With 1Password Device Trust (Kolide) and Microsoft Entra ID, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.
With this integration, you can:
- Import your Microsoft Entra users and groups.
- Protect the Kolide admin dashboard with Entra authentication.
- Allow your users to sign in to Device Trust-protected apps with their Microsoft Entra credentials.
Before you begin
Before you can set up Kolide and Entra ID, you’ll need:
- A Microsoft Entra plan with a P1 license or higher.
- Access permissions in Entra ID for the following roles:
- Application Administrator
- Authentication Administrator
- Authentication Policy Administrator
- Conditional Access Administrator
- Groups Administrator
The Kolide and Entra ID implementation doesn’t fully support:
- Guest-user logins
- Cross-tenant users (requires that multi-factor authentication claims for cross-tenant users are trusted)
- External authentication methods for Azure Government Cloud (limited to certain Azure Gov instances)
Important
Known limitation
Depending on your Entra configuration, end users may see multiple authentication options when signing in, which could allow them to bypass Kolide by selecting another method of multi-factor authentication.
These steps were recorded in February 2024 and may have changed since. Refer to the Microsoft Entra ID documentation for the most up-to-date steps.
Step 1: Configure the external authentication method
Step 1.1: Create a 1Password Device Trust enabled group in Entra ID for testing
To test the implementation and make sure it works the way you want it to, first create a 1Password Device Trust Enabled group in Entra ID that contains only test users.
- Open two browser windows side-by-side. In one window, sign in to Kolide.
- In the second window, sign in to Entra ID.
- In Entra ID, select Groups in the sidebar, then select New group.
- Fill out the fields, including:
- Group type: Select Security.
- Group name: Enter the name “1Password Device Trust Enabled”.
- Group description: Enter a description of the group. For example: “1Password Extended Access Management Device Trust Enabled Users”.
- Membership type: Choose Assigned.
- Owners: Choose your group owners.
- Members: Choose your test users.
- Select Create.
Step 1.2: Set up an App Registration and External Authentication Method for 1Password Device Trust
Copy and paste the Tenant ID
- In Entra ID, find your organization’s Tenant ID. Select Microsoft Entra ID Directory at the top of the page, then choose Overview in the sidebar.
- Copy the Tenant ID.
- In Kolide, select your profile in the top-right corner of the page, then select Settings and choose Identity Providers in the sidebar.
- Select the Set Up button for Microsoft Entra, then select Set Up Authenticator.
- Paste the Tenant ID you copied in step 2 into the field and select Discover OIDC Metadata. The information will populate into Kolide.
Register the application in Entra ID
- In Entra ID, select Manage > App registrations in the sidebar.
- Select New registration.
- Enter the name “1Password Device Trust Auth” and select Web from the “Select a platform” dropdown.
- In Kolide, copy the Kolide Auth URI and paste it into the Redirect URI field in Entra ID.
- In Entra ID, select Register to create the application.
Add Application Redirect URIs
- After you’ve successfully created the application, in Entra ID select Manage > Authentication in the sidebar.
- In Kolide, copy the Issuer URI and paste it into the second Redirect URIs field in Entra ID.
- Select Add URI again in the Web section of the page in Entra ID.
- In Kolide, copy the Authorization URL and paste it into the third Redirect URIs field in Entra ID.
- In Entra ID, select Save at the bottom of the page to update the application.
Add an external authentication method in Entra ID
- In Entra ID, select Overview in the sidebar.
- In the Essentials section, copy the Application (client) ID.
- Select Microsoft Entra ID Directory at the top of the page, then select Security in the sidebar.
- Choose Manage in the sidebar, then select Authentication methods.
- Select Add external method, then paste the Application (client) ID you copied in step 2 into the App ID field.
- Enter a name for the external authentication method, like “1Password Device Trust”. This name cannot be changed later, and it’s the name your team will see when they choose a multi-factor authentication method.
- In Kolide, copy the Client ID and paste it into the Client ID field in Entra ID.
- In Kolide, copy the Discovery URL and paste it into the Discovery Endpoint field in Entra ID.
- In Entra ID, select Request permission. You’ll see a message that says “Admin consent granted” once the permission request goes through.
You may be asked to sign in again and accept the permissions request.
Add targets
- After admin consent is granted, toggle on Enable in the “Enable and target” section.
- Select Add Target in the “Enable and target” section, then choose Select Targets in the dropdown.
- Find and select the checkbox for the “1Password Device Trust Enabled” group in the list, then choose Select at the bottom of the page.
- Select Save at the bottom of the page.
- Close the “Saving external authentication method” notification, then select X in the top-right corner of the “Authentication methods | Policies” overlay to close it.
- In Kolide, select Update Settings.
Step 2: Configure SAML SSO for 1Password Device Trust
Create a new Enterprise Application in Entra ID
- In Entra ID, select Microsoft Entra ID Directory at the top of the page, then select Manage > Enterprise applications in the sidebar.
- Select New application, then select Create your own application.
- Enter “1Password Device Trust SSO” for the name of the app.
- Select Integrate any other application you don’t find in the gallery (Non-gallery), then select Create.
Assign the 1Password Device Trust Enabled group
- In Entra ID, select Manage > Users and groups in the sidebar.
- Select Add user/group.
- Choose None Selected.
- Find and select the checkbox next to the 1Password Device Trust Enabled group, then choose Select at the bottom of the page.
- Select Assign at the bottom of the page.
Add single sign-on
- In Entra ID, select Manage > Single sign-on in the sidebar.
- Select the SAML box to set up single sign-on with SAML.
Add the Entity ID
- In Entra ID, select Edit within the Basic SAML Configuration box.
- In the Identifier (Entity ID) section, select Add identifier.
- In Kolide, choose Set Up Single Sign-On Provider.
- In Kolide, copy the Kolide Entity ID, then paste it into the Enter an identifier field in Entra ID.
- In the Identifier (Entity ID) section, select Add identifier a second time.
- Paste the Kolide Entity ID into the second Enter an identifier field in Entra ID, then change the “app” part of the Kolide Entity ID to “auth”. For example:
- https://app.kolide.com/
- https://auth.kolide.com/
Add the Reply URL
- In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section.
- In Kolide, copy the Kolide ACS URL and paste it into the Enter a reply URL field in Entra ID.
- In Entra ID, select Add reply URL in the Reply URL (Assertion Consumer Service URL) section a second time.
- Paste the Kolide ACS URL into the second Enter a reply URL field in Entra ID, then change the “app” part of the Kolide ACS URL to “auth”. For example:
- https://app.kolide.com/
- https://auth.kolide.com/
- In Entra ID, select Save at the top of the page, then select X in the top-right to close the Basic SAML Configuration overlay.
- Select No, I’ll test later in the “Test single sign-on with 1Password Device Trust SSO” notification.
Configure 1Password Device Trust SSO to link with Entra ID
- In Entra ID, at the bottom of the page in the “Set up 1Password Device Trust SSO” box, copy the Login URL. Paste it into the Provider SSO URL field in Kolide.
- In Entra ID, select Download next to Certificate (Base64) in the SAML Certificates box.
- Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
- In Kolide, select Save Settings.
Step 3: Configure SCIM provisioning for 1Password Device Trust
Set up provisioning
- In Entra ID, choose Provisioning in the sidebar, then select Connect your application.
- Enter your tenant URL (the URL of your SCIM connection with Kolide): https://app.kolide.com/scim/v2
- In Kolide, choose Set Up User Provisioning.
- In Kolide, select Generate Authorization Bearer Token and copy the generated token.
- Paste the bearer token into the Secret Token field in Entra ID.
- We recommend saving the bearer token in your 1Password account. If you ever lose your token, you can regenerate it from your SCIM Provisioning page in the Identity Providers section in Kolide.
- Select Test Connection, then select Create and wait a moment for the connection to be created.
- In Kolide, select I’ve Saved the Token, Finish Set Up.
Map attributes
- In Entra ID, select Attribute mapping in the sidebar.
- Select Provision Microsoft Entra ID Users.
- Find the “emails[type eq "work"].value” attribute in the customappsso column and choose Edit.
- Change the source attribute from “mail” to “userPrincipalName”. If you choose a different Entra ID source attribute, make sure to update the customappsso username attribute to use the same source attribute.
- Find the “externalId” attribute in the customappsso column and choose Edit.
- Change the source attribute from “mailNickname” to “objectId”, so that Kolide receives the immutable Entra object ID rather than a mail alias that can change.
- Select Ok.
- Select Save, then choose X in the top right.
- Select X in the top-right corner of the Attribute Mapping overlay to close it, then select X in the top-right corner of the Provisioning overlay to close it as well.
Start provisioning
- In Entra ID, select Start Provisioning.
- In Kolide, select the vertical ellipsis icon, then choose Make Primary.
Optionally, you can provision on demand. After the initial full cycle, Entra ID runs an incremental provisioning cycle roughly every 40 minutes. To provision a user without waiting for the next cycle:
- Select Provision on demand.
- Find and select the 1Password Device Trust Enabled group.
- Select View all users.
- Choose the users you want to provision on demand.
Step 4: Create a Conditional Access policy
- In Entra ID, select Microsoft Entra ID Directory at the top of the page, then select Security > Conditional Access in the sidebar.
- Select Create new policy, then enter “Require 1Password Device Trust (Kolide)” for the name, or a name that meets your internal naming conventions.
- In the Users section, select 0 users and groups selected, then choose Select users and groups and select the checkbox next to Users and groups.
- Find and select your 1Password Device Trust Enabled group and choose Select.
- In the Target resources section, select No target resources selected, then open the Select what this policy applies to dropdown and select Resources (formerly ‘Cloud apps’).
- Choose Select apps, then select None under Select.
- Find and select your 1Password Device Trust SSO app and choose Select.
- In the Grant section, select 0 controls selected, then select the checkbox next to Require multifactor authentication and choose Select.
- In the Session section, select 0 controls selected, then select the checkbox next to Sign-in frequency. Choose Periodic reauthentication, enter “8”, open the dropdown and choose Hours. Then choose Select.
- In the Enable Policy section, select On.
This makes sure that team members are prompted with the Kolide Device Trust verification step.
- Select Create.
As an optional step, you can choose which apps you’d like to include or exclude. To do this, change the Target resources section. Select All resources (formerly ‘All cloud apps’), or add additional selected apps in the Select section. We recommend you limit your selected apps so you can control which users and apps are using 1Password Device Trust.
The next time a user in your 1Password Device Trust Enabled group signs in to the SSO-controlled resource, Kolide will check the health of their device if they select 1Password Device Trust in their multifactor authentication prompt. If the user passes the device health checks you’ve set up in Kolide, they’ll be able to sign in without taking additional steps. If they fail a check, Kolide will show them how to resolve the issue. After the user has fixed the issues with their device, Kolide will perform an instant recheck so they can sign in.
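The same Conditional Access policy can be created with the Microsoft Graph PowerShell SDK, which is useful when you want the policy under version control or need to recreate it in several tenants. This is an added example, not code from 1Password or Microsoft; it assumes the group and app names from Steps 1 and 2, a hypothetical break-glass account UPN, and the Microsoft.Graph module (Install-Module Microsoft.Graph). It starts the policy in report-only mode, which the portal steps above do not do, so you can review sign-in logs before enforcing it.

```powershell
# Added example (not from the 1Password/Kolide page): create the Step 4 Conditional Access
# policy with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "Group.Read.All", "Application.Read.All", "User.Read.All" -NoWelcome

$groupName = "1Password Device Trust Enabled"   # group from Step 1.1
$appName   = "1Password Device Trust SSO"       # enterprise app from Step 2
$breakGlassUpn = "breakglass@contoso.example"   # assumed emergency-access account; replace

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $group) { throw "Group '$groupName' not found" }
if (-not $sp)    { throw "Enterprise application '$appName' not found" }

# Excluding an emergency-access account keeps a misconfigured policy from locking out
# every administrator. If the account does not exist the exclusion list is simply empty.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"

$policy = @{
    displayName = "Require 1Password Device Trust (Kolide)"
    # Report-only first: sign-in logs show what would have happened without blocking anyone.
    # Change to "enabled" once the Step 5 test users behave as expected.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass | ForEach-Object Id)
        }
        applications = @{
            # Conditional Access identifies apps by their application (client) ID, not object ID
            includeApplications = @($sp.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency of 8 hours, matching the portal steps above
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 8
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep in mind that “Require multifactor authentication” is satisfied by any MFA method the user has registered; the Kolide external method is only one of them. That is the known limitation noted at the top of this page, and it is why the advanced setup below removes the other methods for the group.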
Step 5: Test Device Trust Sign-in
To test the Device Trust sign-in process from the perspective of your team:
- Sign in as a user that belongs to your 1Password Device Trust Enabled group.
- As an optional step, pre-install the Kolide agent to simulate pushing the agent out to your devices. This is optional because the user will be prompted to install the agent if it is not present.
- In Kolide, select Downloads in the sidebar.
- Download the installer for your operating system and follow the on-screen instructions through to the success message.
- In the task bar, you’ll see a Kolide icon that appears for about 60 seconds.
- In a new private browser window, go to https://app.kolide.com, or go to any other application included in your new Conditional Access policy to sign in.
A private browser window makes sure the existing session is not cached.
- Sign in with your Microsoft credentials using your username and password without entering a Microsoft Authenticator or other authentication code. Then select I can’t use my Microsoft Authenticator app right now.
- Select Approve with 1Password Device Trust to redirect to Kolide and validate that the Kolide agent is installed.
If the agent was pre-installed on the end-user device, it will register the device. If the agent is not installed, the user will be prompted to download and install the agent before the new device can be registered.
To see how Kolide handles failed checks, first set up device health checks for your team. Then:
- In Kolide, choose the Devices tab and select your device to see if there are any failing checks.
- Select Details on a check that is straightforward to fix, like File Extensions Are Not Visible in Finder.
- Select Actions > Edit Check Settings.
- In the Remediation Strategy section, select Configure.
- Choose Block Immediately and select Save.
- In a new private browser window, go to https://app.kolide.com, or any other application included in your new Conditional Access policy.
- Sign in with your Microsoft credentials using your username and password. However, don’t enter a Microsoft Authenticator or software authenticator code. Then select I can’t use my Microsoft Authenticator app right now.
- Select Approve with 1Password Device Trust to redirect to Kolide. You should be blocked by Kolide based on the check you changed earlier.
- Select Fix this issue, which opens a new tab that shows you how to fix the issue.
- Fix the issue, then return to the Kolide window and select I’ve fixed it. Recheck now.
Kolide will run a real-time check to validate that the issue has been fixed before completing the sign-in flow.
If you want to test the sign-in process with additional users, add them to the 1Password Device Trust Enabled group. When you’re ready to roll out Device Trust more widely, add everyone you want to use Device Trust to the group. Anyone who belongs to the group can use the new sign-in flow.
Advanced setup: Make sure users can’t bypass Device Trust
To make sure users can’t bypass Device Trust, exclude the 1Password Device Trust Enabled group from registration campaigns and other authentication methods.
Some users with Microsoft Administrator roles will still be able to register additional multi-factor authentication methods.
Exclude your 1Password Device Trust Enabled group from registration campaigns
- In Entra ID, select Security in the sidebar.
- Choose Manage in the sidebar, then select Authentication methods.
- Choose Manage > Registration campaign in the sidebar.
- Select Edit next to Settings.
- Select Add users and groups.
- Find and select your 1Password Device Trust Enabled group and choose Select at the bottom of the page.
- Select Save next to settings.
Exclude your 1Password Device Trust Enabled group from other authentication methods
Update your Authentication Method Policies to exclude the Device Trust group from other authentication methods. For example, to make sure the 1Password Device Trust Enabled group can’t use Microsoft Authenticator:
- In Entra ID, select Policies in the sidebar.
- Select Microsoft Authenticator in the Authentication Method Policies section.
- Select Exclude, then select Add groups.
- Find and select your 1Password Device Trust Enabled group and choose Select at the bottom of the page.
- Select I Acknowledge, then select Save.
- Repeat this process with any other authentication methods you don’t want the group to use.
If you see an error after excluding your 1Password Device Trust Enabled group from Microsoft Authenticator, follow these steps to remove the other authentication methods or remove the methods for SSPR.
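Because a missed exclusion leaves a bypass path, it is worth checking the result rather than trusting the clicks. The following read-only script is an added example, not code from 1Password or Microsoft; it assumes the group name from Step 1.1 and the Microsoft.Graph module. It reads the tenant's authentication methods policy and reports, for every method (including external methods such as the Kolide one), whether the Device Trust group is targeted, excluded, and therefore still able to use it.

```powershell
# Added example (not from the 1Password/Kolide page): audit which Entra authentication
# methods members of the Device Trust group can still use after the exclusions above.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All" -NoWelcome

$groupName = "1Password Device Trust Enabled"   # group from Step 1.1
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# The policy holds one configuration per method (email, fido2, microsoftAuthenticator, sms,
# softwareOath, temporaryAccessPass, voice, x509Certificate, and each external method).
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

$report = foreach ($cfg in $policy.authenticationMethodConfigurations) {
    $isExternal = $cfg.'@odata.type' -eq '#microsoft.graph.externalAuthenticationMethodConfiguration'
    # includeTargets contain 'all_users' or group IDs; excludeTargets contain group IDs.
    $targeted = @($cfg.includeTargets | Where-Object { $_.id -in @('all_users', $group.Id) }).Count -gt 0
    $excluded = @($cfg.excludeTargets | Where-Object { $_.id -eq $group.Id }).Count -gt 0
    [pscustomobject]@{
        Method    = if ($isExternal) { "external: $($cfg.displayName)" } else { $cfg.id }
        State     = $cfg.state
        Targeted  = $targeted
        Excluded  = $excluded
        # Reachable means the group can register and use the method, i.e. a Kolide bypass
        Reachable = ($cfg.state -eq 'enabled') -and $targeted -and -not $excluded
        External  = $isExternal
    }
}

$report | Format-Table Method, State, Targeted, Excluded, Reachable -AutoSize

$bypass = @($report | Where-Object { $_.Reachable -and -not $_.External })
if ($bypass.Count -gt 0) {
    Write-Warning ("Device Trust group can still use: " + ($bypass.Method -join ', ') +
        ". Exclude the group from each of these under Authentication methods > Policies.")
}
```

The script only reads policy, not what individual users have already registered; methods a user registered before the exclusion stay on the account until they are removed, which is what the next section covers.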
Remove other existing authentication methods
You can remove other existing authentication methods within Entra ID, with PowerShell, or by sharing instructions with your users on how they can remove the authentication methods themselves.
To remove a user’s existing additional authentication methods in Entra ID:
- In Entra ID, select Monitoring > User registration details in the sidebar while still in the Authentication methods section.
- Find and select the name of the user you want to remove authentication methods from.
- Select Authentication methods in the sidebar.
- For the Default sign-in method, select the edit button next to the Microsoft Authenticator notification.
- From the Select default sign in method dropdown, choose SMS (primary mobile), then select Save at the bottom of the page.
- Select the vertical ellipses for Microsoft Authenticator, then select Delete.
- Select Yes for the “Are you sure you want to delete this Microsoft Authenticator?” notification.
- Delete the “Phone number” authentication method and any additional authentication methods, like the “Software OATH token”.
After you delete the other authentication methods, the default sign-in method is “No default”, which makes Kolide the default method.
To remove users' existing additional authentication methods with PowerShell:
- Get a list of the users in your 1Password Device Trust Enabled group.
- Parse the list of users with PowerShell and remove the additional authentication methods.
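The two PowerShell steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not code from 1Password or Microsoft. It assumes the group name from Step 1.1 and the Microsoft.Graph module, and it runs as a dry run until you set $dryRun to $false. It removes the method types this page names (Microsoft Authenticator, phone, software OATH token) plus FIDO2 security keys, since any of them satisfies the “Require multifactor authentication” grant without Kolide; password methods cannot be deleted, and the Kolide external method has no per-user registration to remove.

```powershell
# Added example (not from the 1Password/Kolide page): remove the alternative MFA methods
# registered by every user in the Device Trust group. Dry run by default.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "GroupMember.Read.All",
    "Group.Read.All" -NoWelcome

$dryRun    = $true                              # set to $false to actually delete
$groupName = "1Password Device Trust Enabled"   # group from Step 1.1

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Map each Graph method type to the cmdlet that deletes it. Types not listed here
# (password, Windows Hello for Business, email for SSPR) are left alone.
$removers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = {
        param($u, $m) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $m }
    '#microsoft.graph.phoneAuthenticationMethod' = {
        param($u, $m) Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $m }
    '#microsoft.graph.softwareOathAuthenticationMethod' = {
        param($u, $m) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $m }
    '#microsoft.graph.fido2AuthenticationMethod' = {
        param($u, $m) Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $m }
}

# Only user members; nested groups and service principals are skipped
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($member in $members) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    foreach ($method in Get-MgUserAuthenticationMethod -UserId $member.Id) {
        $type = $method.AdditionalProperties['@odata.type']
        if (-not $removers.ContainsKey($type)) { continue }
        if ($dryRun) {
            "[dry-run] $upn : would remove $type ($($method.Id))"
            continue
        }
        try {
            & $removers[$type] $member.Id $method.Id
            "$upn : removed $type"
        } catch {
            # A method that is still the user's default sign-in method may refuse deletion;
            # change the default first, as in the portal steps above, then rerun.
            Write-Warning "$upn : could not remove $type : $($_.Exception.Message)"
        }
    }
}
```

Run it once with the dry run on and keep that output; it is the record of which methods each user lost if someone later reports being unable to sign in.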
To let users remove existing additional authentication methods themselves, share the following instructions with them:
- Go to the My Account page for Microsoft: https://myaccount.microsoft.com/
- If you’re already logged in to a Microsoft website, select your avatar in the top-right corner and choose View account.
- Select Security info in the sidebar.
- Select Delete next to the authentication methods other than the password method.
If you use self-service password resets
If your tenant uses self-service password resets (SSPR), you’ll need to change the number of factors for SSPR, or at a minimum remove the verified phone number and authenticator app methods for SSPR. This leaves only email address and security questions as trusted password reset methods.
To remove the verified phone number and authenticator app methods:
- In Entra ID, select Microsoft Entra ID Directory at the top of the page, then select Manage > Password reset in the sidebar.
- Select Manage > Authentication methods in the sidebar.
- Uncheck Mobile app notification, Mobile app code, Mobile phone, and Office phone.
- Select Save.
Remove administrative self-service password reset
- Sign in to your account on the Microsoft Azure portal.
- Select the Cloud Shell icon in the top-right corner and make sure you’re using PowerShell.
- If you don’t have access to the Azure Cloud Shell, install the Microsoft Graph PowerShell SDK on your local system and run the same commands from a local PowerShell session. The commands below use the Microsoft Graph module, not the older Azure AD or Az modules.
- Run the following command to connect to Microsoft Graph with permission to read and modify authorization policies:
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
- Follow the instructions output by the command to authorize your PowerShell session for Microsoft Graph and grant consent.
- Run the following command to update the authorization policy in Microsoft Graph and remove the ability for users to use SSPR:
Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false
The change takes about 60 minutes to take effect. You can verify when it’s taken effect on the Password Reset | Administrator Policy page in the Entra portal.
Get help
If you need to generate a new bearer token
You can generate a new bearer token for SCIM provisioning at any time by following the instructions in Step 3.
If you can’t authenticate with SAML
After configuring the integration, if you get an error that says Could not authenticate you via SAML
when you try to authenticate with Device Trust, you’ll need to re-download the SAML certificate in Entra ID that you downloaded in Step 2:
- In Kolide, select your profile, then select Settings and choose Identity Providers in the sidebar.
- Select Microsoft Entra, then choose Set Up Single Sign On Provider.
- In Entra ID, select Manage > Enterprise applications in the sidebar.
- Choose your Device Trust application in the list.
- Select Manage > Single sign-on.
- Choose SAML, then select Download next to Certificate (Base64) in the SAML Certificates box.
- Drag and drop the certificate or copy and paste the contents into the Provider X.509 Certificate box in Kolide.
- In Kolide, select Save Settings.
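The “Could not authenticate you via SAML” error usually means the certificate Kolide holds is no longer the one Entra signs assertions with, either because it expired or because it was rotated. The following script is an added example, not code from 1Password or Microsoft; it assumes the app name from Step 2, a download location for the Base64 certificate, and the Microsoft.Graph module. It compares the downloaded certificate's thumbprint with the signing key the enterprise application currently prefers and warns when the certificate is close to expiry, so you can catch the problem before users do.

```powershell
# Added example (not from the 1Password/Kolide page): confirm the certificate uploaded to
# Kolide is the one Entra currently signs with for the SSO app, and check its expiry.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$certPath = Join-Path $HOME "Downloads/1Password Device Trust SSO.cer"   # assumed location
$appName  = "1Password Device Trust SSO"                                 # app from Step 2

# X509Certificate2 reads both the Base64 (.cer) and the raw DER download from Entra
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" `
    -Property id, displayName, preferredTokenSigningKeyThumbprint, keyCredentials
if (-not $sp) { throw "Enterprise application '$appName' not found" }

$active = $sp.PreferredTokenSigningKeyThumbprint
if (-not $active) { Write-Warning "App has no preferred signing key set; Entra uses its most recent certificate" }
$matchesActive = $active -and ($cert.Thumbprint -eq $active)   # -eq is case-insensitive
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    File          = $certPath
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    ActiveInEntra = $matchesActive
}

if (-not $matchesActive) {
    Write-Warning "This is not the certificate Entra signs with; re-download it (steps above) and save it in Kolide."
}
if ($daysLeft -lt 30) {
    Write-Warning "Signing certificate expires in $daysLeft days; rotate it in Entra and update Kolide before then."
}

# Every signing certificate on the app, including a pending rollover certificate if one exists
$sp.KeyCredentials | Where-Object { $_.Usage -eq 'Verify' } |
    Select-Object DisplayName, StartDateTime, EndDateTime | Format-Table -AutoSize
```

Entra SAML signing certificates expire and cannot be renewed in place; when the listing shows a newer certificate than the one Kolide has, upload the new one in Kolide before making it the active certificate in Entra.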
If you’d like to upload the Kolide logo to your Enterprise Application
If you’d like to add the Kolide logo to your app:
- In Entra ID, select Manage > Enterprise applications in the sidebar.
- Choose your Device Trust application in the list.
- Select Manage > Properties.
- Download the Kolide logo.
- Choose Select a file and upload the Kolide logo.
- Select Save.