LastPass Enterprise

Popular on the consumer side, this entry is really only for very basic business instances

3.0 Good

Bottom Line

LastPass Enterprise has grown some in the last couple of years and is now a real viable option for small businesses looking for an easy solution to cloud authentication. Businesses with heightened security requirements may need to look elsewhere, though.
  • Pros

    • Low cost in terms of implementation and management
    • Password vaulting feature an easy way to get started managing identities
    • Active Directory connector is among the easiest to get running
  • Cons

    • No support for LDAP directories
    • Very basic, lacks most enterprise features
    • Password vaulting isn’t a viable option for many businesses

LastPass Enterprise Specs

Authentication to On-Premises Apps
Directory Connector
Multiple Directory Integration
Multiple SSO Policies
Password Sync
Report Library
SaaS Provisioning
Third-Party MDM Integration
Third-Party Multifactor Providers
User Self-Service
User-Customizable SSO Portal

LastPass is a big name in the password vault arena, so it only makes sense it would have an identity management (IDM) solution for enterprises. LastPass Enterprise (which begins at $48 per user per year, double the starting price from when we first reviewed it two years ago) compares well on paper to other IDM services, offering features such as multifactor authentication (MFA) and multiple security policies. Unfortunately, even with the improvements the company has made within the last two years, LastPass Enterprise is still rough around the edges. It supports automated user provisioning for only a handful of Software-as-a-Service (SaaS) applications, offers minimal flexibility when synchronizing with your Active Directory (AD) user accounts, and overall is substandard in its management tools and interface elements. All around, other than for small businesses looking for a quick security upgrade, it's difficult to recommend LastPass Enterprise over our Editors' Choice winners in this category: Microsoft Azure Active Directory (Azure AD), Okta Identity Management, and most recently, Centrify.

Setup and Configuration

Since our last review, we found that LastPass' AD sync client is much improved. Though at the time of this writing the software agent holds only a beta designation, LastPass is encouraging users to begin using it in production immediately. That's mainly because it now offers things like proper handling of nested group memberships, the lack of which was a serious drawback in the previous version. Like much of its competition, including all our Editors' Choice winners as well as Bitium, LastPass uses the sync client to import users and security groups into your LastPass Enterprise account. Installation of the sync client is fairly cut-and-dried, and once that's completed, you can begin configuring the Active Directory.

Another option LastPass Enterprise offers as an alternative to their AD sync client is an installation of their standard client software, configured to integrate with the normal Windows log-on process. In this case, individual computers will communicate with your LastPass Enterprise account to perform account creations when a user logs on to their computer. The clear downside to this method is that security groups aren't synchronized up to LastPass Enterprise, requiring manual group management within the service. While this method isn't optimal, it does offer an alternative to an AD-based agent and is a unique offering in the IDaaS space.

Directory Integration

The AD sync client offers a number of configuration options including the ability to target a domain controller from another host. It also includes directory options such as the base Distinguished Name (DN) [effectively the path to a Lightweight Directory Access Protocol (LDAP) object] to use as well as several policy type options such as how to handle disabled accounts or group membership changes. LastPass Enterprise synchronizes both users and security groups from AD, allowing for application assignments and security policies to be applied at either level. From an admin perspective, you do have some control over what happens when users are added to synchronized groups (or removed). Options include sending the user an invite or simply enabling their account, or in the case of removal, simply suspending or fully deleting the LastPass account.

Overall, LastPass Enterprise doesn't offer the same level of sophistication as the other competitors I reviewed in terms of managing what attributes are synchronized from your existing directory, and that hasn't changed in the two years since I first reviewed the product. The AD sync client now offers the ability to enable custom attributes, but it involves providing a comma-separated list of values, and doesn't offer a graphical way of selecting which attributes you want to synchronize. There's also no way to view which attributes are already selected. LastPass Enterprise is going to need to step things up in their AD connectivity options if they want to be a serious player in this arena.

A lack of features that meet the needs of large businesses will continue to be a theme throughout this review. For example, large businesses sometimes have multiple Active Directory domains, or even other directory types. Only a few of the IDMs we've reviewed handle this well, most notably Okta and Optimal IdM, though most at least offer the ability to connect to multiple identity sources simultaneously. Another limitation for big organizations is that LastPass Enterprise doesn't support any consumer identity sources, like Facebook, Google, or LinkedIn. Consumer IDM is typically used to provide easy access to customer-facing applications because it lets users leverage their existing social media account credentials when authenticating to your app or service. In both cases these are shortcomings that will only be felt by companies with specific needs, but they are features that heavyweights in the category make a point of handling well.

Automated user provisioning in SaaS applications is supported in LastPass Enterprise, but the number of supported services tops out at ten, which is anemic compared to the number found in Editors' Choice winner Okta Identity Management. You'll find support for some popular cloud applications, including Salesforce, Google G Suite, Jira Service Desk, and Zendesk, but strangely, small business staples Office 365 and Dropbox are notably absent. For companies intending to roll out single sign-on (SSO) in order to streamline provisioning and security of SaaS apps throughout their enterprise, this lack of direct provisioning support could be a deal breaker.

Single Sign-On

Easily one of the biggest areas of improvement since our last go-round with LastPass Enterprise is the SSO portal. In our previous review we noted how the tree view that basically comprised the SSO portal was clunky and not at all intuitive for users. Now the portal has become a mirror of the one in the LastPass consumer version, which is clean and efficient. That's not to say that the portal is fully on par with the heavyweights, however. For one, there are some features missing, like customized branding, but in our opinion that's a low priority compared to security and usability of the service.

LastPass offers a number of customer-facing software tools in addition to the browser-based SSO portal. Browser plugins are the most obvious, providing prompts to use or add saved credentials. LastPass also offers integration with the Windows desktop, including the ability to authenticate into applications such as a VPN client or a remote access session. Enterprise administrators have the ability to customize an installer that can be used to push the appropriate software to client workstations using a number of different methods.

Assigning apps to users is similar to what you'll find in other identity management systems. You'll need to configure the SAML connection to a SaaS application, typically in LastPass Enterprise and then on the application or service side. That involves defining which groups should have access to the service. Additionally, there's a menu item under Advanced Options that allows you to push sites to users and those sites will then populate the user's LastPass vault. Site pushes can be configured as persistent, which results in new group members automatically receiving the app assignment.

One additional capability that LastPass offers in its consumer-oriented service that's now also available in LastPass Enterprise is shared folders. Shared folders operate differently than simply pushing sites to users. For example, any user can create a shared folder, and folders can be shared out to individual users or to an AD group. New group members will also gain access to the shared folder when they're added to the group. Just as shared folders can be created by any user, they can also be managed or administered by any user. Several permission levels can be assigned in order to regulate who can add items to a folder, or who can manage permissions for other users. This is an ideal solution for delegated administration of non-critical apps that don't require the same level of security or control at an enterprise level.

Two strengths that LastPass Enterprise holds over the majority of the competition involve security. Multifactor authentication (MFA) is a key feature of the SSO space but is typically only offered at higher-priced tiers in competing products. Additionally, LastPass Enterprise supports a wide range of multifactor providers including Duo Security, Google Authenticator, LastPass Sesame, RSA SecurID, Toopher, YubiKey, and several more. One of the newest additions is LastPass Authenticator, which has the additional benefit of sending push notifications to your mobile device, which then ask you to confirm the authentication. Perhaps the best part of the MFA options is that administrators have lots of flexibility in assigning it. They can require MFA across the organization or to a specific set of users or simply allow users to enable MFA if they want the extra protection.

The second big strength LastPass Enterprise has is a vast array of security profiles that can be applied to individual users or to groups. Security policies can manage everything from multifactor requirements to password complexity requirements to blocking use from Tor exit nodes or other IP address ranges. Individual policies typically consist of a check box or a text field as well as the option to limit the scope of the policy to specific users or groups. I wouldn't complain if the interface used to manage these policies was revamped a bit, but the amount of control you can get over authentication using these policies is very good compared to LastPass' competition, second only to options like Azure AD's ability to offer machine learning (ML) functionality.

Another advantage LastPass Enterprise offers to users is a personal password vault. While other IDaaS options allow users to store account information for personal accounts in their SSO dashboard, LastPass Enterprise is the only contender that is competitive in the personal password vault arena. Existing LastPass Enterprise users can even link up their personal LastPass account with their corporate vault.

Weak Reporting

The weakest aspect of LastPass Enterprise may be its reporting tool. Little more than an event log, the LastPass Enterprise reporting function allows you to search and sort events in order to find a specific entry or you can export the list to Excel for a more thorough analysis. LastPass also exposes their reporting data through a REST application programming interface (REST API).

One redeeming quality that LastPass Enterprise has added since our last review is its Splunk integration. This feature uses an HTTP event collector in the Splunk Cloud to interface with your LastPass Enterprise instance, extracting events and incorporating them into your corporate logging solution. You can go a little more low-tech by simply configuring administrative email notifications, which is doable for over 15 event types. Or you can manage notification limits (how many emails are sent over a period of time) or simply view upcoming and past notifications.

LastPass Enterprise subscriptions are annual rather than monthly, and start at $48 per user for 100 users or fewer. Corporations with more than 100 users receive a discount of $8 per user (down to $40 per year), and those with more than 1500 users receive an additional $10 per user off per year ($30). LastPass also offers site licensing for enterprise customers with a large number of users, a solution that lets you pay a flat annual fee and also gets you custom levels of security.

Overall, LastPass Enterprise is still a bit disappointing in our latest review when compared to its competition, and that's due to several issues. First is its very limited support for automated user provisioning, which we feel is a critical feature for IDaaS solutions. Additionally, it still lacks key features for AD synchronization, including the ability to source from multiple directories, which is a key shortfall. Still, many of our issues with LastPass Enterprise as a platform are generally more of an issue for larger businesses, meaning small businesses might be just fine using LastPass Enterprise as their IDM of choice. But be sure to evaluate it carefully and make sure it's right for your organization before purchasing.

About Tim Ferrill