Lastpass for Azure Active Directory configuration

    Question

  • I have an existing Azure Active Directory that is being synced from our local Active Directory and have ADFS set up. We leverage LastPass very heavily for secure password storage. I want to access LastPass using local domain accounts and groups via Azure AD. I've installed the LastPass Azure AD add-on from the marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.lastpass …) but I have no idea what to do next. LastPass support directed me to contact Microsoft.

    Is there any published documentation on how to accomplish this?

    thanks!

    Friday, March 17, 2017 7:49 PM

All replies

  • Is your goal to do SSO with LastPass, or to SSO _to_ LastPass with accounts in your Azure AD tenant?

    If you just want to sign in to LastPass with accounts in Azure AD, that is what integrating it with Azure AD is all about.  

    If you want to somehow use LastPass to perform SSO to Azure AD integrated applications natively, that is not supported.  We have our own password SSO technologies that you can leverage for that.  https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps#password-single-sign-on 

    Let me know if that helps!

    Adam.


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Friday, March 17, 2017 8:56 PM
  • Hi Adam,

    My goal is to SSO to LastPass using accounts and hopefully groups in my Azure AD tenant. Still stumped on how to accomplish this though.

    darrin

    Monday, March 20, 2017 3:27 PM
  • Hey Darrin!

    Cool! I think the below might help you a bit. It starts from http://portal.azure.com -> Enterprise Applications, where you should already see LastPass in your list of "All Applications". If not, there are steps on how to add it below. Once you have added and configured it, the last step is to go to myapps.microsoft.com as a user to whom you have assigned the app, where they will be able to provide their own username and password for the app, or use one that you (as the admin) provided for them.

    Hope this helps!

    Adam.

    How to configure password single sign-on for an application

    To add an application from the Azure AD Gallery, follow the steps below:

    1. Open the Azure Portal and sign in as a Global Administrator or Co-admin

    2. Open the Azure Active Directory Extension by clicking More services at the bottom of the main left hand navigation menu.

    3. Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

    4. Click on Enterprise Applications from the Azure Active Directory left hand navigation menu.

    5. Click on the Add button at the top-right corner of the Enterprise Applications blade.

    6. Search for LastPass.

    7. Select Add.

    After a short period, you will be able to see the application’s configuration blade.

    Configure the application for password single sign-on

    To configure single sign-on for an application, follow the steps below:

    1. Open the Azure Portal and sign in as a Global Administrator or Co-admin.

    2. Open the Azure Active Directory Extension by clicking More services at the bottom of the main left hand navigation menu.

    3. Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

    4. Click on Enterprise Applications from the Azure Active Directory left hand navigation menu.

    5. Click on All Applications to view a list of all your applications.

      1. If you do not see the application you want show up here, use the Filter control at the top of the All Applications List and set the Show option to All Applications.
    6. Select the application you want to configure single sign-on for.

    7. Once the application loads, click on Single sign-on in the application’s left hand navigation menu.

    8. Select the mode Password-based Sign-on if it is not already selected.

    9. Assign users to the application.

    10. Additionally, you can also provide credentials on behalf of the user by selecting the rows of the users and clicking on Update Credentials and entering the username and password on behalf of the users. Otherwise, users will be prompted to enter the credentials themselves upon launch.

    Assign users to the application

    To assign one or more users to an application directly, follow the steps below:

    1. Open the Azure Portal and sign in as a Global Administrator.

    2. Open the Azure Active Directory Extension by clicking More services at the bottom of the main left hand navigation menu.

    3. Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

    4. Click on Enterprise Applications from the Azure Active Directory left hand navigation menu.

    5. Click on All Applications to view a list of all your applications.

      1. If you do not see the application you want show up here, use the Filter control at the top of the All Applications List and set the Show option to All Applications.
    6. Select the application you want to assign a user to from the list.

    7. Once the application loads, click on Users and Groups from the application’s left hand navigation menu.

    8. Click the Add button on top of the Users and Groups list to open the Add Assignment blade.

    9. Click on the Users and groups selector from the Add Assignment blade.

    10. Type in the full name or email address of the user you are interested in assigning into the Search by name or email address search box.

    11. Hover over the user in the list to reveal a checkbox. Click the checkbox next to the user’s profile photo or logo to add your user to the Selected list.

    12. Optional: If you would like to add more than one user, type in another full name or email address into the Search by name or email address search box, and click the checkbox to add this user to the Selected list.

    13. When you are finished selecting users, click on the Select button to add them to the list of users and groups to be assigned to the application.

    14. Optional: Click on the Select Role selector in the Add Assignment blade to select a role to assign to the users you have selected.

    15. Click the Assign button to assign the application to the selected users.

    After a short period, the users you have selected will be able to launch these applications in the Access Panel.

    How to find the app in your access panel and Install the Access Panel Browser extension

    To install the Access Panel Browser extension, follow the steps below:

    1. Open the Access Panel in one of the supported browsers and sign in as a user in your Azure AD.

    2. Click on a password-SSO application in the Access Panel.

    3. In the prompt asking to install the software, select Install Now.

    4. Based on your browser you will be directed to the download link. Add the extension to your browser.

    5. If your browser asks, select to either Enable or Allow the extension.

    6. Once installed, restart your browser session.

    7. Sign in to the Access Panel and see if you can launch your password-SSO applications.

    You may also download the extension for Chrome and Firefox from the direct links below:


    Troubleshooting the Access Panel

    Follow the Troubleshooting the Access Panel Extension for Internet Explorer guide to access a diagnostics tool and step-by-step instructions on configuring the extension for IE.

    If troubleshooting does not resolve the issue, please open a support ticket with the following information, if available:

    • Correlation error ID

    • UPN (user email address)

    • TenantID

    • Browser type

    • Time zone and time/timeframe during which the error occurs

    • Fiddler traces


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Monday, March 20, 2017 5:04 PM
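The same configuration as the portal steps in the reply above (find the LastPass gallery app, switch it to password-based sign-on, assign a group so that synced on-premises groups control who gets the app, then verify), done from PowerShell with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread, from Microsoft's documentation or from LastPass; it assumes the Microsoft.Graph module is installed, that the signed-in account can administer enterprise applications, and that a group named "LastPass Users" exists (a placeholder; replace with your own). Entering credentials on behalf of users (step 10 in the reply) is left to the portal.

```powershell
# Added example (not from the thread or the Microsoft docs it quotes).
# Assumes the Microsoft.Graph PowerShell module and an account that can
# administer enterprise applications. Group name below is a placeholder.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

# 1. Locate the LastPass enterprise application (its service principal).
#    If it was never added, instantiate it from the Azure AD gallery template.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'LastPass'"
if (-not $sp) {
    $template = Get-MgApplicationTemplate -Filter "displayName eq 'LastPass'" | Select-Object -First 1
    if (-not $template) { throw "LastPass gallery template not found" }
    $result = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $template.Id -DisplayName "LastPass"
    Start-Sleep -Seconds 20   # the new service principal takes a moment to become readable
    $sp = Get-MgServicePrincipal -ServicePrincipalId $result.ServicePrincipal.Id
}

# 2. Set the sign-on mode the portal calls "Password-based Sign-on".
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredSingleSignOnMode "password"

# 3. Assign a group instead of individual users. If the group is synced from
#    on-premises AD through Azure AD Connect, AD group membership then decides
#    who sees LastPass in the access panel.
$group = Get-MgGroup -Filter "displayName eq 'LastPass Users'"   # placeholder name
if (-not $group) { throw "Assignment group not found" }

# Gallery apps normally expose a default enabled app role; fall back to the
# all-zero GUID, which Azure AD accepts for apps that define no roles.
$roleId = ($sp.AppRoles | Where-Object { $_.IsEnabled } | Select-Object -First 1).Id
if (-not $roleId) { $roleId = [Guid]::Empty }

$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
}

# 4. Verify what the portal's "Single sign-on" and "Users and groups" blades would show.
Get-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -Property Id, DisplayName, PreferredSingleSignOnMode, AppRoleAssignmentRequired |
    Select-Object DisplayName, PreferredSingleSignOnMode, AppRoleAssignmentRequired

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Two things worth checking in the output: `PreferredSingleSignOnMode` should read `password`, and `AppRoleAssignmentRequired` should be `True`, otherwise every user in the tenant can launch the app regardless of the group assignment. Nothing here exchanges certificates or tokens with LastPass; password-based SSO only stores and replays the LastPass username and password through the access panel browser extension, which is why there is no corresponding setting on the LastPass side.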
  • Hey Adam,

    Thank you for that info! 

    I tried the exact same thing and followed your directions. When I open LastPass from my applications, it takes me to account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx.......... and then it just hangs. I contacted LastPass and they told me that they don't provide any support for this, and that this is something that Microsoft developed. I'm not sure I understand that. I can still log in to my LastPass console using my original LastPass credentials and I see no setting in there to exchange any certs or tokens, so I'm really not understanding how the connection between my specific LastPass account and Azure AD is made.

    Any insight would be very helpful. 

    Thank you!

    Friday, June 02, 2017 12:03 AM
  • Hey Darrin, 

    Did you get this to work ?

    --Mike

    Friday, June 02, 2017 12:45 AM
  • Mike and I are discussing offline, but for other folks, the instructions below might help.

    Please also see our new troubleshooting documentation, available here, that can help with issues like these (that's where these links come from): http://aka.ms/troubleshoot-apps 

    You can also get to this troubleshooting guidance from aad.portal.azure.com by going to Enterprise Apps -> Troubleshoot nav item at the bottom of the left hand side of the screen. It's the same content as the link above.

    Can you please try the steps in this troubleshooting article?  https://docs.microsoft.com/en-us/azure/active-directory/application-config-sso-problem-configure-password-sso-gallery?/?WT.mc_id=DMC_AAD_Manage_Apps_Troubleshooting_Nav

    If those don’t work – try the steps here, and try the “manual capture” feature - https://docs.microsoft.com/en-us/azure/active-directory/application-config-sso-problem-configure-password-sso-non-gallery?/?WT.mc_id=DMC_AAD_Manage_Apps_Troubleshooting_Nav

    Specifically, this step might be useful.

    If the manual capture process seems to hang, or the sign-in page doesn’t do anything (case 3 above), try the manual capture process again. But this time, after completing the process, press the F12 button to open your browser’s developer tools. Once there, open the console and type window.location="<enter the sign in url you specified when configuring the app>" and then press Enter. This forces a page redirect, which ends the capture process and stores the fields that have been captured.


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Friday, June 02, 2017 3:05 PM