How to Setup SSO with 1Password and Microsoft Azure

Step 1: Add the 1Password Business application to Microsoft Azure

To get started, sign in to your account on the Microsoft Azure portal, then follow these steps:

  1. Search for and select Azure Active Directory.
  2. Under Manage, select App registrations then click “New registration”.
  3. Enter a name for your application.
  4. Select your preferred supported account types.
  5. Leave the Redirect URI field blank. You’ll fill it out later.
  6. Click Register to create the application.

You’ll see the details of the application you just created. Keep this open for the next step.

Step 2: Configure Unlock with SSO

You must successfully test the connection by signing in to both Microsoft and 1Password before you can save an identity provider configuration.

Changes won’t be saved if you can’t successfully authenticate with Microsoft. This prevents you from locking yourself out of 1Password.

2.1: Set up Unlock with SSO

  1. Open a new browser tab or window and sign in to your account on 1Password.com.
  2. Click Security in the sidebar.
  3. Click Unlock 1Password with Identity Provider.
  4. Follow the onscreen instructions to set up Unlock with SSO.

2.2: Configure the Azure application

From the app overview page you’re taken to after completing step 1:

For 1Password.com

  1. In the sidebar under Manage, click Authentication.
  2. Under “Platform configurations”, select “Add a platform”.
  3. Click “Single-page application”.
  4. Copy and paste the first URI from your Unlock 1Password with Identity Provider setup page.
  5. Leave the “Front-channel logout URL” field blank.
  6. Select “ID tokens” under “Implicit grant and hybrid flows”.
  7. Click Configure.

For the desktop and mobile apps

  1. In the sidebar under Manage, click Authentication.
  2. Under “Platform configurations”, select “Add a platform”.
  3. Click “Mobile and desktop applications”.
  4. Copy and paste the second URI from the Unlock 1Password with Identity Provider setup page into the “Custom redirect URIs” field.
  5. Leave other redirect URI options unchecked.
  6. Click Configure.

2.3: Configure API permissions

  1. Click “API permissions” in the sidebar.
  2. Click “Add a permission”.
  3. Click “Microsoft Graph” then “Delegated permissions”.
  4. Under “OpenId permission”, select “email”, “openid”, and “profile”.
  5. Click “Add permissions”.

Optional: You can click “Grant admin consent” to give tenant-wide consent for the 1Password application. Otherwise each user will grant consent the first time they use Unlock 1Password with Microsoft. 1Password asks only for read access to the permissions listed above.

IMPORTANT

For a user to sign in to 1Password with Microsoft, the email listed in Microsoft Azure Active Directory must match the email associated with their 1Password account. Note that their User Principal Name can be different.

2.4: Configure required claims

1Password requires the sub, name, and email claims from Azure Active Directory. By default, Azure provides a subject (sub) claim and maps the name and email user properties automatically. 1Password first attempts to match 1Password users to Azure Active Directory users by the sub property. If that fails, it falls back to the email property.

If you use automated provisioning with Azure, and some of your users have an email property that differs from their User Principal Name (UPN), you must create an optional upn claim for the OIDC ID Token:

  1. Select the app registration you created earlier.
  2. Click “Token configuration” in the sidebar.
  3. Click “Add optional claim”.
  4. Choose ID.
  5. Scroll down and check UPN, then click Add.

Learn more about providing optional claims in Azure AD.
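The matching rules above, as an added example (not 1Password's or Microsoft's code): it reads the claims of an Azure AD ID token, reports which required claims are missing, and resolves the user by sub with an email fallback, so a UPN that differs from the email still resolves. The token, the user directory and the case-insensitive email comparison are constructed assumptions for the demonstration.

```python
import base64
import json
from typing import Optional

REQUIRED_CLAIMS = ("sub", "name", "email")   # claims this page says 1Password needs

def decode_payload(id_token: str) -> dict:
    """Return the claims of a JWT. Signature verification is deliberately
    omitted here; a real relying party must verify it before trusting claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_claims(claims: dict) -> list:
    """Names of required claims that are absent or empty."""
    return [c for c in REQUIRED_CLAIMS if not claims.get(c)]

def resolve_user(claims: dict, users: list) -> Optional[dict]:
    """Match by sub first, then fall back to email (assumption: the email
    comparison is case-insensitive). The upn claim is not used for matching,
    which is why a UPN that differs from the email still resolves correctly."""
    for user in users:
        if user.get("sub") and user["sub"] == claims.get("sub"):
            return user
    for user in users:
        if user["email"].lower() == (claims.get("email") or "").lower():
            return user
    return None

def make_token(claims: dict) -> str:
    """Constructed, unsigned token (header.payload.signature) for the demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

# Constructed 1Password directory: sub is only known once a user has signed in
# with SSO before; a user who never has still resolves through the email fallback.
USERS = [
    {"email": "alice@example.com", "sub": "aaa-111"},
    {"email": "bob@example.com", "sub": None},
]

if __name__ == "__main__":
    token = make_token({"sub": "bbb-222", "name": "Bob Smith", "email": "bob@example.com",
                        "upn": "bob.smith@corp.example.com"})   # UPN differs from email
    claims = decode_payload(token)
    print("missing:", missing_claims(claims))
    print("resolved:", resolve_user(claims, USERS))
```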

2.5: Test the connection

Once you’ve configured your settings, go back to the Unlock 1Password with Identity Provider page and test the connection. You’ll be directed to Microsoft to sign in, then redirected to 1Password to sign in. This verifies connectivity between 1Password and Microsoft.

Step 3: Specify which team members will unlock 1Password with Microsoft and set a grace period

After configuring Unlock with SSO, you’ll be redirected to the settings page.

Prerequisites

Before you begin, create groups in 1Password for team members who plan to Unlock with Microsoft:

  1. Create a custom group. Give the group a descriptive name, like “Microsoft testers”, for clarity.
  2. Add team members to the group. If you plan to invite additional team members to test Unlock with Microsoft at a later date, create a new custom group for each additional set of testers.

3.1: Choose who will unlock with Microsoft

IMPORTANT

Users in the owners group can’t unlock with Microsoft and will continue to sign in to 1Password using their account password and Secret Key. This helps safeguard them from being locked out in the event that they can’t access their trusted devices and no one can recover them.

Learn more about implementing a recovery plan for your team.

By default, “People unlocking 1Password with an identity provider” is set to “No one”. To specify which team members will unlock 1Password with Microsoft, select one of the options:

“No one”

To turn off Unlock with Microsoft, select “No one”.

“Selected groups”

Only the team members in groups you choose will sign in with Microsoft. Learn how to use custom groups in 1Password Business.

  1. Choose “Selected groups” under “People unlocking 1Password with an identity provider”, then click Select Groups.
  2. Select the groups you want to unlock 1Password with Microsoft and click Update Groups. You’ll see the number of people in the groups you selected.

“Everyone except guests”

All team members, except owners and guests, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password. Guests and owners will sign in with an account password and Secret Key.

“Everyone”

Guests and all team members, except owners, will sign in with Microsoft. All existing users will be prompted to switch to Unlock with Microsoft, and all new users will use their Microsoft username and password when joining 1Password.

3.2: Set a grace period

Team members who already have 1Password accounts will need to switch to unlocking with Microsoft. Specify the number of days before team members must switch to unlocking with Microsoft, and how often they should be reminded to migrate. By default, the grace period is set to 5 days.

The grace period begins when an administrator adds a group after they choose the “Selected groups” option or when an administrator configures Unlock with Microsoft for everyone on the team. You’ll see the grace period listed next to each group configured to unlock with Microsoft.

If the grace period has already expired when a user first attempts to sign in, they’ll be asked to contact their 1Password administrator to have their account manually recovered.

If you plan to have more team members unlock with Microsoft after initial configuration, we recommend that you create a new custom group with its own grace period. This will avoid newly assigned team members needing to go through manual account recovery.

IMPORTANT

If a team member doesn’t migrate to Unlock with Microsoft before the end of the grace period, they’ll be signed out of all their devices and must contact their 1Password administrator to manually recover their account.

Optional: Add 1Password to the Microsoft My Apps page

To have the app appear on the My Apps page, follow these steps:

  1. Sign in to the Microsoft Azure portal.
  2. Click Azure Active Directory, then select “Enterprise applications” in the sidebar.
  3. Select the app you created in step 1.
  4. Click Properties in the sidebar.
  5. Toggle “Visible to users?” to Yes and click Save.

Manage settings

To manage your settings, sign in to your account on 1Password.com, then click Security in the sidebar and choose Unlock 1Password with Identity Provider.

Configuration

To change your configuration with Microsoft Azure, click Edit Configuration, then follow the onscreen instructions to set up Unlock with SSO.

You can only save an identity provider configuration after you’ve successfully tested the connection. Changes won’t be saved if you can’t successfully authenticate with Microsoft Azure. This prevents locking yourself out of 1Password.

People assignments and biometrics

Click Edit at the bottom of the settings page to change which users are assigned to unlock 1Password with Microsoft.

  • To specify which team members will unlock 1Password with Microsoft, select “No one”, “Selected groups”, “Everyone except guests”, or “Everyone”. “Selected groups” is recommended. Learn how to use custom groups in 1Password Business. To turn off Unlock with Microsoft, select “No one”.
  • Specify the number of days before team members must switch to unlocking with Microsoft. The default grace period is 5 days. If a team member doesn’t migrate to Unlock with Microsoft before the end of the grace period, they must contact their administrator to recover their account.
  • To allow team members to unlock with Touch ID, Face ID, Windows Hello, and other biometrics, select “Allow people to unlock 1Password using biometrics”. Specify the number of days or weeks before they’ll be asked to sign in to Microsoft again. When biometric unlock is turned on, your team members can access 1Password while offline, until the time period specified. Vault access will be online-only after the elapsed period.

Click Review Changes to verify your choices, then click Save.

Ref: Configure Unlock 1Password with Microsoft Azure