Summary and recommendation
LastPass user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
LastPass Business gives admins a centralized console at https://admin.lastpass.com to manage users, groups, shared folders, policies, and SSO apps. User lifecycle (invite, deactivate, delete) is handled under Admin Console > Users.
Every app in your stack that relies on shared credentials or SSO assignments flows through this single control plane, so keeping it accurate matters for both security and access continuity.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Admin Console > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Business |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Super Admin | Full access to all Admin Console features: manage all users, groups, shared folders, policies, SSO apps, MFA settings, billing, and other admins. Cannot be restricted by policies. | Cannot access individual user vaults without explicit Super Admin vault re-encryption key setup; cannot be demoted by a lower-level admin. | Teams or Business | Counts as a licensed seat | Only one Super Admin role exists per account by default; losing access to the Super Admin account can lock out the entire organization. |
| Admin | Can manage users, groups, shared folders, and apply policies. Scope can be limited to specific groups. Can invite, deactivate, and remove users. | Cannot manage billing, cannot promote other users to Super Admin, cannot modify Super Admin settings. | Business | Counts as a licensed seat | Admin permissions can be scoped to specific groups only on Business plan; on Teams, all admins have org-wide scope. |
| Help Desk Admin | Can reset master passwords, unlock accounts, and manage MFA for end users. Limited to user support tasks. | Cannot manage policies, shared folders, SSO apps, billing, or promote/demote other admins. | Business | Counts as a licensed seat | Help Desk Admins can reset master passwords, which is a sensitive privilege; should be assigned carefully. |
| Standard User | Access to personal vault, shared folders they have been granted access to, and SSO apps assigned to them. | Cannot access Admin Console, cannot manage other users or policies. | Teams or Business | Counts as a licensed seat | Users must accept the email invitation and create/log in to their LastPass account before the seat is considered active. |
Permission model
- Model type: role-based
- Description: LastPass uses a fixed set of admin roles (Super Admin, Admin, Help Desk Admin) combined with group-scoped admin delegation on Business plans. Policies are applied at the org or group level to control user behavior (e.g., MFA requirements, password rules). There are no fully custom roles with arbitrary permission combinations.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level granularity for admin functions; policy-level granularity for end-user behavior controls. Admin scope can be restricted to specific groups on Business plan.
How to add users
- Log in to the Admin Console at https://admin.lastpass.com.
- Navigate to Users in the left-hand menu.
- Click 'Invite Users' (or 'Add Users').
- Enter the user's email address in the invitation field.
- Optionally assign the user to one or more Groups.
- Click 'Send Invitation'.
- The user receives an email invitation and must click the link to activate their account and set up their master password (or use federated login if configured).
Required fields: Email address
Watch out for:
- Depending on plan billing terms, the seat is consumed as soon as the invitation is sent, not when the user accepts it. Verify with LastPass billing documentation for your specific plan.
- Users invited via email must create a LastPass master password unless federated login (SSO) is configured; without federated login, LastPass cannot recover a forgotten master password.
- If the user already has a personal LastPass account with the same email, they will be prompted to link or convert it to the business account.
- Invitation emails can land in spam; admins may need to whitelist lastpass.com sending domains.
- New users appear in 'Pending' status until they accept the invitation and complete account setup.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin Console > Users > Import Users > CSV Upload. Required CSV columns: email. Optional columns: first name, last name, group assignments. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Business (requires Advanced SSO add-on or native directory integration; SCIM provisioning available on Business plan with SSO configured) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: LastPass supports both deactivation and permanent deletion. Deactivating a user suspends their access to the LastPass account and shared folders but retains their user record and vault data in the admin view. Deleting a user permanently removes them from the organization. Admins can also choose to 'Remove' a user, which removes them from the company account; the user's personal vault data may be retained in a personal account if they choose to convert it, or it is deleted if they do not.
- Log in to the Admin Console at https://admin.lastpass.com.
- Navigate to Users.
- Locate the user by searching their name or email.
- Click the user's name or the action menu (three dots) next to their entry.
- Select 'Deactivate User' to suspend access without deleting the account, OR select 'Delete User' / 'Remove User' to permanently remove them.
- Confirm the action in the dialog prompt.
- If deleting, choose whether to transfer shared folder ownership or remove the user's access to shared folders.
| Data impact | Behavior |
|---|---|
| Owned records | Personal vault items owned solely by the user are not accessible to admins by default (zero-knowledge architecture). Upon deletion, personal vault data is permanently lost unless the user exported it beforehand or Super Admin vault re-encryption was configured. |
| Shared content | The user is removed from all shared folders they were a member of. Items in shared folders remain accessible to other members. If the user was the sole owner of a shared folder, the Super Admin should transfer ownership before deletion. |
| Integrations | SSO app assignments and MFA configurations tied to the user are removed. If SCIM provisioning is active, deprovisioning via the IdP will trigger deactivation in LastPass automatically. |
| License freed | The seat is freed and becomes available for reassignment once the user is deactivated or deleted. |
Watch out for:
- Deactivation does not immediately invalidate active browser extension sessions; the user's session may persist until the extension checks in with the server or the session token expires.
- If federated login is not configured, LastPass cannot force-logout a user who has the vault cached locally in the browser extension.
- Personal vault data is encrypted with the user's master password (zero-knowledge); admins cannot export or recover it after deletion unless Super Admin re-encryption keys were set up in advance.
- Shared folder ownership must be manually transferred before deleting a user who owns shared folders, or those folders may become inaccessible.
- Deprovisioning via SCIM/IdP deactivates the user in LastPass but does not automatically delete them; a separate deletion step may be required in the Admin Console.
- Users removed from the organization may retain access to a personal LastPass account if they convert their vault - this personal account is outside admin control.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Business User Seat | Full vault access, unlimited passwords, shared folders, SSO app access (with Advanced SSO add-on), MFA, directory integration, admin console access (for admins) | $7/user/month (Business plan) |
| Teams User Seat | Full vault access, unlimited passwords, shared folders, basic admin console, up to 50 users maximum | $4/user/month (Teams plan) |
- Where to check usage: Admin Console (https://admin.lastpass.com) > Dashboard shows total licensed seats, active users, and pending invitations. Detailed usage visible under Users > filter by status (Active, Pending, Deactivated).
- How to identify unused seats: Filter the Users list by 'Pending' status to identify users who have been invited but never activated their account. Filter by 'Last Login' date (if available in reporting) to identify users in Active status who are no longer logging in. Deactivated users do not consume a seat.
- Billing notes: Business plan is billed per user per month. Seats are added as users are invited; removing or deactivating users frees seats. Annual billing is available at a discount. Enterprise plan uses a custom flat-fee model (up to 25% discount) negotiated directly with LastPass. Add-ons (Advanced SSO for unlimited SSO apps, Advanced MFA for all endpoints) are priced separately on top of the base Business plan seat cost. A 30-day free trial is available for Business.
The cost of manual management
Seats are consumed the moment an invitation is sent, not when the user accepts it; pending invitations still count against your license headroom. Shared folder ownership is not automatically transferred when a user is removed; folders owned by a departing user must be manually reassigned or they risk becoming inaccessible.
SCIM deprovisioning only disables accounts, not deletes them, so a manual cleanup step in the Admin Console is always required to fully close the loop.
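The three gaps above can be checked in one pass. This is an added example, not code from LastPass or from the original page: a Python audit that cross-checks a user list and a shared-folder owner list against an IdP roster. The CSV column names, the sample rows, and the `audit` function are assumptions constructed for illustration, not a documented LastPass export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example,
# not a documented LastPass export format.
USERS_CSV = """email,status,invited_on
alice@example.com,Active,2024-01-10
bob@example.com,Deactivated,2023-11-02
carol@example.com,Pending,2024-03-01
dave@example.com,Pending,2024-05-20
erin@example.com,Active,2023-09-15
"""
FOLDERS_CSV = """folder,owner
Finance,bob@example.com
Engineering,alice@example.com
Vendors,erin@example.com
"""
IDP_ACTIVE = {"alice@example.com", "dave@example.com"}  # constructed IdP roster


def audit(users_csv, folders_csv, idp_active, today, pending_max_days=30):
    """Return offboarding gaps as {category: sorted list}."""
    users = list(csv.DictReader(io.StringIO(users_csv)))
    folders = list(csv.DictReader(io.StringIO(folders_csv)))
    status = {u["email"].lower(): u["status"] for u in users}

    # SCIM deprovisioning deactivates but does not delete: list the leftovers.
    to_delete = [e for e, s in status.items() if s == "Deactivated"]
    # Still Active in the password manager but gone from the IdP.
    orphaned = [e for e, s in status.items() if s == "Active" and e not in idp_active]
    # Pending invitations can hold a seat; flag the stale ones.
    stale = [u["email"].lower() for u in users if u["status"] == "Pending"
             and (today - date.fromisoformat(u["invited_on"])).days > pending_max_days]
    # Shared folders owned by anyone who is leaving must be transferred first.
    leaving = set(to_delete) | set(orphaned)
    transfers = [(f["folder"], f["owner"].lower()) for f in folders
                 if f["owner"].lower() in leaving]
    return {"delete_after_deactivation": sorted(to_delete),
            "active_but_not_in_idp": sorted(orphaned),
            "stale_pending_invites": sorted(stale),
            "folders_needing_transfer": sorted(transfers)}


if __name__ == "__main__":
    report = audit(USERS_CSV, FOLDERS_CSV, IDP_ACTIVE, date(2024, 6, 1))
    for category, items in report.items():
        print(category, items)
```

Work through `folders_needing_transfer` before `delete_after_deactivation`, since ownership has to move before the owning account is deleted.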
What IT admins are saying
Sysadmin communities flag two recurring friction points with LastPass offboarding: session persistence after deactivation and shared folder cleanup. Deactivating a user does not immediately kill an active browser extension session; the vault can remain locally accessible until the extension checks back in.
Shared folder management is widely described as tedious when a departing user owns multiple folders, since each must be transferred individually. The 2022 breach continues to surface in community threads, with admins questioning residual vault data exposure even after account removal.
Common complaints:
- Deprovisioning a user does not immediately revoke active browser extension sessions; the vault may remain accessible locally until the session expires.
- Shared folder permission management is considered complex, especially when users own multiple shared folders and must be manually transferred before deletion.
- Ongoing security concerns following the 2022 data breach, with users questioning the safety of stored vault data even after admin-side removal.
- No granular custom roles - admins cannot create a role with a specific subset of permissions beyond the three fixed admin roles.
- CSV import is limited in flexibility; group assignments via CSV are not always straightforward.
- SCIM deprovisioning only deactivates users, not deletes them, requiring a manual cleanup step in the Admin Console.
- Users who convert their business vault to a personal account after removal remain outside admin control, raising offboarding security concerns.
- Pending users (invited but not yet activated) still consume a seat on some billing configurations, leading to unexpected seat usage.
The decision
LastPass Business is a reasonable fit for teams already invested in a supported IdP (Okta, Entra ID, Google Workspace, OneLogin) who want SCIM-driven provisioning without building a custom integration. The fixed role model (Super Admin, Admin, Help Desk Admin) covers most org structures, though teams needing granular, permission-scoped roles will hit a ceiling.
Teams plan users should note that admin scope cannot be restricted to specific groups; that capability is Business-only.
Bottom line
LastPass Business handles every app's credential and SSO access from one console, but manual offboarding carries real risk if shared folder ownership and session expiry are not actively managed.
The fixed admin role set and the SCIM-only-disables behavior are the two structural constraints most likely to create operational gaps at scale.
Teams with a connected IdP will get the most value; those managing access manually should build explicit transfer and cleanup steps into every offboarding checklist.