Protect what matters – even after you're gone. Make a plan for your digital legacy today.
What’s new in 1Password Enterprise Password Manager (Q4 2025)
Hey everyone! 👋 We’ve been working closely with customers across industries this past year to understand where they need more flexibility, clarity, and control. That feedback shaped a new round of improvements that help teams deploy faster, manage more consistently, and stay secure without slowing anyone down. Here’s a quick rundown of what’s new: Security without friction New App Unlock presets give admins more flexibility in how people unlock 1Password. Organizations can align unlock behavior with their existing device policies, like allowing 1Password to unlock when the device unlocks while still enforcing auto-lock where needed. Teams can decide which presets are available, override them where required, or let users choose the option that fits their workflow. Vaults remain protected by device-level encryption – this simply changes when 1Password unlocks, not how it’s secured. Get teams set up in less time A couple of updates make it easier for new users to get started confidently: The new Browser Extension policy helps guide new users to install the 1Password browser extension during setup. Guided Setup now introduces people to the essentials of using 1Password in their environment and adapts to each organization’s configuration. Together, these reduce confusion during onboarding, minimize IT overhead, and help people start saving and filling credentials right away. New policies provide more control As organizations scale, admins often need fine-grained control over how credentials are saved and submitted. New policy options now allow admins to configure: Autosave: Choose which item types (Logins, Credit Cards, Addresses, 2FA) are saved automatically. Autosubmit: Turn off automatic form submission. Sign-in Attempts: Define how many failed login attempts are allowed before an IP address is temporarily locked for that user, helping safeguard against brute-force attacks. These updates help standardize behavior across the organization while still giving teams the right amount of flexibility. Set up your 1Password instance to reflect how your organization operates Multi-tenancy introduces a new account model designed for scale that brings more clarity and consistency to large or distributed organizations. Linked Accounts let you connect a parent account to any number of child accounts within the same data region, organized by geography, department, or business unit. Policy Templates make governance easier by letting the parent account create reusable templates, decide what child accounts can override, and apply standards instantly. It’s a flexible way to maintain consistent security while letting teams operate independently when they need to. Coming in 2026 A couple of updates already in motion: Automated Provisioning hosted by 1Password connects directly to Okta and Entra ID, eliminating the need for self-hosted SCIM bridges so teams can deploy faster with less infrastructure to maintain. A redesigned Audit Log that brings all user and admin activity into a unified, human-readable view, making investigations and compliance reviews much easier. These improvements are all steps toward making enterprise deployment smoother, governance clearer, and day-to-day work less of a lift for admins and teams alike. If you’d like a closer look (including screenshots and examples) you can find the full breakdown in our latest blog post.
Sharing administration responsibilities
I work with an MSP and there are a few of us who are administering services for our clients. We're trying to figure out how to share 1Password. When you initially sign in you have to register your device. One of my colleagues says he last accessed this last year and now doesn't remember which computer it was from. When we try to sign in now we get: Sign into 1Password on the Firefox session that you have used before. Go to My Profile. Under Pending Sign-ins, look for Microsoft Edge. Select View. Allow the transfer request. Enter the verification code in the next step. I'm waiting on the owner of the account to reset our account and get us back in. In the meantime, what's the best way to manage this? Our client has the Enterprise Edition enabling SSO support. For us as an MSP, how can a few of us administer this a few times a year, to on-board people or reset access for others? Do we each need our own account?
Help with 1Password SSO Unlock Across Multiple Desktops
Hi, I’m looking for some assistance with 1Password in a small office environment (around 45–50 desktops) that runs Hybrid AD. We’ve enabled Unlock with SSO, and it works fine on a user’s first workstation. However, when the same user signs in on another workstation, 1Password prompts them to transfer their encryption key. The challenge is that our users often move between desktops throughout the day depending on their work schedule. This constant key transfer prompt is disruptive. Is there a way to disable this key transfer requirement or a recommended best practice to allow seamless use of SSO across multiple desktops? Thanks in advance for any guidance!
Central Control for Autofill Exclusions in 1Password Business
It would be very helpful if administrators in 1Password Business could set a policy to disable autofill for specific domains or subdomains. For internal portals like Topdesk we don’t need login items, and autofill only gets in the way. As an admin, I’d like to be able to centrally push this setting to a group, so users don’t have to configure it themselves. This would remove frustration for our team and make management much easier.
BloodHound OpenGraph
Exploring a 1Password instance to map user access to vaults SpecterOps BloodHound is a tool for mapping identities and attack paths for Microsoft products, but has added OpenGraph to do the same for other products , with one of the first examples being 1Password. What is our Bloodhound users' experience with this new tool? How does this compare to using the native tools? I have no affiliation with SpecterOps or experience with their products, but am interested in identity and access discovery in an information security context.
Permit/block access to vault by IP?
I have a situation where we want to allow access to a specific vault when they're using a given source IP. When coming from that same IP, we would want to block access to all other vaults. When using other IPs, we would want to grant full access. It doesn't appear to be doable now, but I would like to put in a feature request.
Employee Vaults - Access?
Hello all, our business environment requires that all passwords should be visible and reclaimable in the event that the employee leaves. This is fine with a shared vault, as other users have access as they may share them, or for redundancy. However we have a particular team where a shared vault isn't suitable, as each user has their own access to certain data. So in this case the Employee vault would be perfect. Except that I'm almost certain that these vaults can't be accessed by Overwatch roles, like Administrators or Owners, even though I've seen language on various docs from 1password that users with the right permissions can access them. Problem is I can't find these permissions to enable them to be visible when needed. What do you suggest is the best solution for this? Accounts are locked to business email addresses but reclaiming an account just because someone is on holiday and something important is stored in the Employee Vault sounds excessive...
