Teams and Businesses

Connect Azure Active Directory to the 1Password SCIM bridge

Learn how to set up and use the 1Password SCIM bridge to integrate with Azure Active Directory.

With 1Password Business, you can automate many common administrative tasks using the System for Cross-domain Identity Management (SCIM) bridge. It’s SCIM 2.0 compatible and works with Azure Active Directory, so you can:

  • Create users and groups, including automated account confirmation
  • Grant and revoke access to groups
  • Suspend and delete users

Before you can configure Azure Active Directory, you’ll need to set up and deploy the SCIM bridge. To use the SCIM bridge with Azure Active Directory, the administrator managing the SCIM application requires a premium subscription.

To get started, sign in to your account on the Microsoft Azure portal  and follow these steps.

Add the 1Password SCIM bridge as a custom application

To add the 1Password SCIM bridge as a custom application:

  1. Click Azure Active Directory, then select “Enterprise applications”  in the sidebar.
  2. Click “New application”, then click “Create your own application”.
  3. Enter “1Password Business” for the display name and select “Integrate any other application you don’t find in the gallery”. Then click Create.

You’ll see the details of the application you just created.

Configure the application

On the 1Password Business application details page:

  1. Click Provisioning in the sidebar, then click Get Started.

  2. Set Provisioning Mode to Automatic.

  3. Enter your Tenant URL and Secret Token.

    Tenant URL: the TLS-secured API gateway, proxy, or load balancer where you’ve configured the 1Password SCIM bridge. For example:

    Secret Token: your OAuth bearer token

  4. Click Test Connection, then click Save.

  5. Set Provisioning Status to On and click Save.

Get help if you don’t have your bearer token.

The Provisioning page with Provisioning Mode set to Automatic, the Tenant URL and Secret Token, and Provisioning Status set to On


To sync only specific users and groups, set Scope to “Sync only assigned users and groups” and click Save. To manage assigned users and groups, click “Users and groups”.

To restart synchronization, turn on “Clear current state and restart synchronization” and click Save.

To turn off synchronization, set Provisioning Status to Off and click Save.

You can also map Azure Active Directory user provisioning attributes to 1Password.

Learn more in the Azure Active Directory Documentation.  

Next steps

If you have existing groups in 1Password that you want to sync with Azure Active Directory, add them to the groups managed by provisioning. Click View Details in the setup assistant or click Integrations in the sidebar and choose Manage. Click Manage in the Managed Groups section, then select the groups to sync.

If you’ve previously used the SCIM bridge, make sure to select any groups that were already synced with Azure Active Directory. This will prevent problems syncing with your identity provider, including duplicate groups.

Appendix: Attribute mappings

The 1Password Business application supports several user attribute-mappings:

mailThe user's email address.
nameThe user's name or display name.
preferredLanguageThe default language for 1Password.

Learn how to customize user provisioning attribute-mappings in Azure Active Directory. 

Still need help?

If this article didn't answer your question, contact 1Password Support.