Rolling out a password manager to your whole business sounds straightforward — until you realise it involves changing habits, migrating years of sprawling credentials, and getting buy-in from people who don’t see why their current system (a Post-it note on the monitor) is a problem. Done properly, a business-wide rollout takes four to six weeks. Done badly, staff ignore it, the admin gives up, and you’re back to shared spreadsheets within a month. This guide walks you through every phase in the order that actually works.
Phase 1: Planning (Before You Buy Anything)
The biggest mistake businesses make is purchasing licences before they understand the problem they’re solving. Spend a week on planning and the rest of the rollout becomes significantly easier.
Audit What You Have
Before you can migrate anything, you need to know what exists. Walk through the following sources of credentials in your business:
- Browser-saved passwords — Chrome and Edge both export these as a CSV. Ask a sample of staff to check how many passwords their browser has saved. The number is usually alarming.
- Shared spreadsheets — Check SharePoint, Google Drive, and any shared drives for files named “passwords”, “logins”, “credentials”, or similar. These need to be found and deleted once migration is complete.
- Sticky notes, notebooks, whiteboard photos — Physical credentials are common in SMBs. They won’t survive a fire, a burglary, or a nosy visitor.
- Shared email accounts — Many teams share a generic address (accounts@, info@, support@) where everyone knows the password. These need to go into a shared vault.
- Previous or existing password managers — Some staff may already be using personal LastPass free accounts or similar. These need to be consolidated.
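The shared-spreadsheet search above is the part of the audit that is easiest to automate. The following Python script is an added example written for this guide, not a tool from any of the vendors mentioned: it walks a shared-drive path, flags files whose names suggest a credential store, and also peeks at the header row of CSV/TXT files so that a browser export someone saved and forgot is caught even when its name is innocuous. The filename hints, header hints and the sample share it builds are all constructed for the demonstration.

```python
"""Added example: find likely credential files on a shared drive before migration.

Illustrative code for this guide, not a vendor tool. Run it against a share root
(or a synced SharePoint / Google Drive folder) and review the findings by hand.
"""
import csv
import os
import re
import tempfile
from pathlib import Path

# Filename fragments from the audit list above, plus common variants (assumed set).
NAME_HINTS = re.compile(r"password|passwd|pwd|login|credential|creds|secrets?", re.I)
# Column headers typical of browser / password-manager exports (assumed layout).
HEADER_HINTS = re.compile(r"^(password|login_password|pass|secret)$", re.I)
TEXT_EXTS = {".csv", ".txt", ".tsv"}


def csv_has_password_column(path: Path) -> bool:
    """True if the first row of a delimited text file names a password-like column."""
    try:
        with path.open(newline="", encoding="utf-8", errors="ignore") as fh:
            header = next(csv.reader(fh), [])
    except OSError:
        return False
    return any(HEADER_HINTS.match(col.strip()) for col in header)


def find_credential_files(root: Path) -> list[dict]:
    """Walk `root`; return findings with path, reasons flagged, and size in bytes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if NAME_HINTS.search(path.stem):
                reasons.append("filename")
            if path.suffix.lower() in TEXT_EXTS and csv_has_password_column(path):
                reasons.append("password column")
            if reasons:
                findings.append({"path": str(path), "reasons": reasons,
                                 "bytes": path.stat().st_size})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_share() -> Path:
    """Create a constructed sample share in a temp dir; every file is made up."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "Finance").mkdir()
    (root / "Marketing").mkdir()
    (root / "Finance" / "Supplier Logins.xlsx").write_bytes(b"demo")
    (root / "Marketing" / "Chrome Passwords.csv").write_text(
        "name,url,username,password\nexample,https://example.test,alice,Demo-Only-1\n")
    (root / "Marketing" / "campaign-plan.csv").write_text("week,channel,budget\n1,email,500\n")
    (root / "Finance" / "Q3 report.docx").write_bytes(b"demo")
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for f in find_credential_files(share):
        print(f"{f['path']}  ({', '.join(f['reasons'])}, {f['bytes']} bytes)")
```

The script reports only paths and reasons, never file contents, so its output can be kept as audit evidence. Treat each hit as a candidate for migration into a shared vault and then deletion, as the list above describes.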
Define Your Scope
Decide upfront who is in scope for phase one. Common approaches:
- All staff from day one — Best for smaller businesses under 30 people. Simpler to manage, fewer exceptions.
- IT and privileged accounts first — Better for larger organisations. Secure the highest-risk credentials before rolling out to general staff.
- Department by department — Useful if you have distinct teams with very different workflows (e.g., a developer team alongside a sales team).
Document your scope decision. You will need it when you write your access control policy later.
Choose Your Product
For business use, the main contenders are LastPass Business, 1Password Business, and Bitwarden Teams. Each has meaningful differences for an IT administrator. See our best password manager for business UK 2026 comparison for a full breakdown. In brief:
- LastPass Business — mature admin console, good SCIM provisioning, broad SSO support. Has had notable security incidents; review carefully if you handle sensitive data. Full details: LastPass Business review 2026.
- 1Password Business — strong security architecture (Secret Key + master password), excellent admin reporting, Travel Mode for team members crossing borders. Full details: 1Password Business review 2026.
- Bitwarden Teams — open source, self-hostable, lowest cost per seat. Smaller admin feature set but a solid choice for budget-conscious businesses or those with technical resource to manage self-hosting.
Get Leadership Buy-In
This is not optional. A password manager rollout is a culture change, and it will fail without visible support from senior leadership. Before you send a single invite, brief your MD, IT director, or equivalent. Explain:
- The specific risk you’re mitigating (credential theft is the leading cause of data breaches in SMBs)
- The cost of the tool versus the cost of a breach or ransomware incident
- That you need them to visibly use the tool themselves, not just endorse it in an email
If leadership asks why now, point them to your cyber insurance renewal or your ISO 27001 assessment — either provides a compelling business case.
Phase 2: Admin Setup
Once you have chosen your product and purchased licences, configure the admin environment before any user sees it. A well-configured admin console makes every subsequent step easier and gives you audit evidence from day one.
Create the Admin Account and Configure Organisation Settings
Use a dedicated admin email address that is tied to a role, not a person (e.g., a role mailbox such as password-admin@[your-domain], not a named individual's address). This avoids access problems when the person who set it up leaves the business.
Set the Master Password Policy
All three major platforms allow you to enforce password policy for the master password. Set a minimum of:
- 12 characters (14 or more is preferable)
- Mixed case, numbers, and symbols
- Prevent reuse of the last five passwords
Remind staff that the master password is the one password they need to remember — it should be a passphrase, not a complex string they’ll write down.
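To make the policy above concrete, here is an added Python example (written for this guide, not any vendor's enforcement code) that checks a proposed master password against exactly those rules. The "no reuse of the last five" rule is the part that needs some design: the admin platform cannot keep the old passwords themselves, so the check works against a history of salted PBKDF2 hashes. Note that a space counts as a symbol, so a passphrase of the kind the guide recommends passes the symbol rule naturally. Iteration count and data class names are assumptions for the demo.

```python
"""Added example: checking a master password against the policy in this guide.

Illustrative code, not a vendor implementation. Keeps salted hashes of the
last five passwords so reuse can be detected without storing the passwords.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12      # policy minimum from the guide; 14 or more is preferable
HISTORY_DEPTH = 5    # the last five passwords may not be reused
PBKDF2_ROUNDS = 100_000  # assumed; slow on purpose so a leaked history is not cheap to reverse


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class MasterPasswordHistory:
    """Salted hashes of one user's last HISTORY_DEPTH master passwords, newest last."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest)

    def was_used_recently(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        self._entries = self._entries[-HISTORY_DEPTH:]  # keep only the last five


def check_master_password(password: str, history: MasterPasswordHistory) -> PolicyResult:
    """Apply the guide's minimum policy; returns every failing rule, not just the first."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs both upper and lower case")
    if not re.search(r"\d", password):
        failures.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):   # spaces count, so passphrases pass
        failures.append("needs a symbol")
    if history.was_used_recently(password):
        failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    history = MasterPasswordHistory()
    for candidate in ("Short1!", "NoSymbolsHere123", "Correct horse battery staple 9!"):
        result = check_master_password(candidate, history)
        print(f"{'OK  ' if result.ok else 'FAIL'} {candidate!r}: {', '.join(result.failures) or 'meets policy'}")
```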
Configure SSO If Applicable
If your business uses Azure Active Directory, Google Workspace, or Okta, configure SSO before inviting users. This means staff log into the password manager using the same credentials they use for everything else — reducing friction and improving adoption. LastPass Business and 1Password Business both support SAML 2.0 and OIDC SSO.
Enable MFA as a Requirement
Do not make MFA optional. Require it at the organisation level. TOTP (Google Authenticator, Authy, Microsoft Authenticator) is acceptable for most businesses. If you handle particularly sensitive data, consider requiring FIDO2 hardware keys (YubiKey) for your admin accounts at minimum.
Set Up Emergency Access and Account Recovery
Decide what happens when a member of staff forgets their master password. Options vary by platform:
- Admin recovery — the admin can reset a user’s vault access (available in LastPass Business)
- Emergency access contacts — a trusted colleague can request access after a waiting period (1Password, Bitwarden)
- Account recovery key — a generated recovery code the user stores securely
Document your chosen recovery procedure in writing. This is part of your access control policy and will be reviewed if you pursue ISO 27001 certification.
Create the Vault Structure
Plan your shared vault (or shared folder) structure before you invite anyone. Organise by department or function rather than individual users. Typical structures include:
- Finance — accounts payable portals, banking, payroll system
- Marketing — social media accounts, CMS, ad platforms
- IT / Infrastructure — server credentials, domain registrar, hosting panel, DNS
- Operations — shared services (Royal Mail OBA, supplier portals, etc.)
- Executives — board-level access credentials
Assign vault access to groups, not individuals. This makes offboarding clean and immediate.
Phase 3: User Provisioning
With the admin environment configured, you’re ready to bring users in. Do this in batches — don’t invite everyone on the same day unless your organisation is very small.
SCIM Auto-Provisioning
If you’re using LastPass Business or 1Password Business with Azure AD or Okta, enable SCIM provisioning. This means users are automatically created in the password manager when you add them to the relevant group in your identity provider — and automatically deprovisioned when they leave. It removes the manual admin overhead and eliminates the risk of forgetting to revoke vault access on departure.
Manual Invite Flow
Without SCIM, you’ll invite users by email through the admin console. Batch your invites by department and send them with a short notice period (two to three days) so staff aren’t caught off guard.
Onboarding Communication
Send a brief email to each batch of users before their invite arrives. Include:
- What the tool is and why the business is rolling it out
- That an invite email is coming from the password manager (so it doesn’t get marked as spam)
- What they need to do: install the browser extension and mobile app, set their master password, enable MFA
- A deadline — something specific like “please complete setup by [date]”
- Who to contact if they have a problem
Keep it short. Staff don’t read long emails about IT changes. If it’s more than 150 words, cut it down.
Phase 4: Migration
Migration is the most time-consuming phase, but breaking it into clear categories makes it manageable.
Importing Individual Passwords
All three major platforms accept CSV imports. The process for each browser:
- Chrome / Edge: Go to Settings > Passwords > Export. This generates a CSV with URL, username, and password columns.
- Firefox: Settings > Privacy & Security > Saved Logins > Export Logins.
- Previous password manager: Most managers have a native export function. Import directly into the new platform, then delete the export file from the local machine immediately.
Instruct staff to import their own personal-to-work passwords themselves. Don’t ask staff to send you their CSV — that would create exactly the kind of unencrypted credentials file you’re trying to eliminate.
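Because staff are doing their own imports, it helps to give them a small pre-import check they can run locally on the export before it goes into the vault and is deleted. The Python below is an added example for this guide, not a vendor tool: it reads a Chrome/Edge export (name, url, username, password, optional note) or a Firefox one (url, username, password, plus bookkeeping columns), reports how many entries are reused or short without printing any secret, and rewrites the rows in the generic CSV layout Bitwarden documents for import. Both the browser column names and the Bitwarden column list are taken from my understanding of those formats and should be checked against the product's current import page; the sample export is constructed.

```python
"""Added example: pre-import hygiene report and format conversion for a browser export.

Illustrative code for this guide, not a vendor tool. Run on the machine that
made the export, then delete the export and the converted file once imported.
"""
import csv
import io
from collections import Counter

# Bitwarden's generic CSV import columns (assumed from its documented layout).
BITWARDEN_COLUMNS = ["folder", "favorite", "type", "name", "notes", "fields",
                     "reprompt", "login_uri", "login_username", "login_password", "login_totp"]
SHORT = 12  # flag anything below the guide's 12-character minimum


def read_browser_export(text: str) -> list[dict]:
    """Normalise Chrome/Edge or Firefox export rows to one shape."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        url = r.get("url", "")
        out.append({
            "name": r.get("name") or url,      # Firefox exports have no name column
            "url": url,
            "username": r.get("username", ""),
            "password": r.get("password", ""),
            "note": r.get("note", ""),
        })
    return out


def hygiene_report(entries: list[dict]) -> dict:
    """Counts in the 'weak, reused' categories; never returns a password value."""
    counts = Counter(e["password"] for e in entries if e["password"])
    reused = {pw for pw, n in counts.items() if n > 1}
    return {
        "total": len(entries),
        "reused_entries": sum(1 for e in entries if e["password"] in reused),
        "distinct_reused_passwords": len(reused),
        "short_entries": sum(1 for e in entries if 0 < len(e["password"]) < SHORT),
        "empty_password": sum(1 for e in entries if not e["password"]),
    }


def to_bitwarden_csv(entries: list[dict], folder: str = "") -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=BITWARDEN_COLUMNS, lineterminator="\n")
    w.writeheader()
    for e in entries:
        w.writerow({
            "folder": folder, "favorite": "", "type": "login", "name": e["name"],
            "notes": e["note"], "fields": "", "reprompt": "0",
            "login_uri": e["url"], "login_username": e["username"],
            "login_password": e["password"], "login_totp": "",
        })
    return buf.getvalue()


# Constructed sample in Chrome's export layout; every value is made up.
SAMPLE_CHROME_EXPORT = """name,url,username,password,note
supplier portal,https://portal.example.test,alice@example.test,Summer2023!,
payroll,https://payroll.example.test,alice,Summer2023!,
crm,https://crm.example.test,alice@example.test,k8Qm-vT2n-Lw9z-Hb4p,shared with Bob
intranet,https://intranet.example.test,alice,pass1,
"""

if __name__ == "__main__":
    entries = read_browser_export(SAMPLE_CHROME_EXPORT)
    print(hygiene_report(entries))
    print(to_bitwarden_csv(entries, folder="Work"))
```

The report deliberately exposes counts only, so a user can share it with IT as evidence of what was imported without the export itself ever leaving their machine.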
Shared Passwords
Shared credentials are the riskiest category. These are the passwords that five people know and nobody changes because nobody is sure who owns them. Move these into shared vaults with the correct access controls as part of admin setup, and communicate clearly to the relevant teams that the vault entry is now the canonical source of truth. Remove the shared spreadsheet or document as soon as the vault entry is confirmed to work.
Service Accounts and Admin Credentials
Server passwords, domain admin credentials, firewall access, registrar logins, cloud provider root accounts — these should go into a restricted vault with minimal access. Apply the principle of least privilege: only the people who genuinely need access to a credential should have it. If in doubt, restrict access and grant on request rather than granting broadly by default.
Phase 5: Training and Adoption
Staff adoption is the single most common reason password manager rollouts fail. The tool can be perfect; if people don’t use it, it provides no protection.
Run a Short Walkthrough Session
Book a 30-minute session — not a lecture, a hands-on walkthrough. Screen-share the browser extension and show staff three things:
- How to save a new password when logging into a site
- How to autofill a saved password
- How to use the mobile app
That’s it. Don’t cover every feature. Keep it to what staff will use in the first week. Advanced features (secure notes, password sharing, travel mode) can come later.
Set a Clear Migration Deadline
Give staff a specific date by which all work passwords should be in the vault — typically two to four weeks after their invite. Make it clear that after this date, IT will no longer support retrieval of passwords stored outside the manager.
Use the Security Dashboard
Both LastPass Business and 1Password Business provide a security score dashboard showing weak, reused, and compromised passwords. Share this with staff individually — not as a public leaderboard, but as a personal briefing. Most people are genuinely surprised how many of their passwords are weak or reused. Making it personal is far more effective than a generic reminder email.
Measure Adoption
Use the admin console to track how many users have:
- Accepted their invite and set up the vault
- Installed the browser extension
- Enabled MFA
- Imported at least one password
Chase non-adopters directly before the deadline. A brief personal message is more effective than a blanket reminder to all staff.
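The four checks above are easy to turn into a weekly report once you export the member list from the admin console. The Python below is an added example for this guide, not a vendor feature: it reads a simplified member export, computes the percentage passing each check, and produces the list of people to chase with the specific step each is missing. Real consoles export different column names, so the columns (email, invite_accepted, extension_installed, mfa_enabled, item_count) and the rows are constructed for the demo.

```python
"""Added example: adoption report from an admin-console member export.

Illustrative code for this guide. The column layout is an assumption; map
your console's export onto it before use.
"""
import csv
import io

# The four adoption checks from the guide, each as a predicate over one export row.
CHECKS = {
    "accepted invite": lambda r: r["invite_accepted"] == "yes",
    "installed extension": lambda r: r["extension_installed"] == "yes",
    "enabled MFA": lambda r: r["mfa_enabled"] == "yes",
    "imported a password": lambda r: int(r["item_count"] or 0) >= 1,
}


def load_members(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def adoption_summary(members: list[dict]) -> dict:
    """Percentage of members passing each check, rounded to whole numbers."""
    n = len(members)
    return {name: round(100 * sum(1 for m in members if test(m)) / n)
            for name, test in CHECKS.items()}


def non_adopters(members: list[dict]) -> list[tuple[str, list[str]]]:
    """Who to chase before the deadline, with the steps each person still has to do."""
    out = []
    for m in members:
        missing = [name for name, test in CHECKS.items() if not test(m)]
        if missing:
            out.append((m["email"], missing))
    return out


# Constructed sample export; names and values are made up.
SAMPLE_EXPORT = """email,invite_accepted,extension_installed,mfa_enabled,item_count
alice@example.test,yes,yes,yes,42
bob@example.test,yes,no,yes,3
carol@example.test,no,no,no,0
dave@example.test,yes,yes,yes,0
erin@example.test,yes,yes,yes,7
"""

if __name__ == "__main__":
    members = load_members(SAMPLE_EXPORT)
    for check, pct in adoption_summary(members).items():
        print(f"{check:<22} {pct}%")
    for email, missing in non_adopters(members):
        print(f"chase {email}: {', '.join(missing)}")
```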
Phase 6: Ongoing Management
The rollout is complete, but ongoing management is what keeps the programme effective. Build the following into your IT calendar.
Quarterly Access Review
Every quarter, review who has access to which shared vaults and whether that access is still appropriate. This is particularly important for staff who have changed roles since the rollout. A quarterly access review is a specific requirement under ISO 27001 Annex A.5.18 (Access rights) and provides documented evidence for your auditor.
Offboarding Procedure
Vault revocation should be part of your standard offboarding checklist, executed on the day of departure — not at the end of the week, not when IT gets around to it. If you have SCIM provisioning, this happens automatically when you remove the user from the relevant identity provider group. Without SCIM, you need a manual step in your offboarding checklist. Document it and own it.
Before revoking access, transfer ownership of any individually-held vault entries that the business needs. A departing user’s personal vault section is theirs to take — but any work credentials in shared vaults remain with the organisation.
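The quarterly access review and the offboarding check both come down to the same comparison: who the vaults say has access, against who the HR roster says should. The Python below is an added example for this guide, not a vendor feature; it takes a vault-to-member export and a roster with each person's department and employment status, and lists every membership that no longer fits: leavers still present, people who changed department since the rollout, and accounts the roster does not know about. The vault names follow the structure suggested in Phase 2; the department-to-vault policy and both inputs are constructed for the demo.

```python
"""Added example: quarterly access review of shared vaults against the HR roster.

Illustrative code for this guide. Serves the quarterly review and the
offboarding check: a leaver who still appears in any vault is a finding.
"""
from dataclasses import dataclass

# Which shared vaults each department is expected to hold (assumed policy).
ALLOWED_VAULTS = {
    "Finance": {"Finance"},
    "Marketing": {"Marketing"},
    "IT": {"IT / Infrastructure", "Finance", "Marketing", "Operations"},
    "Operations": {"Operations"},
    "Executive": {"Executives", "Finance"},
}


@dataclass(frozen=True)
class Finding:
    vault: str
    email: str
    reason: str


def review_access(vault_members: dict[str, set[str]], roster: dict[str, dict]) -> list[Finding]:
    """Return one Finding per vault membership that the roster does not justify."""
    findings = []
    for vault, emails in vault_members.items():
        for email in sorted(emails):
            person = roster.get(email)
            if person is None:
                findings.append(Finding(vault, email, "not on HR roster"))
            elif person["status"] != "active":
                findings.append(Finding(vault, email, f"status is {person['status']}"))
            elif vault not in ALLOWED_VAULTS.get(person["department"], set()):
                findings.append(Finding(vault, email,
                                        f"department {person['department']} does not use this vault"))
    return findings


# Constructed inputs: a vault membership export and the current HR roster.
VAULT_MEMBERS = {
    "Finance": {"alice@example.test", "bob@example.test", "ian@example.test"},
    "IT / Infrastructure": {"ian@example.test", "bob@example.test"},
    "Marketing": {"carol@example.test", "dan@example.test", "eve@example.test"},
}
ROSTER = {
    "alice@example.test": {"department": "Finance", "status": "active"},
    "bob@example.test": {"department": "Finance", "status": "active"},   # moved from IT
    "carol@example.test": {"department": "Marketing", "status": "active"},
    "dan@example.test": {"department": "Marketing", "status": "left"},
    "ian@example.test": {"department": "IT", "status": "active"},
}

if __name__ == "__main__":
    for f in review_access(VAULT_MEMBERS, ROSTER):
        print(f"{f.vault}: {f.email} -> {f.reason}")
```

Keep each quarter's output alongside the sign-off from the vault owner; together they are the documented evidence the review is meant to produce.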
Annual Policy Review
Review your password management policy annually. Check:
- Whether your password complexity requirements still meet current NCSC guidance
- Whether your product’s pricing or feature set still represents best value
- Whether any shared vault entries are stale (unused accounts that should be deleted)
- Whether your recovery and emergency access procedures are still fit for purpose
See our password manager policy template for UK businesses for a starting point you can adapt for your own documentation.
ISO 27001 Compliance Evidence
If your business is working towards ISO 27001 certification, or is already certified, completing this rollout gives you documented operational evidence against two specific controls:
- Annex A.5.17 — Authentication information: Covers the management of secret authentication information including passwords. A deployed password manager with enforced policy, MFA, and documented procedures directly satisfies this control.
- Annex A.5.18 — Access rights: Requires that access rights are provisioned, reviewed, modified, and removed in a controlled way. Your quarterly access review and offboarding procedure provide the documented evidence required.
The key word is documented. The password manager admin console gives you audit logs, provisioning records, and adoption metrics. Export and retain these as part of your ISO evidence pack. For a fuller picture of how password management maps to ISO 27001, see our password managers and ISO 27001 compliance guide.
Summary: Your Six-Phase Checklist
- Plan: Audit credentials, define scope, choose product, get leadership buy-in
- Configure admin: Password policy, SSO, MFA, recovery procedure, vault structure
- Provision users: SCIM or manual invite, onboarding comms, installation deadline
- Migrate: Individual import, shared vaults, restricted admin credentials
- Train and measure: 30-minute walkthrough, migration deadline, security dashboard, adoption tracking
- Maintain: Quarterly access review, offboarding procedure, annual policy review
A realistic timeline for a business of 20–50 people is four to six weeks from admin setup to full adoption. Larger organisations with multiple departments or complex SSO environments should allow eight to twelve weeks. The investment is worth it: credential theft and password reuse account for a significant proportion of SMB data breaches in the UK, and this single change addresses the risk more comprehensively than almost anything else in your security toolkit.