
Configure 1Password Device Trust and Microsoft Entra ID

Learn how to implement 1Password Device Trust (Kolide) with Microsoft Entra ID to secure every device on your team.

With 1Password Device Trust (Kolide) and Microsoft Entra ID, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.

With this integration, you can:

  • Import your Microsoft Entra users and groups.
  • Protect the Kolide admin dashboard with Entra authentication.
  • Allow your users to sign in to Device Trust-protected apps with their Microsoft Entra credentials.

Before you begin

Before you can set up Kolide and Entra ID, you’ll need:

The Kolide and Entra ID implementation doesn’t fully support:

  • Guest-user logins
  • Cross-tenant users (requires that multi-factor authentication claims for cross-tenant users are trusted)
  • External authentication methods for Azure Government Cloud (limited to certain Azure Gov instances)

Important

Known limitation

Depending on your Entra configuration, end users may see more than one authentication option when signing in. If another multifactor method (for example, Microsoft Authenticator) is available to them, they can satisfy the Conditional Access grant with it and bypass the Kolide device health check entirely. Review which methods are enabled for the targeted group, and check your sign-in logs for MFA completions to protected apps that did not use the external method.

These steps were recorded in December 2024 and may have changed since. Refer to the Microsoft Entra ID documentation for the most up-to-date steps.

Step 1: Configure the external authentication method

Step 1.1: Create a 1Password Device Trust enabled group in Entra ID for testing

To test the implementation and make sure it works the way you want it to, first create a security group named “1Password Device Trust Enabled” that contains only your test users.

  1. Open two browser windows side-by-side. In one window, sign in to Kolide.
  2. In the second window, sign in to Entra ID.
  3. In Entra ID, select Groups in the sidebar, then select New group.
  4. Fill out the fields, including:
    • Group type: Select Security.
    • Group name: Enter the name “1Password Device Trust Enabled”.
    • Group description: Enter a description of the group. For example: “1Password Extended Access Management Device Trust Enabled Users”.
    • Membership type: Choose Assigned.
    • Owners: Choose your group owners.
    • Members: Choose your test users.
  5. Select Create.

Step 1.2: Set up an App Registration and External Authentication Method for 1Password Device Trust

Copy and paste the Tenant ID

  1. In Entra ID, find your organization’s Tenant ID. Select Default Directory at the top of the page, then choose Overview in the sidebar.
  2. Copy the Tenant ID.
  3. In Kolide, select your profile in the top-right corner of the page, then select Settings and choose Identity Providers in the sidebar.
  4. Select the Set Up button for Microsoft Entra, then select Set Up Authenticator.
  5. Paste the Tenant ID you copied in step 2 into the field and select Discover OIDC Metadata. The information will populate into Kolide.

Register the application in Entra ID

  1. In Entra ID, select Manage > App registrations in the sidebar.
  2. Select New registration.
  3. Enter the name “1Password Device Trust Auth” and select Web from the “Select a platform” dropdown.
  4. In Kolide, copy the Kolide Auth URI and paste it into the Redirect URI field in Entra ID.
  5. In Entra ID, select Register to create the application.

Add Application Redirect URIs

  1. After you’ve successfully created the application, in Entra ID select Manage > Authentication in the sidebar.
  2. In Kolide, copy the Issuer URI and paste it into the second Redirect URIs field in Entra ID.
  3. Select Add URI again in the Web section of the page in Entra ID.
  4. In Kolide, copy the Authorization URL and paste it into the third Redirect URIs field in Entra ID.
  5. In Entra ID, select Save at the bottom of the page to update the application.

Add an external authentication method in Entra ID

  1. In Entra ID, select Overview in the sidebar.
  2. In the Essentials section, copy the Application (client) ID.
  3. Select Default Directory at the top of the page, then select Security in the sidebar.
  4. Choose Manage in the sidebar, then select Authentication methods.
  5. Select Add external method, then paste the Application (client) ID you copied in step 2 into the App ID field.
  6. Enter a name for the external authentication method, like “1Password Device Trust”. This name cannot be changed later, and it’s the name your team will see when they choose a multi-factor authentication method.
  7. In Kolide, copy the Client ID and paste it into the Client ID field in Entra ID.
  8. In Kolide, copy the Discovery URL and paste it into the Discovery Endpoint field in Entra ID.
  9. In Entra ID, select Request permission. You’ll see a message that says “Admin consent granted” once the permission request goes through.

    You may be asked to sign in again and accept the permissions request.

Add targets

  1. After admin consent is granted, toggle on Enable in the “Enable and target” section.
  2. Select Add Target in the “Enable and target” section, then select Add Target and choose Select Targets in the dropdown.
  3. Find and select the checkbox for the “1Password Device Trust Enabled” group in the list, then choose Select at the bottom of the page.
  4. Select Save at the bottom of the page.
  5. Close the “Saving external authentication method” notification, then select X in the top-right corner of the “Authentication methods | Policies” overlay to close it.
  6. In Kolide, select Update Settings.

Step 2: Configure SAML SSO for 1Password Device Trust

Create a new Enterprise Application in Entra ID

  1. In Entra ID, select Default Directory at the top of the page, then select Manage > Enterprise applications in the sidebar.
  2. Select New application, then select Create your own application.
  3. Enter “1Password Device Trust SSO” for the name of the app.
  4. Select Integrate any other application you don’t find in the gallery (Non-gallery), then select Create.

Assign the 1Password Device Trust Enabled group

  1. In Entra ID, select Manage > Users and groups in the sidebar.
  2. Select Add user/group.
  3. Choose None Selected.
  4. Find and select the checkbox next to the 1Password Device Trust Enabled group, then choose Select at the bottom of the page.
  5. Select Assign at the bottom of the page.

Add single sign-on

  1. In Entra ID, select Manage > Single sign-on in the sidebar.
  2. Select the SAML box to set up single sign-on with SAML.

Add the Entity ID

  1. In Entra ID, select Edit within the Basic SAML Configuration box.
  2. In the Identifier (Entity ID) section, select Add identifier.
  3. In Kolide, choose Set Up Single Sign-On Provider.
  4. In Kolide, copy the Kolide Entity ID, then paste it into the Enter an identifier field in Entra ID.
  5. In the Identifier (Entity ID) section, select Add identifier a second time.
  6. Paste the Kolide Entity ID into the second Enter an identifier field in Entra ID, then change the “app” part of the Kolide Entity ID to “auth”. For example:
    • https://app.kolide.com/
    • https://auth.kolide.com/

Add the Reply URL

  1. In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section.
  2. In Kolide, copy the Kolide ACS URL and paste it into the Enter a reply URL field in Entra ID.
  3. In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section a second time.
  4. Paste the Kolide ACS URL into the second Enter a reply URL field in Entra ID, then change the “app” part of the Kolide ACS URL to “auth”. For example:
    • https://app.kolide.com/
    • https://auth.kolide.com/
  5. In Entra ID, select Save at the top of the page, then select X in the top-right to close the Basic SAML Configuration overlay.
  6. Select No, I’ll test later in the “Test single sign-on with 1Password Device Trust SSO” notification.

Add the Login URL and certificate

  1. In Entra ID, at the bottom of the page in the “Set up 1Password Device Trust SSO” box, copy the Login URL. Paste it into the Provider SSO URL field in Kolide.
  2. In Entra ID, select Download next to Certificate (Base64) in the SAML Certificates box.
  3. Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
  4. In Kolide, select Save Settings.

Step 3: Configure SCIM provisioning for 1Password Device Trust

Set up provisioning

  1. In Entra ID, select Manage > Provisioning in the sidebar.
  2. Select Get started.
  3. Choose Automatic from the “Provisioning Mode” dropdown.
  4. Select the Admin Credentials dropdown.
  5. In Kolide, choose Set Up User Provisioning.
  6. In Kolide, copy the SCIM Connector Base URL and paste it into the Tenant URL field in the Admin Credentials section of Entra ID.
  7. In Kolide, select Generate Authorization Bearer Token and copy the generated token.
  8. Paste the bearer token into the Secret Token field in the Admin Credentials section of Entra ID.
  9. In Entra ID, select Test Connection, then select Save when the testing is complete.

Map attributes

  1. In Entra ID, select the Mappings dropdown and choose Provision Microsoft Entra ID Users.
  2. Make sure that the “userName” attribute maps to “userPrincipalName” in the Attribute Mappings table.
  3. Select Edit for the email attribute.
  4. Select the Source attribute dropdown and choose userPrincipalName, then select Ok.
  5. Select Edit for the “externalId” attribute.
  6. Select the Source attribute dropdown and choose objectId, then select Ok.
  7. Select Save at the top of the page.
  8. In Kolide, select I’ve Saved the Token, Finish Set Up.
  9. In Entra ID, select X in the top-right corner of the Attribute Mapping overlay to close it, then select X in the top-right corner of the Provisioning overlay to close it as well.

Start provisioning

  1. In Entra ID, select Start Provisioning.
  2. In Kolide, select the vertical ellipsis icon, then choose Make Primary.

Optionally, you can provision on demand. After the initial cycle, Entra ID runs incremental provisioning cycles roughly every 40 minutes. To provision specific users without waiting for the next cycle:

  1. Select Provision on demand.
  2. Find and select the 1Password Device Trust Enabled group.
  3. Select View all users.
  4. Choose the users you want to provision on demand.

Step 4: Create a Conditional Access policy

  1. In Entra ID, select Default Directory at the top of the page, then select Security > Conditional Access in the sidebar.
  2. Select Create new policy, then enter “Require 1Password Device Trust (Kolide)” for the name, or a name that meets your internal naming conventions.
  3. In the Users section, select 0 users and groups selected, then choose Select users and groups and select the checkbox next to Users and groups.
  4. Find and select your 1Password Device Trust Enabled group and choose Select.
  5. In the Target resources section, select No target resources selected, then open the Select what this policy applies to dropdown and select Resources (formerly ‘Cloud apps’).
  6. Choose Select apps, then select None under Select.
  7. Find and select your 1Password Device Trust SSO app and choose Select.
  8. In the Grant section, select 0 controls selected, then select the checkbox next to Require multifactor authentication and choose Select.
  9. In the Session section, select 0 controls selected, then select the checkbox next to Sign-in frequency. Choose Periodic reauthentication, enter “8”, select Hours from the dropdown, then choose Select.
  10. In the Enable Policy section, select On.

    This makes sure that team members are prompted with the Kolide Device Trust verification step.

  11. Select Create.

As an optional step, you can choose which apps you’d like to include or exclude. To do this, change the Target resources section. Select All resources (formerly ‘All cloud apps’), or add additional selected apps in the Select section. We recommend you limit your selected apps so you can control which users and apps are using 1Password Device Trust.
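The policy built through the portal in the steps above, expressed as the Microsoft Graph conditionalAccessPolicy request body, together with a check you can run over the policies exported from GET /identity/conditionalAccess/policies to confirm nothing has drifted from the intended configuration. This is an added example in Python, not code from 1Password or Microsoft; the group and application IDs are placeholders, and the drifted policies used to exercise the check are constructed.

```python
import json

# Added example, not 1Password or Microsoft code.
# Placeholder IDs (assumptions): the object ID of the "1Password Device Trust Enabled"
# group and the appId of the "1Password Device Trust SSO" enterprise application.
DEVICE_TRUST_GROUP_ID = "11111111-1111-1111-1111-111111111111"
DEVICE_TRUST_SSO_APP_ID = "22222222-2222-2222-2222-222222222222"
POLICY_NAME = "Require 1Password Device Trust (Kolide)"


def device_trust_policy(group_id, app_ids, sign_in_hours=8, display_name=POLICY_NAME):
    """Request body for POST /identity/conditionalAccess/policies matching Step 4:
    users = the Device Trust group, resources = the SSO app, grant = require MFA,
    session = periodic reauthentication every N hours, state = enabled."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "type": "hours",
                "value": sign_in_hours,
                "frequencyInterval": "timeBased",
            }
        },
    }


def check_policy(policy, group_id, app_ids, max_hours=8):
    """Findings for a policy object (as returned by GET /identity/conditionalAccess/policies)
    that no longer matches the intended Device Trust configuration. Empty list means OK."""
    findings = []
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    grant = policy.get("grantControls") or {}
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; Device Trust is not enforced")
    if group_id not in (users.get("includeGroups") or []):
        findings.append("Device Trust group is not in includeGroups")
    if group_id in (users.get("excludeGroups") or []):
        findings.append("Device Trust group is excluded; exclusions win over inclusions")
    missing = sorted(set(app_ids) - set(apps))
    if missing:
        findings.append(f"target resources missing: {missing}")
    if "mfa" not in (grant.get("builtInControls") or []):
        findings.append("grant controls do not require multifactor authentication")
    if not sif.get("isEnabled"):
        findings.append("sign-in frequency is disabled; devices are not periodically re-checked")
    elif sif.get("type") != "hours" or (sif.get("value") or 0) > max_hours:
        findings.append(f"sign-in frequency {sif.get('value')} {sif.get('type')} exceeds {max_hours} hours")
    return findings


if __name__ == "__main__":
    body = device_trust_policy(DEVICE_TRUST_GROUP_ID, [DEVICE_TRUST_SSO_APP_ID])
    print(json.dumps(body, indent=2))
    print("findings:", check_policy(body, DEVICE_TRUST_GROUP_ID, [DEVICE_TRUST_SSO_APP_ID]))
```

Run check_policy over every exported policy whose displayName matches yours after any portal change; a finding on the grant control or state means the Kolide step is no longer being enforced for the group at all.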

The next time a user in your 1Password Device Trust Enabled group signs in to the SSO-controlled resource, Kolide will check the health of their device if they select 1Password Device Trust in their multifactor authentication prompt. If the user passes the device health checks you’ve set up in Kolide, they’ll be able to sign in without taking additional steps. If they fail a check, Kolide will show them how to resolve the issue. After the user has fixed the issues with their device, Kolide will perform an instant recheck so they can sign in.
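Because the Kolide check only runs if the user picks 1Password Device Trust at the multifactor prompt (the known limitation under Before you begin), it is worth auditing sign-ins that satisfied the Conditional Access policy with some other multifactor method. The following is an added Python example, not code from 1Password or Microsoft. It runs that check over constructed records shaped like the Microsoft Graph signIn resource (appliedConditionalAccessPolicies and authenticationDetails). It assumes the external method is reported in authenticationDetails under the display name you gave it in Step 1.2; confirm that against a real record from your own tenant before relying on it.

```python
# Added example, not 1Password or Microsoft code: find sign-ins where the Device Trust
# Conditional Access policy was satisfied by a multifactor method other than the
# 1Password Device Trust external authentication method.

# Display name given to the external authentication method in Step 1.2.
# Assumption: the sign-in log lists a completed external method under this name in
# authenticationDetails[].authenticationMethod. Verify against a real record.
EAM_NAME = "1Password Device Trust"
POLICY_NAME = "Require 1Password Device Trust (Kolide)"

# Steps that only prove the first factor; any other succeeded step counts as MFA.
FIRST_FACTOR_METHODS = {"Password", "Previously satisfied"}

# Constructed sample records (a subset of Graph signIn fields), not real log data.
SAMPLE_SIGNINS = [
    {   # expected path: Kolide checked the device
        "createdDateTime": "2024-12-10T09:01:12Z",
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "1Password Device Trust SSO",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": EAM_NAME, "succeeded": True}],
    },
    {   # bypass: MFA satisfied with Microsoft Authenticator instead
        "createdDateTime": "2024-12-10T09:05:44Z",
        "userPrincipalName": "bob@example.com",
        "appDisplayName": "1Password Device Trust SSO",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True}],
    },
    {   # bypass: Kolide step failed (blocked device), user fell back to a text message code
        "createdDateTime": "2024-12-10T09:12:03Z",
        "userPrincipalName": "dave@example.com",
        "appDisplayName": "1Password Device Trust SSO",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": EAM_NAME, "succeeded": False},
            {"authenticationMethod": "Text message", "succeeded": True}],
    },
    {   # policy did not apply (user outside the group): ignored
        "createdDateTime": "2024-12-10T09:20:30Z",
        "userPrincipalName": "carol@example.com",
        "appDisplayName": "Office 365 Exchange Online",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied", "enforcedGrantControls": []}],
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True}],
    },
]


def succeeded_mfa_methods(signin):
    """Methods that completed a second factor in this sign-in."""
    return {
        step.get("authenticationMethod")
        for step in signin.get("authenticationDetails", [])
        if step.get("succeeded") and step.get("authenticationMethod") not in FIRST_FACTOR_METHODS
    }


def policy_enforced(signin, policy_name):
    """True if the named Conditional Access policy applied and its grant was satisfied."""
    return any(
        p.get("displayName") == policy_name and p.get("result") == "success"
        for p in signin.get("appliedConditionalAccessPolicies", [])
    )


def find_bypasses(signins, policy_name=POLICY_NAME, eam_name=EAM_NAME):
    """Sign-ins where the policy was satisfied by a new MFA step that was not the external method."""
    bypasses = []
    for signin in signins:
        if not policy_enforced(signin, policy_name):
            continue
        methods = succeeded_mfa_methods(signin)
        if not methods or eam_name in methods:
            continue
        bypasses.append({
            "user": signin.get("userPrincipalName"),
            "app": signin.get("appDisplayName"),
            "when": signin.get("createdDateTime"),
            "methods": sorted(methods),
        })
    return bypasses


if __name__ == "__main__":
    for b in find_bypasses(SAMPLE_SIGNINS):
        print(f"{b['when']} {b['user']} -> {b['app']} via {', '.join(b['methods'])}")
```

Records where the policy succeeded without any new MFA step (an MFA claim reused inside the sign-in frequency window) are deliberately not flagged; they are the expected behaviour of the 8-hour setting, not a bypass. Feed the function the JSON from GET /auditLogs/signIns filtered to your protected app and a recent window.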

Step 5: Test Device Trust

To test the Device Trust sign-in process from the perspective of your team:

  1. Sign in as a user that belongs to your 1Password Device Trust Enabled group.
  2. As an optional step, pre-install the Kolide agent to simulate pushing the agent out to your devices. This is optional because the user will be prompted to install the agent if it is not present.
  3. In Kolide, select Downloads in the sidebar.
  4. Download the installer for your operating system and follow the on-screen instructions through to the success message.
  5. In the task bar, you’ll see a Kolide icon that appears for about 60 seconds.
  6. In a new private browser window, go to https://app.kolide.com, or go to any other application included in your new Conditional Access policy to sign in.

    A private browser window makes sure the existing session is not cached.

  7. Sign in with your Microsoft credentials using your username and password without entering a Microsoft Authenticator or other authentication code. Then select I can’t use my Microsoft Authenticator app right now.
  8. Select Approve with 1Password Device Trust to redirect to Kolide and validate that the Kolide agent is installed.

If the agent was pre-installed on the end-user device, it will register the device. If the agent is not installed, the user will be prompted to download and install the agent before the new device can be registered.

To see how Kolide handles failed checks, first set up device health checks for your team. Then:

  1. In Kolide, choose the Devices tab and select your device to see if there are any failing checks.
  2. Select Details on a check that is straightforward to fix, like File Extensions Are Not Visible in Finder.
  3. Select Actions > Edit Check Settings.
  4. In the Remediation Strategy section, select Configure.
  5. Choose Block Immediately and select Save.
  6. In a new private browser window, go to https://app.kolide.com, or any other application included in your new Conditional Access policy.
  7. Sign in with your Microsoft credentials using your username and password. However, don’t enter a Microsoft Authenticator or software authenticator code. Then select I can’t use my Microsoft Authenticator app right now.
  8. Select Approve with 1Password Device Trust to redirect to Kolide. You should be blocked by Kolide based on the check you changed earlier.
  9. Select Fix this issue, which opens a new tab that shows you how to fix the issue.
  10. Fix the issue, then return to the Kolide window and select I’ve fixed it. Recheck now.

    Kolide will run a real-time check to validate that the issue has been fixed before completing the sign-in flow.

As part of future testing, continue to add new users to the 1Password Device Trust Enabled group and have users test the sign-in flow.

Get help

If you need to generate a new bearer token

You can generate a new bearer token for SCIM provisioning at any time by following the instructions in Step 3.

If you can’t authenticate with SAML

After configuring the integration, if you get an error that says Could not authenticate you via SAML when you try to authenticate with Device Trust, the certificate Kolide holds most likely no longer matches the one Entra ID signs assertions with (for example, after a certificate rotation). Re-download the SAML certificate in Entra ID that you downloaded in Step 2 and upload it to Kolide:

  1. In Kolide, select your profile, then select Settings and choose Identity Providers in the sidebar.
  2. Select Microsoft Entra, then choose Set Up Single Sign On Provider.
  3. In Entra ID, select Manage > Enterprise applications in the sidebar.
  4. Choose your Device Trust application in the list.
  5. Select Manage > Single sign-on.
  6. Choose SAML, then select Download next to Certificate (Base64) in the SAML Certificates box.
  7. Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
  8. In Kolide, select Save Settings.

If you’d like to upload the Kolide logo to your Enterprise Application

If you’d like to add the Kolide logo to your app:

  1. In Entra ID, select Manage > Enterprise applications in the sidebar.
  2. Choose your Device Trust application in the list.
  3. Select Manage > Properties.
  4. Download the Kolide logo.
  5. Choose Select a file and upload the Kolide logo.
  6. Select Save.