Connect Microsoft Entra ID to 1Password SCIM Bridge

Learn how to set up and use 1Password SCIM Bridge to integrate with Microsoft Entra ID.

With 1Password Business, you can integrate 1Password with Microsoft Entra ID (previously Azure AD) to automate many common administrative tasks:

Provision users

  • Create users: Assigned users and groups will be provisioned to 1Password.
  • Update user attributes: Changing user attributes in your directory will change the mapped attributes in 1Password.
  • Deactivate users: Disabling a user or removing their assignment in Entra ID will suspend the user in 1Password.

Manage groups

  • Assign groups: Assign groups from your directory to sync them to 1Password or manage existing 1Password groups in Entra ID.

To get started, sign in to your account on the Microsoft Azure portal and follow these steps.

Before you begin

Before you can integrate 1Password with Entra ID, you’ll need to:

Step 1: Add 1Password Business as a custom application

To add 1Password Business as a custom application in Entra ID:

  1. Click Microsoft Entra ID, then select Enterprise applications in the sidebar.
  2. Click New application, then click Create your own application.
  3. Enter “1Password Business” for the name of the app and select Integrate any other application you don’t find in the gallery (Non-gallery). Then click Create.

You’ll see the details of the application you just created. Continue to the next section to configure it.

Step 2: Configure the application

On the 1Password Business application details page:

  1. Click Users and groups in the sidebar, then add the users and groups you want to provision to 1Password.

  2. Click Provisioning in the sidebar, then click Get Started.

  3. Set Provisioning Mode to Automatic.

  4. Enter your Tenant URL and Secret Token.

    Tenant URL: the URL of your SCIM bridge (not your 1Password account sign-in address). For example: https://scim.example.com

    If you don’t know your URL, make sure you’ve set up and deployed the SCIM bridge.

    Secret Token: the bearer token for your SCIM bridge

    Learn what to do if you don’t have your bearer token.

  5. Click Test Connection, then click Save and click X (Close) in the top right.

  6. Click Edit Provisioning.

  7. If you want to use custom attribute mappings, click Mappings and refer to the default mappings below.

  8. Set Provisioning Status to On and click Save.

Tip

Microsoft Entra ID has a 40-minute sync cycle so changes you make will occur after this cycle completes.

To sync user and group changes to 1Password immediately, use on-demand provisioning.

Next steps

When you turn on provisioning, existing 1Password users will be linked to Entra ID users if their email address matches. If their email address is different, they’ll be invited to 1Password again, so make sure any affected team members update their email address before you turn on provisioning.
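
The email-matching rule above can be checked before Provisioning Status is set to On. The following Python is an added example, not code from 1Password or Microsoft: it compares the UPNs of assigned Entra ID users (the attribute mapped to userName) with the email addresses of existing 1Password users. The function name, the sample addresses, the separate case-only category and the same-local-part heuristic are assumptions made for illustration.

```python
# Added example: pre-flight comparison of Entra ID UPNs with 1Password emails.
# Both input lists are constructed sample data; how you export them is up to you.

def preflight(entra_upns, op_emails):
    """Classify each assigned Entra ID user by how its UPN compares to
    the email addresses of existing 1Password users."""
    op_exact = {e.strip() for e in op_emails}
    op_folded = {e.casefold(): e for e in op_exact}
    op_local = {}
    for e in op_exact:
        op_local.setdefault(e.split("@")[0].casefold(), []).append(e)

    report = {"linked": [], "case_only": [], "likely_reinvite": [], "new_invite": []}
    seen = set()
    for upn in (u.strip() for u in entra_upns):
        local = upn.split("@")[0].casefold()
        if upn in op_exact:
            report["linked"].append(upn)
            seen.add(upn)
        elif upn.casefold() in op_folded:
            # The page does not say whether matching ignores case, so flag it.
            other = op_folded[upn.casefold()]
            report["case_only"].append((upn, other))
            seen.add(other)
        elif local in op_local:
            # Heuristic (assumption): same local part, different domain,
            # is probably the same person and would be invited again.
            others = sorted(op_local[local])
            report["likely_reinvite"].append((upn, others))
            seen.update(others)
        else:
            report["new_invite"].append(upn)
    # Existing 1Password users with no counterpart among the assigned users.
    report["unmatched_1password"] = sorted(op_exact - seen)
    return report


# Constructed sample data.
ENTRA_UPNS = ["wendy@example.com", "Sam@example.com",
              "ravi@corp.example.com", "li@example.com"]
OP_EMAILS = ["wendy@example.com", "sam@example.com",
             "ravi@example.com", "olga@example.com"]

if __name__ == "__main__":
    for category, entries in preflight(ENTRA_UPNS, OP_EMAILS).items():
        print(f"{category}: {entries}")
```

Entries under case_only and likely_reinvite are the team members whose email address should be reviewed before provisioning is turned on.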

If you have existing groups in 1Password that you want to sync with Entra ID, add them to the groups managed by provisioning:

  1. Sign in to your account on 1Password.com.
  2. Choose Integrations in the sidebar and choose Automated User Provisioning.
  3. Choose Manage in the Managed Groups section, then select the groups to sync.

If you've previously used the SCIM bridge, make sure to select any groups that were already synced with Entra ID. This will prevent problems syncing with your identity provider, including duplicate groups.

Get help

If users and groups aren’t being provisioned, make sure provisioning is turned on in your 1Password account:

  1. Sign in to your account on 1Password.com.
  2. Choose Integrations in the sidebar.
  3. Choose Automated User Provisioning.
  4. Make sure Provisioning users & groups is turned on.

Appendix: Attribute mappings

The following are the default user attribute mappings for the 1Password Business application in Entra ID:

| 1Password attribute | Entra ID attribute | Description |
| --- | --- | --- |
| userName | userPrincipalName (UPN) | The team member’s username and email address. |
| displayName | displayName | Their full name. |
| preferredLanguage | preferredLanguage | Their default language for 1Password. |
|  | IsSoftDeleted | Indicates if a user is suspended. Leave the default value. |

Learn how to customize user provisioning attribute-mappings in Entra ID. 

Still need help?

If this article didn't answer your question, contact 1Password Support.
