We use LastPass Enterprise, using federated Azure login. All works fine on PCs. Conditional Access in Azure is set up to ensure that users can only log into the SSO resources (250+) from Intune managed devices. It requires that authentication requests come from Chrome or Edge.
LastPass has its own browser and does not send the authentication request via Edge or Chrome, so therefore it's getting blocked and users cannot log in.
LastPass say that they are aware of this. It's not a fault with their product; it's more of a change they need to make to enable their product to work with AAD Conditional Access rules.
Has anyone found a way round this?
I apologize for the frustration, I know you have been dealing with this issue for some time. I have checked in with the team and they are still working on this issue. We are working with a few customers directly and testing a beta, but it is a manual process for now so it is not open for everyone to try. We should have more news in the new year.
Hey LastPass support team, was there anything changed on your end that is allowing this to work now via conditional access?
My colleague and I decided to try logging in this morning and it works; we did not run into any issues. (Android devices, have not tried iPhone yet.)
This is such a simple fix that many other cloud providers have implemented. Let's get two things straight, LastPass engineers are not "hard at work", they are horrendous. They close cases without even attempting to resolve. It's no surprise 2 years later they have not addressed the issue.
To fix the issue, they just have to enable "native browser" authentication. The LastPass app is using its own browser to do the authentication. That browser does not pass details about the device to conditional access policies. Native browsers on an iOS device, such as Safari and Edge, do. So if you have a Conditional Access policy based on device compliance, LastPass will be blocked. LastPass has to redirect the authentication to the native browser; SIMPLE. They need to do this for GoToAssist as well.
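
For administrators who want to confirm the behaviour discussed in this thread, the following is an added example and not part of any post above or of LastPass's or Microsoft's own code. It triages exported sign-in records to separate Conditional Access blocks where no device identity reached the policy from blocks where an identified device was simply not compliant. It assumes records shaped like Microsoft Graph `signIn` entries (`conditionalAccessStatus`, `deviceDetail.deviceId`, `deviceDetail.isCompliant`); the function names and all sample values are constructed.

```python
from collections import Counter

# Constructed sample records: a subset of the fields in a Microsoft Graph
# signIn entry. User names, app names and browser strings are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "LastPass",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "browser": "Embedded WebView",
                      "operatingSystem": "Android", "isCompliant": False}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "LastPass",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "constructed-device-0001", "browser": "Edge",
                      "operatingSystem": "Windows", "isCompliant": True}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Example HR App",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "constructed-device-0002", "browser": "Chrome",
                      "operatingSystem": "Windows", "isCompliant": False}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "LastPass",
     "conditionalAccessStatus": "failure", "deviceDetail": None},
]

def classify(signin):
    """Label one sign-in record by how Conditional Access treated it."""
    if signin.get("conditionalAccessStatus") != "failure":
        return "not_blocked"
    device = signin.get("deviceDetail") or {}
    if not device.get("deviceId"):
        # No device identity reached the policy at all: what the thread
        # describes for an app authenticating in its own embedded browser.
        return "blocked_no_device_identity"
    if device.get("isCompliant") is not True:
        # The device identified itself but is not marked compliant.
        return "blocked_device_not_compliant"
    return "blocked_other"

def apps_missing_device_identity(signins):
    """Count, per application, blocked sign-ins that carried no device identity."""
    return Counter(s.get("appDisplayName", "unknown") for s in signins
                   if classify(s) == "blocked_no_device_identity")

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s["userPrincipalName"], s["appDisplayName"], classify(s))
    print(dict(apps_missing_device_identity(SAMPLE_SIGNINS)))
```

An application that dominates the "no device identity" count on devices known to be enrolled is a candidate for the embedded-browser problem rather than a genuine compliance failure.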