With 1Password Business, you can bring single sign-on (SSO) authentication to your team members by connecting Microsoft Entra ID (previously Azure AD) with 1Password using Unlock with SSO.
Unlock with SSO doesn’t include automated provisioning. If you want to create users and groups, manage access, and suspend 1Password users with your identity provider, learn how to automate provisioning using SCIM.
This guide will help you set up a public client, which does not support Conditional Access policies. To use Conditional Access policies, set up a private client instead.
Before you begin
Before you can set up Unlock with SSO, you’ll need to:
- Make sure team members have the following versions installed on their computers and mobile devices:
  - 1Password browser extension
  - 1Password 8 for iOS or Android
  - 1Password 8 for Mac, Windows, or Linux
  - 1Password CLI (optional)
- Be an administrator in your 1Password Business account. Owners currently cannot unlock with SSO.
- Have Application Administrator and Group Administrator privileges in Microsoft Entra ID.
After you have these prerequisites, follow the steps below.
These steps were recorded in April 2023 and may have changed since. Refer to the Microsoft documentation for the most up-to-date steps.
Step 1: Add the 1Password SSO application to Entra ID
To get started, sign in to your account on the Microsoft Azure portal, then follow these steps:
- Search for and select Microsoft Entra ID.
- Under Manage, select App registrations then click New registration.
- Enter a name for your application.
- Select your preferred supported account types.
- Leave the Redirect URI field blank. You’ll fill it out later.
- Click Register to create the application.
You’ll see the details of the application you just created. Keep this open for the next step.
Step 2: Configure Unlock with SSO
Important
The changes you make below won’t be saved until you successfully authenticate with Microsoft. This prevents you from locking yourself out of 1Password.
2.1: Set up Unlock with SSO
- Open a new browser tab or window and sign in to your account on 1Password.com.
- Click Policies in the sidebar.
- Click Manage under Configure Identity Provider.
- Follow the onscreen instructions to set up Unlock with SSO.
- Find your Application ID on the overview page of the application you created in step 1.
- Find your OpenID configuration document URL by navigating to the endpoints tab of the overview page and copying the OpenID Connect metadata document.
2.2: Configure the Entra ID application
From the app overview page you’re taken to after completing step 1:
- In the sidebar under Manage, click Authentication.
- Under “Platform configurations”, select Add a platform, then choose Single-page application.
- Copy and paste the first URI from your Configure Identity Provider page.
- Leave the Front-channel logout URL field blank.
- Select ID tokens under “Implicit grant and hybrid flows”.
- Click Configure.
- Select Add a platform again, then choose Mobile and desktop applications.
- Copy and paste the second URI from your Configure Identity Provider page into the Custom redirect URIs field.
- Leave other redirect URI options deselected.
- Click Configure.
2.3: Configure API permissions
- Click API permissions in the sidebar.
- Click Add a permission.
- Click Microsoft Graph then Delegated permissions.
- Under “OpenId permission”, select email, openid, and profile.
- Click Add permissions.
Optional: You can click Grant admin consent to give tenant-wide consent for the 1Password application. Otherwise, each user will grant consent the first time they use Unlock 1Password with Microsoft. 1Password asks only for read access to the permissions listed above.
Important
For a user to sign in to 1Password with Microsoft, the email listed in Entra ID must match the email associated with their 1Password account. Note that their User Principal Name can be different.
2.4: Configure required claims
1Password requires the `sub`, `name`, and `email` claims from Entra ID. By default, Entra ID provides a `subject` claim, which maps the `name` and `email` user properties automatically. 1Password will attempt to match users with the `sub` property in Entra ID. If this fails, it falls back to the `email` property.
If your users have an email property that differs from their User Principal Name (UPN), you must create an optional `upn` claim for the OIDC ID Token. An `email` claim is still required after you add a `upn` claim.
- Select the app registration you created earlier.
- Click Token configuration in the sidebar.
- Click Add optional claim.
- Choose ID.
- Scroll down and check UPN, then click Add.
Learn more about providing optional claims in Entra ID.
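The claim requirements and matching order in step 2.4 are easier to reason about as code. The following is an added example, not 1Password's or Microsoft's code: it checks a decoded (already signature-verified) ID token payload for the issuer, audience and the required `sub`, `name` and `email` claims, then applies the matching order the page describes (`sub` first, then `email`). The tenant ID, Application ID, metadata document, token payload and directory entries are all constructed placeholders, and the case-insensitive email comparison is this example's assumption.

```python
"""Added example (not 1Password's or Microsoft's code): checks a decoded Entra ID
ID token for the claims Unlock with SSO needs and applies the matching order
the page describes (sub first, then email). All IDs and users are constructed."""

# Placeholders: replace with your tenant ID and the Application ID from step 1.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APPLICATION_ID = "11111111-1111-1111-1111-111111111111"

# Constructed stand-in for the OpenID Connect metadata document (the real one is
# fetched from the URL copied in step 2.1); only the fields used here are shown.
OPENID_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}

REQUIRED_CLAIMS = ("sub", "name", "email")


def check_token_claims(claims, metadata=OPENID_METADATA, app_id=APPLICATION_ID):
    """Return a list of problems with an already signature-verified ID token payload.

    An empty list means the token carries everything the page says is required.
    A `upn` claim is optional and does not substitute for `email`, so a token
    with `upn` but no `email` is still reported as incomplete.
    """
    problems = []
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss does not match the issuer in the metadata document")
    if claims.get("aud") != app_id:
        problems.append("aud is not this Application ID")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing required claim: {name}")
    return problems


def match_user(claims, directory):
    """Find the 1Password account for a token: match on sub first, then email.

    `directory` is a list of dicts with 'email' and 'sub' (None for accounts
    that have not yet linked to the identity provider). Case-insensitive email
    comparison is this example's assumption, not something the page states.
    Returns (account, how) or (None, None).
    """
    sub = claims.get("sub")
    for account in directory:
        if sub and account.get("sub") == sub:
            return account, "sub"
    email = (claims.get("email") or "").casefold()
    for account in directory:
        if email and account["email"].casefold() == email:
            return account, "email"
    return None, None


# Constructed sample data.
SAMPLE_CLAIMS = {
    "iss": OPENID_METADATA["issuer"],
    "aud": APPLICATION_ID,
    "sub": "sub-constructed-0001",
    "name": "Wendy Appleseed",
    "email": "wendy@example.com",
    # UPN differs from email: the case where the optional upn claim matters.
    "upn": "wappleseed@example.onmicrosoft.com",
}
SAMPLE_DIRECTORY = [
    {"email": "Wendy@example.com", "sub": None},  # not yet linked to the IdP
    {"email": "bob@example.com", "sub": "sub-constructed-0002"},
]

if __name__ == "__main__":
    print("problems:", check_token_claims(SAMPLE_CLAIMS) or "none")
    account, how = match_user(SAMPLE_CLAIMS, SAMPLE_DIRECTORY)
    print("matched", account["email"], "via", how)
```

Running the block matches Wendy by email because her account has no stored `sub` yet; once a `sub` is stored, the same token matches on `sub` and the email no longer has to agree, which is why the page insists the email match is correct before the first sign-in.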
2.5: Test the connection
Once you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Microsoft to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.
Step 3: Specify which team members will unlock 1Password with Microsoft and set a grace period
After you configure Unlock with SSO, you’ll be redirected to the settings page in your 1Password account. Before you configure your settings, you’ll need to create groups for the team members who will unlock 1Password with Microsoft:
- Give the group a descriptive name, like "Microsoft SSO", for clarity.
- Add team members to the group.
If you plan to invite additional team members to test Unlock with Microsoft at a later date, create a new custom group for each additional set of testers.
The group(s) you create don’t have to be permanent, and you can eventually set your whole team to unlock with SSO once some groups have successfully migrated.
3.1: Choose who will unlock with Microsoft
Important
Users in the owners group can’t unlock with Microsoft and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their linked apps and browsers and no one can recover them.
Learn more about implementing a recovery plan for your team.
By default, “People unlocking 1Password with an identity provider” is set to “No one”. This allows you to gradually migrate your team to unlock with Microsoft. To specify which team members will unlock 1Password with Microsoft, select one of the options:
- No one: To turn off Unlock with Microsoft, select No one.
- Selected groups (recommended): Only the team members in groups you choose will sign in with Microsoft. Learn how to use custom groups in 1Password Business.
- Everyone except guests: All team members, except owners and guests, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.
- Everyone (not recommended): Guests and all team members, except owners, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password.
3.2: Set a grace period
Team members who already have 1Password accounts will need to switch to unlock with Microsoft. Specify the number of days before team members must switch. Consider the following when you set the grace period:
- By default, the grace period is set to 5 days. It can be set to 1 to 30 days.
- The grace period begins when an administrator adds a group after they choose the Selected groups option or when an administrator configures Unlock with Microsoft for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with Microsoft.
- If a team member belongs to more than one group, their grace period is determined by the first group set up with SSO, even if the grace periods are different for those groups.
- If you add a user to a group with an expired grace period, you or another administrator will need to recover their account so they can set up unlock with SSO.
- If you edit the length of the grace period, it will be prolonged or shortened from the original configuration date. The grace period count doesn’t reset to zero when updated.
- If you plan to have more team members unlock with Microsoft after initial configuration, it’s best to create a new custom group with its own grace period. This will make sure newly assigned team members won’t need their accounts recovered.
Important
If a team member doesn’t migrate to Unlock with Microsoft before the end of the grace period, they’ll be signed out of all their devices and must contact an administrator to recover their account.
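The grace-period rules above interact (first group wins, edits shift from the original date, no reset), and it helps to see them applied to a few users before changing settings. The following is an added example, not 1Password's code: it models those rules with constructed group names, members and dates and reports who has migrated, who is still pending, and who would now need an administrator to recover their account.

```python
"""Added example (not 1Password's code): models the grace-period rules listed
above so an administrator can see who is close to, or past, their deadline.
Group names, members and dates are constructed."""
from datetime import date, timedelta

DEFAULT_GRACE_DAYS = 5
MIN_GRACE_DAYS, MAX_GRACE_DAYS = 1, 30


def validate_grace_days(days):
    """The page states the grace period can be set to 1 to 30 days."""
    if not MIN_GRACE_DAYS <= days <= MAX_GRACE_DAYS:
        raise ValueError(f"grace period must be {MIN_GRACE_DAYS}-{MAX_GRACE_DAYS} days, got {days}")
    return days


def group_deadline(group):
    """Deadline = date the group was configured for SSO + grace days.

    Editing grace_days later moves the deadline relative to the original
    configuration date; the count does not restart from the edit date.
    """
    return group["configured_on"] + timedelta(days=validate_grace_days(group["grace_days"]))


def member_deadline(member, groups):
    """The first group configured for SSO that contains the member decides the
    deadline, even when other groups have different grace periods."""
    mine = [g for g in groups if member in g["members"]]
    if not mine:
        return None
    return group_deadline(min(mine, key=lambda g: g["configured_on"]))


def migration_report(groups, migrated, today):
    """Map each member to 'migrated', 'pending' or 'needs recovery'.

    A member who has not switched by the end of the deadline day is signed out
    everywhere and needs an administrator to recover the account.
    """
    report = {}
    for member in sorted(set().union(*(g["members"] for g in groups))):
        if member in migrated:
            report[member] = "migrated"
        elif today > member_deadline(member, groups):
            report[member] = "needs recovery"
        else:
            report[member] = "pending"
    return report


# Constructed data: a pilot group with the default grace period and a second
# wave configured a week later with a longer one. "bob" sits in both groups.
PILOT = {"name": "Microsoft SSO pilot", "configured_on": date(2023, 4, 3),
         "grace_days": DEFAULT_GRACE_DAYS, "members": {"alice", "bob"}}
WAVE2 = {"name": "Microsoft SSO wave 2", "configured_on": date(2023, 4, 10),
         "grace_days": 14, "members": {"bob", "carol"}}
GROUPS = [PILOT, WAVE2]
MIGRATED = {"alice"}
TODAY = date(2023, 4, 12)

if __name__ == "__main__":
    for member, status in migration_report(GROUPS, MIGRATED, TODAY).items():
        print(f"{member}: {status} (deadline {member_deadline(member, GROUPS)})")
```

In the sample, bob's deadline comes from the pilot group even though wave 2 gives him 14 days, so on 12 April he already needs recovery; raising the pilot grace period to 10 days moves his deadline to 13 April without restarting the count, which matches the page's advice to put later testers in a fresh group rather than editing an existing one.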
Optional: Add 1Password to the Microsoft My Apps page
You can add 1Password to the My Apps page so your team can quickly open your sign-in address from there:
- Sign in to the Microsoft Azure portal.
- Click Microsoft Entra ID, then select App registrations in the sidebar.
- Click the 1Password SSO app registration.
- Choose Branding & Properties from the sidebar.
- Enter your team’s sign-in address in the “Home page URL” field.
- Return to Microsoft Entra ID, then choose Enterprise applications in the sidebar.
- Click the app you just configured.
- Choose Properties under Manage in the sidebar, then make sure Visible to users? is set to Yes.
Manage settings
To manage your settings, sign in to your account on 1Password.com, then click Policies and choose Manage under Configure Identity Provider.
Configuration
To change your configuration with Entra ID, click Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO. You can only set up one identity provider to unlock with SSO.
You can only save an identity provider configuration after you've successfully tested the connection. Changes won't be saved if you can't successfully authenticate with Microsoft. This prevents locking yourself out of 1Password.
People assignments and biometrics
Click Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with Microsoft.
- To specify which team members will unlock 1Password with Microsoft, select No one, Selected groups, Everyone except guests, or Everyone.
"Selected groups" is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with Microsoft, select No one.
- Specify the number of days before team members must switch to unlocking with Microsoft.
The default grace period is 5 days. If a team member doesn't migrate to Unlock with Microsoft before the end of the grace period, they must contact their administrator to recover their account.
- To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select Allow people to unlock 1Password using biometrics. Specify the number of days or weeks before they’ll be asked to sign in to Microsoft again.
When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.
Click Review Changes to verify your choices, then click Save.
Next steps
To use Unlock with Microsoft yourself, get started with Unlock 1Password with Microsoft as a team member.
Learn how to unlock 1Password with Microsoft on all of your devices and link additional apps and browsers to your account.
Tip
If your IT team has a policy that clears browsing data when a browser is closed, exclude your team’s sign-in address from that policy to make sure your team members won’t lose access to their linked browsers.
You can also encourage your team to link other apps and browsers to their accounts, like the 1Password desktop app, after they sign up or switch to unlock with SSO.
Get help
You can find your Application ID and OpenID configuration document URL on the overview page of the application you created in step 1.
If a team member is moved from a group that unlocks with Microsoft to one that doesn’t, they’ll be prompted to create an account password and download their Emergency Kit.
If you or one of your users see “400: invalid User Info endpoint or request” when you test the connection to Entra ID or link an app or browser for the first time, make sure the user’s DisplayName, GivenName, or FamilyName in Entra ID doesn’t contain any of the following characters: < > % " \ ; [ ] { }
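Rather than discovering the “400: invalid User Info endpoint or request” error one user at a time, you can check name fields before rolling out. The following is an added example, not 1Password's or Microsoft's code: it scans a constructed CSV export of users for the characters listed above and suggests a cleaned name. The column headers (UserPrincipalName, DisplayName, GivenName, FamilyName) are an assumption about the export format; adjust them to match whatever your directory export produces.

```python
"""Added example (not 1Password's or Microsoft's code): pre-flight check of a
user export for the characters the page says trigger the
"400: invalid User Info endpoint or request" error. The CSV is constructed."""
import csv
import io

# The characters listed on the page: < > % " \ ; [ ] { }
FORBIDDEN = set('<>%"\\;[]{}')

# Assumed export column names; change to match your directory export.
NAME_FIELDS = ("DisplayName", "GivenName", "FamilyName")
UPN_FIELD = "UserPrincipalName"

# Constructed sample export: two of the four users have a problematic DisplayName.
SAMPLE_EXPORT = """\
UserPrincipalName,DisplayName,GivenName,FamilyName
wendy@example.onmicrosoft.com,Wendy Appleseed,Wendy,Appleseed
bob@example.onmicrosoft.com,"Bob [Contractor]",Bob,Smith
eve@example.onmicrosoft.com,Eve O'Brien,Eve,O'Brien
dan@example.onmicrosoft.com,Dan <Sales>;,Dan,Jones
"""


def find_invalid_names(csv_text):
    """Return (upn, field, offending characters) for every name field that
    contains a forbidden character, in export order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in NAME_FIELDS:
            bad = sorted(FORBIDDEN.intersection(row.get(field) or ""))
            if bad:
                findings.append((row[UPN_FIELD], field, "".join(bad)))
    return findings


def strip_forbidden(name):
    """Suggested remediation: the same name with the forbidden characters removed."""
    return "".join(ch for ch in name if ch not in FORBIDDEN)


if __name__ == "__main__":
    for upn, field, bad in find_invalid_names(SAMPLE_EXPORT):
        print(f"{upn}: {field} contains {bad!r}")
```

Apostrophes and other punctuation not in the list (Eve O'Brien in the sample) are left alone; only the characters the page names are reported.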
Get help if you need to switch to a new identity provider after you set up Unlock with SSO.