With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting Microsoft Entra ID (previously Azure AD) with 1Password using Unlock with SSO.
Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.
This guide will help you set up a private client, which supports Conditional Access policies. If you don’t need to use Conditional Access policies, you can set up a public client instead.
Before you begin
Before you begin, review the considerations and requirements for Unlock with SSO. You’ll also need to:
- Have Application Administrator and Group Administrator privileges in Microsoft Entra ID.
- Be on an Entra ID plan that includes SSO.
These steps were recorded in December 2024 and may have changed since. Refer to the Microsoft documentation for the most up-to-date steps.
Step 1: Add the 1Password application to Entra ID
To get started, sign in to your account on the Microsoft Azure portal, then follow these steps.
1.1: Create an enterprise application
If you already use automated provisioning with Entra ID, search for the existing enterprise application in the Microsoft Azure portal, then follow step 1.2.
If you don’t use automated provisioning, add 1Password as an enterprise application in Entra ID:
- Select Microsoft Entra ID, then select Enterprise applications in the sidebar.
- Select New application, then select Create your own application.
- Enter “1Password EPM” for the name of the app and select Integrate any other application you don’t find in the gallery (Non-gallery). Then select Create.
You’ll see the details of the application you just created. Continue to the next section to configure it.
1.2: Open the app registration for 1Password
- Go to the app registrations page and select All applications, then choose 1Password EPM.
- Copy the Application (client) ID to a temporary file in a text editor. You’ll need it for step 2.1.
- Select Certificates & secrets in the sidebar.
- Select New client secret. Give the secret a name, such as “1Password SSO”.
- Select Add. Leave this page open for when you need the application secret in step 2.1.
Important
The Entra ID application secret has an expiration date. To make sure your team can continue to sign in with Microsoft, create a new secret and update it in 1Password’s settings at least a few days before the current secret expires. Set reminders to rotate your secret to make sure you don’t get locked out of your account.
Step 2: Configure Unlock with SSO
Important
The changes you make below won’t be saved until you successfully authenticate with Microsoft. This prevents you from losing access to 1Password.
2.1: Set up Unlock with SSO
- Open a new browser tab and sign in to your account on 1Password.com.
- Click Policies in the sidebar.
- Click Manage under Configure Identity Provider.
- Choose Microsoft Entra ID, then click Next.
- On the application details page, fill out the following fields:
  - Application ID: Paste the Application (client) ID for the application you created in step 1.
  - OpenID configuration document URL: Click Endpoints on the Overview page for your application and copy and paste the OpenID Connect metadata document field.
  - Client Type: Choose Private Client.
  - Application Secret: Copy and paste the secret you created in step 1.2.
- Click Next and copy the Redirect URI, then leave this page open and continue to step 2.2.
2.2: Configure the Entra ID application
Go back to the browser tab you had open for step 1, then follow these steps:
- In the sidebar under Manage, click Authentication.
- Under “Platform configurations”, select Add a platform, then choose Web and fill out the following fields:
  - Paste the redirect URI from your Configure Identity Provider page in your other browser tab.
  - Leave the Front-channel logout URL field blank.
  - Select ID tokens under “Implicit grant and hybrid flows”.
- Click Configure.
2.3: Configure API permissions
- Click API permissions in the sidebar.
- Click Add a permission.
- Click Microsoft Graph then Delegated permissions.
- Under “OpenId permissions”, select email, openid, and profile.
- Click Add permissions.
- Click Grant admin consent to give tenant-wide consent for the 1Password application. 1Password asks only for read access to the permissions listed above.
Important
For a user to sign in to 1Password with Microsoft, the email listed in Entra ID must match the email associated with their 1Password account. Note that their User Principal Name can be different.
2.4: Configure required claims
1Password requires the sub, name, and email claims from Entra ID. By default, Entra ID provides a subject claim, which maps the name and email user properties automatically. 1Password will attempt to match users with the sub property in Entra ID. If this fails, it falls back to the email property.
If your users have an email property that differs from their User Principal Name (UPN), you must create an optional upn claim for the OIDC ID Token. An email claim is still required after you add a upn claim.
- Select the app registration you created earlier.
- Click Token configuration in the sidebar.
- Click Add optional claim.
- Choose ID.
- Scroll down and check UPN, then click Add.
Learn more about providing optional claims in Entra ID.
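An added check for the claim requirements in this section (example code, not 1Password’s or Microsoft’s): it decodes an ID token’s payload, reports missing required claims or an email that differs from the UPN without a upn claim, and applies the sub-then-email matching order described above. The token, the sub values and the accounts list are constructed; a real token must have its signature verified before any claim is trusted.

```python
import base64
import json

REQUIRED_CLAIMS = ("sub", "name", "email")  # claims 1Password needs from the ID token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a JWS-shaped token with a placeholder signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload. Signature verification is a separate, mandatory step."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, directory_upn: str) -> list:
    """Report missing required claims, and an email that differs from the UPN with no upn claim."""
    problems = [f"missing required claim: {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    email = claims.get("email", "")
    if email and email.lower() != directory_upn.lower() and not claims.get("upn"):
        problems.append("email differs from UPN: add the optional upn claim to the ID token")
    return problems


def match_account(claims: dict, accounts: list):
    """Match in the order the guide describes: by sub first, then by email (case-insensitive)."""
    for account in accounts:
        if account.get("linked_sub") and account["linked_sub"] == claims.get("sub"):
            return account
    email = claims.get("email", "").lower()
    return next((a for a in accounts if a["email"].lower() == email), None)


# Constructed sample: a user whose mailbox address differs from their UPN.
SAMPLE_CLAIMS = {"sub": "constructed-sub-value", "name": "Ada Example",
                 "email": "ada@example.com", "upn": "ada.example@corp.example.com"}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
ONEPASSWORD_ACCOUNTS = [{"email": "Ada@example.com", "linked_sub": None},
                        {"email": "bob@example.com", "linked_sub": "constructed-sub-of-bob"}]
```

Running `check_claims(decode_payload(SAMPLE_TOKEN), "ada.example@corp.example.com")` returns an empty list, and dropping the upn claim from the same token produces the mismatch warning.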
2.5: Test the connection
After you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Microsoft to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.
Step 3: Choose which team members will unlock 1Password with Microsoft and set a grace period
Important
Existing team members need to sign in to 1Password with their account password and Secret Key before switching to Unlock with SSO. If your organization has turned off Emergency Kits or has a browser cache clearing policy, this could result in mass recoveries needed for users who don’t have their sign-in details.
Team members will be prompted to sign in with SSO during the recovery process.
After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with Microsoft:
- Create a custom group.
  Give the group a descriptive name, like "Microsoft SSO", for clarity.
- Add team members to the group.
  If you plan to invite additional team members to test Unlock with Microsoft at a later date, create a new custom group for each additional set of testers.
The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.
3.1: Choose who will unlock with Microsoft
Important
Users in the owners group can’t unlock with Microsoft and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their linked apps and browsers and no one can recover them.
Learn more about implementing a recovery plan for your team.
By default, “People who unlock 1Password with an identity provider” is set to “No one”. This lets you move your team over to unlocking with Microsoft gradually. To specify which team members will unlock 1Password with Microsoft, choose one of the options:
- No one: To turn off Unlock with Microsoft, select No one.
- Only groups you select: Only the team members in groups you choose will sign in with Microsoft. Learn how to use custom groups in 1Password Business.
- Everyone except groups you exclude: All team members, except owners and groups you choose to exclude, will sign in with Microsoft. Existing users in this scope will be prompted to switch to Unlock with Microsoft. New users, except those in excluded groups, will use their Microsoft username and password when joining 1Password. Owners will sign in with an account password and Secret Key.
- Everyone except guests: All team members, except owners and guests, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
- Everyone: Guests and all team members, except owners, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password.
3.2: Set a grace period
Team members who already have 1Password accounts will need to switch to unlock with Microsoft. Specify the number of days before team members must switch. Consider the following when you set the grace period:
- By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
- The grace period begins when an administrator adds a group after they choose the Only groups you select option or when an administrator configures Unlock with Microsoft for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with Microsoft.
- If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
- If you add a team member who hasn’t set up unlock with SSO to a group with an expired grace period, you or another administrator will need to recover their account so they can sign in again using SSO.
- If you edit the length of the grace period, it’ll be prolonged or shortened from the original date you configured the group to unlock with SSO.
- If you need to configure more team members to unlock with Microsoft after the initial setup, create a new custom group with an active grace period. This will make sure newly assigned team members won’t need their accounts recovered.
Important
If a team member doesn’t migrate to Unlock with Microsoft before the end of the grace period, they won’t be able to sign in to their account on their devices and must contact an administrator to recover their account. The team member will switch to unlock with Microsoft during the recovery process.
Optional: Add 1Password to the Microsoft My Apps page
You can add 1Password to the My Apps page so your team can quickly open your sign-in address from there:
- Sign in to the Microsoft Azure portal.
- Click Microsoft Entra ID, then select Enterprise applications in the sidebar.
- Click the 1Password EPM enterprise application.
- Click Single sign-on in the sidebar.
- Select Linked for the single sign-on method.
- Enter your team’s sign-in address in the “Sign on URL” field.
- Click Save.
Manage settings
To manage your settings, sign in to your account on 1Password.com, then select Policies in the sidebar and select Manage under Configure Identity Provider.
Configuration
To change your configuration with Microsoft, select Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO.
You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with Microsoft. This prevents you from losing access to 1Password.
People assignments and biometrics
Select Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with Microsoft.
- To specify which team members will unlock 1Password with Microsoft, choose an option in the Who can unlock 1Password with an identity provider section.
  “Only groups you select” is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with SSO, select No one.
- Specify the number of days before team members must switch to unlocking with Microsoft.
  The default grace period is 5 days. If a team member doesn't migrate to Unlock with Microsoft before the end of the grace period, they must contact their administrator to recover their account.
- To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to Microsoft again.
  When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.
Select Review Changes to verify your choices, then select Save.
Next steps
To use Unlock with Microsoft yourself, get started with Unlock 1Password with Microsoft as a team member.
Learn how to unlock 1Password with Microsoft on all of your devices and link additional apps and browsers to your account.
Tip
If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their linked browsers.
You can also encourage your team to link other apps and browsers to their accounts, like the 1Password desktop app, after they sign up or switch to unlock with SSO.
Update the Entra ID application secret
Before your Entra ID application secret expires, you’ll need to create a new secret and update it in your 1Password settings. We recommend rotating the secret at least a few days before the expiration date to make sure your team can continue to unlock 1Password with Entra ID.
- Open the App registrations page in the Microsoft Azure portal.
- Select your 1Password app registration, then select Certificates & secrets in the sidebar.
- Choose New client secret, enter a name in the Description field, and click Add.
- Click the copy button beside the Value field to copy the new secret.
- Open a new browser tab or window and sign in to your account on 1Password.com.
- Click Policies in the sidebar.
- Click Manage under Configure Identity Provider.
- Click Edit Configuration.
- Paste the new secret from Entra ID in the Application Secret field.
- Scroll down and select Test connection.
After you successfully connect to Microsoft, click Save Configuration. Then go back to the “Certificates & secrets” page in Entra ID and click the trash beside the old secret to delete it.
Set reminders to rotate secrets
You can set reminders to rotate secrets before they expire to help prevent lockouts and disruption to your workflows:
- Store secrets and set expiry alerts in 1Password: Create an item in 1Password for your Entra ID client secret and configure built-in expiry alerts to remind you when a secret is going to expire.
- Schedule calendar or project management reminders: Add a client secret rotation task to a shared calendar at least a few days before the secret expires, or track it in your project management system (like Jira or Asana) to prevent lockouts.
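An added script that automates the reminder described in this section (example code, not 1Password’s or Microsoft’s): it takes an app registration’s passwordCredentials list in the shape Microsoft Graph returns it (only displayName, keyId and endDateTime are read) and reports which client secrets are expired, inside the rotation window, or still fine. The credential list, the key IDs and the 14-day window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

WARN_DAYS = 14  # assumption: start rotating at least this many days before expiry


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph endDateTime such as 2025-01-20T00:00:00.0000000Z into an aware datetime."""
    # Graph emits seven fractional digits, which older fromisoformat() rejects; day precision suffices.
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def days_until_expiry(credential: dict, now: datetime) -> int:
    """Whole days left before the secret stops working (negative once it has expired)."""
    return (parse_graph_time(credential["endDateTime"]) - now).days


def classify_secrets(credentials: list, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Sort secrets into expired / rotate_now / ok so the rotation in this guide can be scheduled."""
    report = {"expired": [], "rotate_now": [], "ok": []}
    for cred in credentials:
        remaining = days_until_expiry(cred, now)
        label = cred.get("displayName") or cred["keyId"]
        if remaining < 0:
            report["expired"].append(label)
        elif remaining <= warn_days:
            report["rotate_now"].append(label)
        else:
            report["ok"].append(label)
    return report


def lockout_risk(credentials: list, now: datetime, warn_days: int = WARN_DAYS) -> bool:
    """True when no secret outlives the warning window, i.e. sign-in breaks unless something is rotated."""
    return not classify_secrets(credentials, now, warn_days)["ok"]


# Constructed sample data; the key IDs are placeholders, not real values.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"displayName": "1Password SSO", "keyId": "placeholder-key-1", "endDateTime": "2025-01-20T00:00:00.0000000Z"},
    {"displayName": "1Password SSO (rotated)", "keyId": "placeholder-key-2", "endDateTime": "2026-01-10T00:00:00Z"},
    {"displayName": "old secret", "keyId": "placeholder-key-3", "endDateTime": "2024-12-31T00:00:00Z"},
]

if __name__ == "__main__":
    print(classify_secrets(SAMPLE_CREDENTIALS, NOW))
    print("lockout risk:", lockout_risk(SAMPLE_CREDENTIALS, NOW))
```

Feed the output of a Graph query for the app registration’s passwordCredentials into `classify_secrets` from a scheduled job, and alert on anything in `rotate_now` or when `lockout_risk` is true.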
Get help
You can find your Application ID and OpenID configuration document URL on the overview page of the application you created in step 1.
If a team member is moved from a group that unlocks with Microsoft to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.
If your team is having issues with Conditional Access policies and you’re using a public application in Entra ID, you’ll need to update your integration.
If you or one of your users see “400: invalid User Info endpoint or request” when you test the connection to Entra ID or link an app or browser to your 1Password account for the first time, make sure the user’s DisplayName, GivenName, or FamilyName in Entra ID doesn’t contain any of the following characters: <>%"\;[]{}
Get help if you need to switch to a new identity provider after you set up Unlock with SSO.
Learn more
- About 1Password Unlock with SSO
- Understanding Unlock with SSO security
- Add and remove team members
- Use custom groups in 1Password Business
- If you have trouble unlocking 1Password with Microsoft