Teams and Businesses

Update Unlock with Microsoft Entra ID for Conditional Access policies

Learn how to update your integration with Microsoft Entra ID to support Conditional Access policies.

With 1Password Business, you can set up Unlock with Microsoft Entra ID (previously Azure AD). If you use Conditional Access policies in Entra ID and you set up a public client, migrate to a private client in Entra ID and configure the settings in 1Password for the best experience.

These steps were recorded in February 2024 and may have changed since. Refer to the Microsoft documentation  for the most up-to-date steps.

Step 1: Create a secret for the 1Password SSO application in Entra ID

To get started, sign in to your account on the Microsoft Azure portal  then follow these steps:

  1. Search for and select Microsoft Entra ID.
  2. Under Manage, select App registrations, and click your 1Password SSO app registration.
  3. Choose Certificates & secrets in the sidebar.
  4. Choose New client secret. Give the secret a name, such as “1Password SSO”.
  5. Click Add, then click beside the Value field to copy it. You’ll use this in the next step.


Secrets in Entra ID have an expiration date. To make sure your team can continue to sign in with Microsoft, you’ll need to update this secret in 1Password’s settings before it expires.

Step 2: Update your Unlock with SSO configuration


The changes you make below won’t be saved until you successfully authenticate with Microsoft. This prevents you from locking yourself out of 1Password.

2.1: Update your 1Password settings

  1. Open a new browser tab or window and sign in to your account on
  2. Click Policies in the sidebar.
  3. Click Manage under Configure Identity Provider.
  4. Click Edit Configuration.
  5. Choose Private Client in the Client Type section.
  6. Paste the secret you created in Entra ID in the Application Secret field.

2.2: Update your Entra ID application

From the app registration page in Entra ID:

  1. In the sidebar under Manage, click Authentication.
  2. To remove the old redirect URIs, click beside the platforms, then choose Delete.
  3. Under “Platform configurations”, select Add a platform then choose Web.
  4. Copy and paste the Redirect URI from your Configure Identity Provider page in your other browser tab.
  5. Leave the “Front-channel logout URL” field blank.
  6. Select ID tokens under “Implicit grant and hybrid flows”.
  7. Click Configure.

2.3: Test the connection

Once you’ve configured your settings, go back to the Configure Identity Provider page and test the connection. You’ll be directed to Microsoft to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.

After you test the connection, scroll down and click Save Configuration.

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.