. RSA SecurID must be configured by the user.

    Require use of any multifactor option

    Require use of any multifactor option as a second factor of authentication when logging into LastPass. Click the 'enabled' box to enable this policy. YubiKey, LastPass Sesame, Google Authenticator, Toopher, Duo Security, Transakt, Salesforce#, and RSA SecurID are the currently available options.

    Restrict Multifactor Trust

    Restrict computers that can be trusted by IP address (learn more about 'trusted computers' here: You can enable this policy to allow users to skip second factor authentication from trusted locations (such as the office) but still require it from remote locations.

    Any of the aforementioned policies can be enabled across all users in the account, or based on some sub-set thereof.


    [accordion-item title="Certification Test Checklist for RSA Authentication Manager" id="h5"]

    Certification Test Checklist for RSA Authentication Manager

    RSA Cert Environment

    RSA SecurID Mandatory Functionality

    RSA SecurID Auth Mandatory Functionality


    [accordion openfirst=true scroll=true clicktoclose=false]
    ** Please note that due to the acquisition of Toopher by Salesforce, new users are no longer being accepted to use this feature. Current users can continue to use this feature as long as Salesforce continues to support it.


    LastPass supports multifactor authentication with Toopher. It is a secure, two-factor authentication application offered for all leading smartphone platforms, including Android, iPhone, and Windows Phone. You can get Toopher here:


    [accordion-item title= "Setting Up LastPass with Toopher" id="h0"]


    To install Toopher with LastPass please do the following:

    1. Download the Toopher App to your smartphone (for iOS from the Apple App Store, or for Android from the Google Play Store).

    2. Log in to your LastPass Vault.

    3. Select "Settings" (left sidebar).

    4. Then select "Multifactor Options" (fourth tab from the left on top).

    5. Here is where you will be able to switch over to Toopher by selecting the "Toopher" radio button at the top of the page.

    6. Once you have selected Toopher, you will be taken to a different screen. On the new screen, switch "Toopher Authentication" from "Disabled" to "Enabled". You will then be prompted to enter a 2-word “pairing phrase”. This pairing phrase is generated by the Toopher app on your mobile device (see next step).

    7. Open the Toopher App on your mobile device and select the "+" button in the top-right of the app screen. This will generate a 2-word pairing phrase. Back in the computer browser, enter this 2-word pairing phrase into the browser field and then select enter.

    You will receive a push notification on your phone that will prompt you to select allow or deny. Select allow; pairing is then complete and you have enabled Toopher with LastPass.

    If you choose, Toopher two-factor authentication for LastPass can be automated. That is, if you are on the same computer, in the same location, logging in to LastPass (the same site), you can tell your mobile device to automatically log you in next time. Simply slide the “automate when near here” slider to the right. Toopher will then automatically enable two factor authentication for you. This feature can be turned on or off whenever you wish.


    [accordion-item title= "Administrating Toopher in Enterprise" id="h1"]


    You can require access to Toopher for your users via the "Require use of Toopher" policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of Toopher' from the dropdown menu:



    Google Authenticator

    [accordion openfirst=true scroll=true clicktoclose=true]

    Google Authenticator is a multifactor app for mobile devices. It generates timed codes used during the 2-step verification process. To use Google Authenticator, install the Google Authenticator application on your mobile device.

    [accordion-item title="Installing Google Authenticator" id="h1"]

    If you would like to use Google Authenticator, please first ensure you're using the latest LastPass browser extensions and mobile clients everywhere. You will also need a supported mobile device to run the Google Authenticator application.

    Next, install the Google Authenticator application on your mobile device.  Google officially supports Android, iOS (iPhone, iPod Touch, or iPad), and BlackBerry devices.  You can follow the instructions here to install Google Authenticator onto these devices.

    For other devices:

    If you would like to run Google Authenticator on an Android device that doesn't have access to Google Play Store, you can install from here.

    If you would like to run Google Authenticator on your Windows Phone, Jamie Garside has developed Authenticator.

    If you would like to run Google Authenticator on your webOS device, Greg Stoll has developed GAuth.

    If you would like to run Google Authenticator on your Symbian device, or any device that supports Java ME, Rafael Beck has developed lwuitgauthj2me.  Alternatively, Rodrigo A. Diaz Leven has developed gauthj2me.

    [accordion-item title="Setting up Google Authenticator" id="h1"]

    Once you have the Google Authenticator application running on your mobile device, go to  Follow the instructions there to finish setting up Google Authenticator.

    You will be prompted to use a Bar Code scanning app (Androids, iPhones and supported devices with cameras) to scan your unique bar code, or you can manually enter the Google Authentication Key found on that setup page.


    After your LastPass account is registered within the Google Authenticator app, the next time you log in to LastPass on an untrusted device, you will receive the Google Authentication dialog:

    Go to your Google Authenticator App and input the current authentication code you see in the app into this dialog.  If the code expires before you have a chance to authenticate, simply use the next code that appears in the app.
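The timed codes described above follow RFC 6238 (TOTP) with Google Authenticator's defaults of HMAC-SHA1, a 30-second step and 6 digits, which is why an expired code is simply replaced by the next one. The following is an added example, not LastPass code: the key is the published RFC 6238 test key, and the `window` a verifier tolerates is an assumption for illustration, not LastPass's documented behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # Google Authenticator default code length

# RFC 6238 Appendix B test key ("12345678901234567890") in base32; not a real secret.
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, unix_time, window=1):
    """Return the step offset (-window..window) whose code matches, else None."""
    for offset in range(-window, window + 1):
        t = unix_time + offset * STEP_SECONDS
        if t < 0:
            continue
        expected = totp(secret_b32, t)
        # Constant-time comparison of the expected and submitted codes.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return offset
    return None

if __name__ == "__main__":
    # 1111111109 and 1111111111 fall on either side of a step boundary.
    print(totp(RFC_TEST_KEY, 1111111109), totp(RFC_TEST_KEY, 1111111111))
    # The previous step's code is accepted only because window=1 allows it.
    print(verify(RFC_TEST_KEY, totp(RFC_TEST_KEY, 1111111109), 1111111111))
```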


    [accordion-item title="Logging in Offline when Google Authenticator is Enabled" id="h1"]

    As with our other multifactor authentication options, you can choose whether to allow LastPass to store an encrypted vault locally so you can log in without an internet connection. If you enable offline access, you will be able to log in without using your Google Authenticator code in case of a connectivity issue.

    With some internet configurations (typically wireless connections and waking from sleep), LastPass may log in offline first before establishing connectivity to your online vault and prompting for your authenticator code. This may cause LastPass to AutoFill any login credentials you have saved in LastPass for the current page you are on. If you wish to disable offline access, you may do so in your Account Settings.


    [accordion-item title="Administrating Google Authenticator in Enterprise" id="h2"]

    You can require Google Authenticator for your users via the 'Require use of Google Authenticator' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of Google Authenticator' from the dropdown menu:


    Full List of Policies

    Multifactor Authentication

    LastPass for Applications

    [accordion openfirst=false scroll=true clicktoclose=false]

    LastPass for Applications is included by default with LastPass Enterprise.  This program allows you to store your application logins just like the browser plugin allows you to save your website login credentials. Benefits:

    • Fills in your application login data for you; allows you to stop using the 'Remember Password' function, which can often save passwords insecurely

    • When run as a tray application, LastPass for Applications has some preferences that are now possible, like logout on lock or screensaver

    • Can launch your applications

    Some applications will require a one-time training.  Applications, once trained, are trained for everyone in the enterprise.

    Click here for more information on LastPass for Applications.

