With 1Password Business, you can set up Unlock with Microsoft Entra ID (previously Azure AD). If you use Conditional Access policies in Entra ID, migrate to a private application in Entra ID and configure the settings in 1Password for the best experience.
Support for Entra ID Conditional Access policies in 1Password is currently in private beta. Contact your Customer Success Manager or 1Password Support for more information.
These steps were recorded in November 2023 and may have changed since. Refer to the Microsoft documentation for the most up-to-date steps.
Step 1: Create a secret for the 1Password SSO application in Entra ID
To get started, sign in to your account on the Microsoft Azure portal, then follow these steps:
- Search for and select Microsoft Entra ID.
- Under Manage, select App registrations, and click your 1Password SSO app registration.
- Choose “Certificates & secrets” in the sidebar.
- Choose “New client secret”. Give the secret a name, such as “1Password SSO”.
- Click Add, then click the copy icon beside the Value field to copy the secret. You’ll use this in the next step.
Secrets in Entra ID have an expiration date. To make sure your team can continue to sign in with Microsoft, you’ll need to update this secret in 1Password’s settings before it expires.
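One way to catch an expiring secret before it breaks sign-in, as an added example (not 1Password's or Microsoft's code): the script below reads the passwordCredentials list of an application object as returned by Microsoft Graph and classifies each secret by days remaining. The sample JSON is constructed, and the 30-day warning window and function names are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, shaped like a Microsoft Graph application object.
SAMPLE_APP = json.loads("""
{"displayName": "1Password SSO (sample)",
 "passwordCredentials": [
  {"displayName": "1Password SSO", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2024-05-15T09:30:00.1234567Z"},
  {"displayName": "old secret", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2023-12-01T00:00:00Z"},
  {"displayName": "rotated", "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2025-11-20T00:00:00Z"}]}
""")

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")

def parse_graph_time(value):
    """Parse a UTC timestamp, truncating fractions longer than microseconds."""
    m = _TS.fullmatch(value or "")
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def classify_secrets(app, now, warn_days=30):
    """Return (status, name, key_id, days_left) tuples, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        days_left = (parse_graph_time(cred.get("endDateTime")) - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left < warn_days:  # assumed 30-day warning window
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((status, cred.get("displayName"), cred.get("keyId"), days_left))
    return sorted(rows, key=lambda row: row[3])

if __name__ == "__main__":
    # Fixed "now" keeps the sample reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for status, name, key_id, days in classify_secrets(SAMPLE_APP, now):
        print(f"{status:9} {days:5d}d  {name}  ({key_id})")
```

An EXPIRED or EXPIRING row for the secret in use is the cue to create a new client secret and update it in 1Password’s settings.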
Step 2: Update your Unlock with SSO configuration
The changes you make below won’t be saved until you successfully authenticate with Microsoft. This prevents you from locking yourself out of 1Password.
2.1: Update your 1Password settings
- Open a new browser tab or window and sign in to your account on 1Password.com.
- Click Policies in the sidebar.
- Click Manage under Configure Identity Provider.
- Click Edit Configuration.
- Choose Private Client in the Client Type section.
- Paste the secret you created in Entra ID in the Application Secret field.
2.2: Update your Entra ID application
From the app registration page in Entra ID:
- In the sidebar under Manage, click Authentication.
- To remove the old redirect URIs, click beside the platforms, then choose Delete.
- Under “Platform configurations”, select “Add a platform”, then choose Web.
- Copy and paste the Redirect URI from your Configure Identity Provider page in your other browser tab.
- Leave the “Front-channel logout URL” field blank.
- Select “ID tokens” under “Implicit grant and hybrid flows”.
- Click Configure.
2.3: Test the connection
Once you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Microsoft to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.