With 1Password Business, you can integrate 1Password with Microsoft Entra ID to automate many common administrative tasks:
Provision users
- Create users: Assigned users and groups will be provisioned to 1Password.
- Update user attributes: Changing user attributes in your directory will change the mapped attributes in 1Password.
- Deactivate users: Disabling a user or removing their assignment in Entra ID will suspend the user in 1Password.
Manage groups
- Assign groups: Assign groups from your directory to sync them to 1Password or manage existing 1Password groups in Entra ID.
To get started, sign in to your account on the Microsoft Azure portal and follow these steps.
Before you begin
Before you can integrate 1Password with Entra ID, you’ll need to:
- Have a premium subscription for the administrator that will manage the 1Password application in Entra ID.
- Be an administrator in your 1Password Business account.
Step 1: Turn on provisioning in 1Password
- Sign in to your account on 1Password.com.
- Select Integrations in the sidebar.
- Select Entra ID in the User Provisioning section.
- Select Set up hosted provisioning.
- Save your credentials in 1Password in case you need them later, then select Next.
- Leave this page open and continue to step 2.
Step 2: Add 1Password as an enterprise application
To add 1Password as an enterprise application in Entra ID:
- Select Microsoft Entra ID, then select Enterprise applications in the sidebar.
- Select New application, then choose Create your own application.
- Enter “1Password EPM” for the name of the app and select Integrate any other application you don’t find in the gallery (Non-gallery). Then select Create.
You’ll see the details of the application you just created. Continue to the next section to configure it.
If you use unlock with SSO, you'll also need to configure the enterprise application you just created for SSO.
Step 3: Configure the application
On the 1Password EPM application details page:
- Select Users and groups in the sidebar, then add a test user or group you want to provision to 1Password. You can add all the users and groups you want to provision after you test the integration.
- Select Provisioning in the sidebar, then select Connect your application.
- Fill out the following fields:
  - Tenant URL: Copy and paste your SCIM URL from the hosted provisioning setup page (not your 1Password account sign-in address). Do not include a trailing slash. For example: https://provisioning.dev.us.svc.1infrapreview.net/scim/v2
  - Secret token: Copy and paste your bearer token from the hosted provisioning setup page.
- Select Test Connection, then select Create and wait a moment for it to be created.
3.1: Customize attribute mappings
- Select Attribute mapping in the sidebar.
- Select Provision Microsoft Entra ID Users.
- Find the userName attribute in the customappsso column and select Edit.
- Change the source attribute from userPrincipalName to mail. If you choose a different Entra ID source attribute, make sure it's a routable email address.
- Select Ok.
- Select Save then select X in the top right.
Learn more about the required attributes and recommended mappings.
3.2: Test provisioning
- Select Provision on demand in the sidebar.
- Enter the name of the user or group that you chose in step 2. If you chose a group, make sure to select users in the group.
- Select Provision.
Review the results of this test to make sure the selected users and groups were synced to 1Password, then continue to the next step.
3.3: Scope users and turn on provisioning
When you’re ready to turn on provisioning:
- From the sidebar, select Users and groups and add the users and groups you want to provision. The users and groups you select will immediately sync after the next step and new users will receive an invitation email.
- From the sidebar, select Overview > Start provisioning.
Tip
Microsoft Entra ID has a 40-minute sync cycle so changes you make will occur after this cycle completes.
To sync user and group changes to 1Password immediately, use on-demand provisioning.
Next steps
When you turn on provisioning, existing 1Password users will be linked to Entra ID users if their email address matches. If their email address is different, they’ll be invited to 1Password again, so make sure any affected team members update their email address before you turn on provisioning.
If a team member hasn’t accepted their invite after 2 days, they’ll receive a reminder email. Invites don’t expire.
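A pre-flight check for the email matching described above and for the routable-email requirement in step 3.1, as an added example that is not 1Password's or Microsoft's code. The CSV columns, the sample addresses, the preflight function and the mail_domains allow-list are assumptions made for illustration, as is the case-insensitive comparison.

```python
import csv
import io
import re

# Syntactic check only: local@domain.tld. Real deliverability cannot be tested offline.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample data (not from the page): an Entra ID user export with the
# default and recommended userName sources, and the current 1Password member emails.
ENTRA_CSV = """userPrincipalName,mail
ana@corp.example,ana@corp.example
bo@corp.onmicrosoft.example,bo.li@corp.example
cy@corp.example,
dee@corp.example,dee@corp.local
"""
ONEPASSWORD_EMAILS = ["Ana@corp.example", "bo@corp.example", "eve@corp.example"]


def preflight(entra_csv, op_emails, mail_domains):
    """Classify each scoped Entra ID user by the outcome its mail value leads to."""
    # Assumption: addresses are compared case-insensitively.
    existing = {e.strip().lower() for e in op_emails}
    report = {"linked": [], "new_invite": [], "not_routable": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(entra_csv)):
        mail = (row.get("mail") or "").strip().lower()
        match = EMAIL_RE.match(mail)
        # Assumption: "routable" means well-formed and in a domain you accept mail for.
        if not match or match.group(1) not in mail_domains:
            report["not_routable"].append(row["userPrincipalName"])
            continue
        seen.add(mail)
        report["linked" if mail in existing else "new_invite"].append(mail)
    # Existing members with no matching Entra ID mail stay unlinked; if the same
    # person appears under "new_invite", they would be invited a second time.
    report["unmatched_existing"] = sorted(existing - seen)
    return report


if __name__ == "__main__":
    for bucket, users in preflight(ENTRA_CSV, ONEPASSWORD_EMAILS, {"corp.example"}).items():
        print(f"{bucket}: {users}")
```

Review the new_invite and unmatched_existing buckets together before you turn on provisioning: a person who appears in both under different addresses is the case where the email address should be updated first.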
If you have existing groups in 1Password that you want to sync with Entra ID, add them to the groups managed by provisioning:
- Sign in to your account on 1Password.com.
- Choose Integrations in the sidebar and choose Automated User Provisioning.
- Choose Manage in the Managed Groups section, then select the groups to sync.
If you've previously used the SCIM bridge, make sure to select any groups that were already synced with Entra ID. This will prevent problems syncing with your identity provider, including duplicate groups.
Tip
Learn about best practices for using automated provisioning.
Get help
If you need to manage team members with 1Password CLI, you’ll need to turn off hosted provisioning. You’ll be able to use 1Password CLI and hosted provisioning together in the future.
If users and groups aren’t being provisioned, make sure provisioning is turned on in your 1Password account:
- Sign in to your account on 1Password.com.
- Select Integrations in the sidebar.
- Select Hosted Provisioning.
- Make sure Sync 1Password with my identity provider is turned on.
Learn more
- (Microsoft Entra ID) Check the status of user provisioning
- Configure Unlock 1Password with Microsoft Entra ID
Appendix: Attribute mappings
Non-gallery applications in Entra ID include a default set of attribute mappings. The following attribute mappings are required for 1Password automated provisioning:
| 1Password (customappsso) attribute | Default Entra ID attribute | Recommended Entra ID attribute |
|---|---|---|
| userName | userPrincipalName | mail |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
| displayName | displayName | displayName |
| preferredLanguage | preferredLanguage | preferredLanguage |
| externalId | mailNickname | mailNickname |
Learn how to customize user provisioning attribute-mappings in Entra ID.