With 1Password Device Trust (formerly Kolide) and Microsoft Entra ID, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.
Before you begin
Before you can set up Device Trust and Entra ID, you’ll need:
1Password Extended Access Management. Device Trust is included with this subscription.
- To sign up for 1Password Extended Access Management, contact the 1Password Sales team.
A Microsoft Entra plan with a P1 license or higher.
Access permissions in Entra ID for the following roles:
- Application Administrator
- Authentication Administrator
- Authentication Policy Administrator
- Conditional Access Administrator
- Groups Administrator
The Device Trust and Entra ID implementation doesn’t support:
- Guest-user logins
- Cross-tenant users
- External authentication methods for Azure Government Cloud
These steps were recorded in October 2024 and may have changed since. Refer to the Microsoft Entra ID documentation for the most up-to-date steps.
Step 1: Configure the external authentication method
Step 1.1: Create a 1Password Device Trust enabled group in Entra ID for testing
To test the implementation and make sure it works the way you want it to, first create a Device Trust enabled group in Entra ID that contains only your test users.
- Open two browser windows side-by-side. In one window, sign in to 1Password Device Trust (formerly Kolide).
- In the second window, sign in to Entra ID.
- In Entra ID, select Groups in the sidebar, then select New group.
- Fill out the fields, including:
- Group type: Select Security.
- Group name: Enter the name “1Password Device Trust Enabled”.
- Group description: Enter a description of the group. For example: “1Password Extended Access Management Device Trust Enabled Users”.
- Membership type: Choose Assigned.
- Owners: Choose your group owners.
- Members: Choose your test users.
- Select Create.
Step 1.2: Set up an App Registration and External Authentication Method for 1Password Device Trust
Copy and paste the Tenant ID
- In Entra ID, find your organization’s Tenant ID. Select Default Directory at the top of the page, then choose Overview in the sidebar.
- Copy the Tenant ID.
- In Kolide, select your profile in the top-right corner of the page, then select Settings and choose Identity Providers in the sidebar.
- Select Microsoft Entra, then select Set Up Authenticator.
- You’ll see a prompt to enter your Microsoft Entra Tenant ID. Paste the Tenant ID you copied from the Entra ID Overview page into the field and select Discover OIDC Metadata Endpoints. The endpoint information will populate into Kolide.
Register the application in Entra ID
- In Entra ID, select Manage > App registrations in the sidebar.
- Select New registration.
- Enter the name “1Password Device Trust Auth” and select Web from the “Select a platform” dropdown.
- In Kolide, copy the Kolide Auth URI and paste it into the Redirect URI field in Entra ID.
- Select Register to create the application.
Add Application Redirect URIs
- After you’ve successfully created the application, select Manage > Authentication in the sidebar.
- In the “Platform configurations” section in Entra ID, select Add a platform, then select Web.
- In Kolide, copy the Issuer URI and paste it into the second Redirect URIs field in Entra ID.
- Select Add URI again in the Web section of the page in Entra ID.
- In Kolide, copy the Authorization URL and paste it into the third Redirect URIs field in Entra ID.
- In Entra ID, select Save at the bottom of the page to update the application.
Add an external authentication method in Entra ID
- In Entra ID, select Overview in the sidebar.
- In the Essentials section, copy the Application (client) ID.
- Select Default Directory at the top of the page, then select Security in the sidebar.
- Choose Manage in the sidebar, then select Authentication methods.
- Select Add external method, then paste the Application (client) ID you copied from the Essentials section into the App ID field.
- Enter a name for the external authentication method, like “1Password Device Trust”. This name cannot be changed later, and it’s the name your team will see when they choose a multi-factor authentication method.
- In Kolide, copy the Client ID and paste it into the Client ID field in Entra ID.
- In Kolide, copy the Discovery URL and paste it into the Discovery Endpoint field in Entra ID.
- In Entra ID, select Request permission. You’ll see a message that says “Admin consent granted” once the permission request goes through.
You may be asked to sign in again and accept the permissions request.
Add targets
- After admin consent is granted, toggle on Enable in the “Enable and target” section.
- Select Add Target in the “Enable and target” section, then select Add Target and choose Select Targets in the dropdown.
- Find and select the checkbox for the “1Password Device Trust Enabled” group in the list, then choose Select at the bottom of the page.
- Select Save at the bottom of the page.
- Close the “Saving external authentication method” notification, then select X in the top-right corner of the “Authentication methods | Policies” overlay to close it.
Step 2: Configure SAML SSO for 1Password Device Trust
Create a new Enterprise Application in Entra ID
- Select Default Directory at the top of the page in Entra ID, then select Manage > Enterprise applications in the sidebar.
- Select New application, then select Create your own application.
- Enter “1Password Device Trust SSO” for the name of the app.
- Select Integrate any other application you don’t find in the gallery (Non-gallery), then select Create.
Assign the 1Password Device Trust Enabled group
- Select Manage > Users and groups in the sidebar.
- Select Add user/group.
- Choose None Selected.
- Select the checkbox next to the 1Password Device Trust Enabled group, then choose Select.
- Select Assign at the bottom of the page.
Add single sign-on
- Select Manage > Single sign-on in the sidebar.
- Select SAML as the single sign-on method.
Add the Entity ID
- Select Edit within the Basic SAML Configuration box.
- In the Identifier (Entity ID) section, select Add identifier.
- In Kolide, choose Set Up Single Sign On Provider.
- In Kolide, copy the Kolide Entity ID, then paste it into the Enter an identifier field in Entra ID.
- In the Identifier (Entity ID) section, select Add identifier a second time.
- Paste the Kolide Entity ID into the second Enter an identifier field in Entra ID, then change the “app” part of the Kolide Entity ID to “auth”. For example:
- https://app.kolide.com/
- https://auth.kolide.com/
Add the Reply URL
- In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section.
- In Kolide, copy the Kolide ACS URL and paste it into the Enter a reply URL field in Entra ID.
- In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section a second time.
- Paste the Kolide ACS URL into the second Enter a reply URL field in Entra ID, then change the “app” part of the Kolide ACS URL to “auth”. For example:
- https://app.kolide.com/
- https://auth.kolide.com/
- In Entra ID, select Save, then select X in the top-right to close the Basic SAML Configuration overlay.
- Select No, I’ll test later in the “Test single sign-on with 1Password Device Trust SSO” notification.
Configure 1Password Device Trust SSO to link with Entra ID
- In the “Set up 1Password Device Trust SSO” box in Entra ID, copy the Login URL and paste it into the Provider SSO URL field in Kolide.
- In Entra ID, select Download next to Certificate (Base64) in the SAML Certificates box.
- Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
- In Kolide, select Save Settings.
Step 3: Configure SCIM provisioning for 1Password Device Trust
Set up provisioning
- In Entra ID, select Manage > Provisioning in the sidebar.
- Select Get started.
- Choose Automatic from the “Provisioning Mode” dropdown.
- Select the Admin Credentials dropdown.
- In Kolide, choose Set Up User Provisioning.
- In Kolide, copy the SCIM Connector Base URL and paste it into the Tenant URL field in the Admin Credentials section of Entra ID.
- In Kolide, select Generate Authorization Bearer Token and copy the generated token.
- Paste the bearer token into the Secret Token field in the Admin Credentials section of Entra ID.
- In Entra ID, select Test Connection, then select Save when the testing is complete.
Map attributes
- In Entra ID, select the Mappings dropdown and choose Provision Microsoft Entra ID Users.
- Make sure that the “userName” attribute maps to “userPrincipalName” in the Attribute Mappings table.
- Select Edit for the email attribute.
- Select the Source attribute dropdown and choose userPrincipalName, then select Ok.
- Select Edit for the “externalId” attribute.
- Select the Source attribute dropdown and choose objectID, then select Ok.
- Select Save.
- In Kolide, select I’ve Saved the Token, Finish Set Up.
- In Entra ID, select X in the top-right corner of the Attribute Mapping overlay to close it, then select X in the top-right corner of the Provisioning overlay to close it as well.
Start provisioning
- In Entra ID, select Start Provisioning.
Entra ID has 40-minute provisioning cycles, so you can either start the initial provisioning cycle or wait for it to start.
- In Kolide, select the vertical ellipsis icon, then choose Make Primary.
Step 4: Create a Conditional Access policy
- Select Default Directory at the top of the page, then select Security > Conditional Access in the sidebar.
- Select New policy, then enter “Require 1Password Device Trust (Kolide)” for the name, or a name that meets your internal naming conventions.
- In the Users section, select 0 users and groups selected, then choose Select users and groups and select the checkbox next to Users and groups.
- Select your 1Password Device Trust Enabled group and choose Select.
- In the Target resources section, select 1 app included, then open the Select what this policy applies to dropdown and select No target resources selected.
- Choose Select apps, then select None under Select.
- Select your 1Password Device Trust SSO app and choose Select.
- In the Grant section, select 0 controls selected, then select the checkbox next to Require multifactor authentication and choose Select.
- In the Enable Policy section, select On.
This makes sure that team members are prompted with the Kolide Device Trust verification step.
- Select Create.
As an optional step, you can choose which apps you’d like to include or exclude. To do this, change the Target resources section. Select All cloud apps, or add additional selected apps in the Select section. We recommend you limit your selected apps so you can control which users and apps are using 1Password Device Trust.
The next time a user in your 1Password Device Trust Enabled group signs in to the SSO-controlled resource, Kolide will check the health of their device. If the user passes the device health checks you’ve set up in Kolide, they’ll be able to sign in without taking additional steps. If they fail a check, Kolide will show them how to resolve the issue. After the user has fixed the issues with their device, Kolide will perform an instant recheck so they can sign in.
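The same policy as Step 4, expressed with Microsoft Graph PowerShell instead of the Entra admin center, as an added example that is not part of the 1Password article. It assumes the Microsoft.Graph module is installed and that the group and enterprise application were created with the display names used in Steps 1 and 2; the scopes listed are the Graph permissions the calls need.

```powershell
# Added example, not from the 1Password article: create the Step 4 Conditional Access
# policy with Microsoft Graph PowerShell instead of the Entra admin center.
# Assumes the Microsoft.Graph module is installed and that the group and enterprise
# application were created with the display names used in Steps 1 and 2.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "Application.Read.All"

# Look up the objects by display name so no IDs are hard-coded.
$group = Get-MgGroup -Filter "displayName eq '1Password Device Trust Enabled'"
$sp    = Get-MgServicePrincipal -Filter "displayName eq '1Password Device Trust SSO'"
if (-not $group -or -not $sp) { throw "Group or enterprise application not found; check the display names." }

$policy = @{
    displayName = "Require 1Password Device Trust (Kolide)"
    # "enabled" matches selecting On in Step 4; use "enabledForReportingButNotEnforced"
    # to run in report-only mode while you test with the pilot group.
    state       = "enabled"
    conditions  = @{
        # Scope to the pilot group only, as the article recommends.
        users        = @{ includeGroups = @($group.Id) }
        # Conditional Access targets apps by their application (client) ID, not the object ID.
        applications = @{ includeApplications = @($sp.AppId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the MFA requirement is what triggers the external method prompt
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm it is scoped and enabled as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1}, groups={2}, apps={3}" -f $check.DisplayName, $check.State,
    ($check.Conditions.Users.IncludeGroups -join ','), ($check.Conditions.Applications.IncludeApplications -join ',')
```

Keeping the users condition scoped to the pilot group mirrors the article's recommendation to limit which users and apps use Device Trust until testing in Step 5 is complete.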
Step 5: Test Device Trust
To test the Device Trust sign-in process from the perspective of your team:
- Sign in as a user that belongs to your 1Password Device Trust Enabled group.
- As an optional step, pre-install the Kolide agent to simulate pushing the agent out to your devices. This is optional because the user will be prompted to install the agent if it is not present.
- In Kolide, select Downloads in the sidebar.
- Download the installer for your operating system and follow the on-screen instructions through to the success message.
- In the task bar, you’ll see a Kolide icon that appears for about 60 seconds.
- In a new private browser window, go to https://app.kolide.com, or go to any other application included in your new Conditional Access policy to sign in.
A private browser window makes sure the existing session is not cached.
- Sign in with your Microsoft username and password. When you’re prompted for a second factor, don’t enter a Microsoft Authenticator or other authentication code; instead, select I can’t use my Microsoft Authenticator app right now.
- Select Approve with 1Password Device Trust to redirect to Kolide and validate that the Kolide agent is installed.
If the agent was pre-installed on the end-user device, it will register the device. If the agent is not installed, the user will be prompted to download and install the agent before the new device can be registered.
To see how Kolide handles failed checks, first set up device health checks for your team. Then:
- In Kolide, choose the Devices tab and select your device to see if there are any failing checks.
- Select Details on a check that is straightforward to fix, like File Extensions Are Not Visible in Finder.
- Select Actions > Edit Check Settings.
- In the Remediation Strategy section, select Configure.
- Choose Block Immediately and select Save.
- In a new private browser window, go to https://app.kolide.com, or any other application included in your new Conditional Access policy.
- Sign in with your Microsoft credentials using your username and password. However, don’t enter a Microsoft Authenticator or software authenticator code. Then select I can’t use my Microsoft Authenticator app right now.
- Select Approve with 1Password Device Trust to redirect to Kolide. You should be blocked by Kolide based on the check you changed earlier.
- Select Fix this issue, which opens a new table that shows you how to fix the issue.
- Fix the issue, then return to the Kolide window and select I’ve fixed it. Recheck now.
Kolide will run a real-time check to validate that the issue has been fixed before completing the sign-in flow.
As part of future testing, continue to add new users to the 1Password Device Trust Enabled group and have users test the sign-in flow.
Get help
If you need to generate a new bearer token
You can generate a new bearer token for SCIM provisioning at any time by following the instructions in Step 3.
If you can’t authenticate with SAML
After configuring the integration, if you get an error that says “Could not authenticate you via SAML” when you try to authenticate with Device Trust, you’ll need to re-download the SAML certificate from Entra ID (the one you downloaded in Step 2) and upload it to Kolide again:
- In Kolide, select your profile, then select Settings and choose Identity Providers in the sidebar.
- Select Microsoft Entra, then choose Set Up Single Sign On Provider.
- In Entra ID, select Manage > Enterprise applications in the sidebar.
- Choose your Device Trust application in the list.
- Select Manage > Single sign-on.
- Choose SAML, then select Download next to Certificate (Base64) in the SAML Certificates box.
- Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
- In Kolide, select Save Settings.
If you’d like to upload the Kolide logo to your Enterprise Application
If you’d like to add the Kolide logo to your app:
- In Entra ID, select Manage > Enterprise applications in the sidebar.
- Choose your Device Trust application in the list.
- Select Manage > Properties.
- Download the Kolide logo.
- Choose Select a file and upload the Kolide logo.
- Select Save.