Update Unlock with Microsoft Entra ID for Conditional Access policies

Learn how to update your integration with Microsoft Entra ID to support Conditional Access policies.

With 1Password Business, you can set up Unlock with Microsoft Entra ID. If you use Conditional Access policies in Entra ID and you have a public client, migrate to a private client in Entra ID and configure the settings in 1Password for the best experience.

These steps were recorded in March 2026 and may have changed since. Refer to the Microsoft documentation  for the most up-to-date steps.

Step 1: Create a secret for the 1Password SSO application in Entra ID

To get started, sign in to your account on the Microsoft Entra admin center  then follow these steps:

  1. In the sidebar, select App registrations, then select your 1Password SSO app registration.
  2. In the second sidebar under Manage, select Certificates & secrets.
  3. Select New client secret. Give the secret a name, such as “1Password SSO”.
  4. Choose an expiration date. When the secret expires, you’ll need to update it.
  5. Select Add, then select the copy button beside the Value field to copy it. You’ll use this in the next step.

Important

To make sure your team can continue to sign in with Microsoft, create a new secret and update it in your 1Password settings at least a few days before the current secret expires. Set reminders to rotate your secret to make sure you don’t get locked out of your account.

Step 2: Update your Unlock with SSO configuration

Important

The changes you make below won’t be saved until you successfully authenticate with Microsoft. This prevents you from locking yourself out of 1Password.

2.1: Update your 1Password settings

  1. Open a new browser tab or window and sign in to your account on 1Password.com.
  2. Select Policies in the sidebar.
  3. Select Manage policies under Single sign-on.
  4. Select Edit Configuration.
  5. Choose Private Client in the Client Type section.
  6. Paste the secret you created in Entra ID in the Client secret field.
  7. Add the client secret expiration date from Entra ID to the Client secret expiration field. All Owners and Administrators will get reminders before the secret expires.

Then leave this page open and continue to step 2.2.

2.2: Update your Entra ID application

From the app registration page in Entra ID:

  1. In the sidebar under Manage, select Authentication.
  2. To remove the old redirect URIs, select the trash button beside the platforms, then select Delete.
  3. Under “Platform configurations”, select Add a platform > Web.
  4. Copy and paste the Redirect URI from your “Single sign-on” page in your other browser tab.
  5. Leave the “Front-channel logout URL” field blank.
  6. Select ID tokens under “Implicit grant and hybrid flows”.
  7. Select Configure.

2.3: Test the connection

After you’ve configured your settings, go back to the “Single sign-on” policy page and test the connection. You’ll be directed to Microsoft to sign in, then returned to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.

After you test the connection, scroll down, then select Save Configuration.

Learn more


Published: