To enforce MFA with Bitwarden SSO and Azure AD integration, you configure a Conditional Access policy in Azure AD (now Microsoft Entra ID) that requires MFA for the Bitwarden enterprise application, then enable the "Require SSO Authentication" policy inside Bitwarden's organization settings so users cannot bypass SSO — and the MFA requirement attached to it — by logging in with a master password alone.
Prerequisites / What You'll Need
- Bitwarden Teams or Enterprise plan — SSO is not available on the free or Families plan. Teams costs $4.00/user/month billed annually (minimum 1 user). Enterprise costs $6.00/user/month billed annually (minimum 1 user). The "Require SSO Authentication" policy requires Enterprise.
- Microsoft Entra ID (Azure AD) tenant — P1 license minimum for Conditional Access policies ($6.00/user/month as of 2026, included in Microsoft 365 Business Premium at $22.00/user/month).
- Bitwarden organization admin or owner role
- Entra ID Global Administrator or Conditional Access Administrator role
- Bitwarden desktop or browser extension, version 2024.x or later (the SAML/OIDC SSO login flow requires this)
- A test user account that is a member of the Bitwarden organization and synced to Entra ID
- An MFA method registered for that test user in Entra (Microsoft Authenticator app, FIDO2 hardware key, or TOTP)
Step 1: Register Bitwarden as an Enterprise Application in Entra ID
Log into the Microsoft Entra admin center as a Global Administrator. Navigate to Identity → Applications → Enterprise applications → New application. Search for "Bitwarden" in the gallery — Microsoft maintains a pre-configured Bitwarden entry that pre-populates the SAML attribute mappings.
Click Bitwarden, name the application (e.g., Bitwarden-Prod), and click Create.
Once created, go to Single sign-on → SAML. You will need two values from Bitwarden before you can complete this screen: the SP Entity ID and the Assertion Consumer Service (ACS) URL. Get those in Step 2.
Common gotcha: If you don't see Bitwarden in the gallery, you're likely on a free Entra tier. The gallery application is available from Entra ID Free, but Conditional Access — needed later — requires P1.
Step 2: Grab SSO Identifiers from Bitwarden
In the Bitwarden web vault, go to Admin Console → Settings → Single Sign-On. Toggle SSO on. Set SSO Identifier to a memorable slug (e.g., mycompany). Select SAML 2.0 as the type.
Copy the SP Entity ID (format: https://sso.bitwarden.com/saml2/) and the ACS URL (format: https://sso.bitwarden.com/saml2/).
Paste these into the Entra SAML configuration screen:
- Identifier (Entity ID): the SP Entity ID from Bitwarden
- Reply URL (ACS URL): the ACS URL from Bitwarden
Save the basic SAML configuration.
Expected output: Entra generates a Federation Metadata XML download link and displays the Login URL and Azure AD Identifier. You need both for Step 3.
Step 3: Complete SAML Configuration in Bitwarden
Back in the Bitwarden SSO settings, paste the Entra values:
- IdP Entity ID: the Azure AD Identifier from Entra (format:
https://sts.windows.net/)/ - IdP Single Sign-On Service URL: the Login URL from Entra
- IdP X.509 Public Certificate: open the Federation Metadata XML, find the
value, and paste it here
Under SAML Attributes & Claims, the Bitwarden gallery app in Entra pre-maps user.userprincipalname to the NameID claim. If your users' Bitwarden email addresses match their UPN in Entra, no additional claim mapping is required.
Save the Bitwarden SSO configuration.
Common gotcha: Certificate copy-paste errors are the #1 failure point. Paste only the base64 content — no -----BEGIN CERTIFICATE----- headers — unless Bitwarden's UI specifically prompts for PEM format (it does not as of version 2024.x).
Step 4: Enable "Require SSO Authentication" Policy in Bitwarden
This step is what actually locks the door. Without it, a user can still log in with email + master password and skip Entra — and skip MFA — entirely.
In Bitwarden Admin Console → Policies, enable Require Single Sign-On Authentication. This policy forces all non-owner organization members to authenticate through SSO. Owners are exempt by design (break-glass access).
Also enable Single Organization if you want to prevent users from being members of other Bitwarden organizations, which could create a bypass path.
Expected output: After saving, members who try to log in via master password will see: "This organization requires you to log in with SSO."
Step 5: Create a Conditional Access Policy in Entra ID
Navigate to Entra ID → Protection → Conditional Access → New policy. Name it Require MFA for Bitwarden.
- Users: include the group that maps to your Bitwarden organization members (or All Users if appropriate; exclude your break-glass admin accounts).
- Target resources → Cloud apps: select the
Bitwarden-Prodenterprise application you created in Step 1. - Conditions: optionally restrict to compliant devices or specific locations if your policy requires it.
- Grant: select Grant access → check Require multifactor authentication.
Set the policy state to On (not Report-only — Report-only does not enforce MFA, it only logs).
Supported MFA methods enforced through this policy include: Microsoft Authenticator push notification, TOTP via any authenticator app, FIDO2/WebAuthn security keys (YubiKey 5 series, Google Titan, etc.), and Windows Hello for Business. SMS one-time codes are supported but Microsoft and Bitwarden's own security guidance both flag SMS as the weakest option due to SIM-swap risk — I'd avoid it unless it's the only option for a specific user population.
Common gotcha: Don't forget to exclude your emergency access / break-glass Entra accounts from this policy. Locking those out defeats their purpose.
Step 6: Assign Users and Test
Assign the Bitwarden enterprise application to your Entra users or groups under Enterprise applications → Bitwarden-Prod → Users and groups.
Then open a private/incognito browser window, go to https://vault.bitwarden.com, click Log in with SSO, enter your organization's SSO identifier, and proceed. You should be redirected to the Microsoft Entra login page. After entering credentials, Entra will prompt for MFA before issuing the SAML assertion back to Bitwarden.
Verification — You Should See These Confirmations
- Bitwarden vault access only after MFA: The vault unlocks only after a successful Entra MFA challenge. No master-password-only login is possible for organization members.
- Entra Sign-in logs confirm MFA: In Entra → Monitoring → Sign-in logs, filter by the Bitwarden application. Each successful login should show MFA result: MFA requirement satisfied by claim in the token or MFA successfully completed.
- Conditional Access policy shows as Applied: In the same sign-in log entry, open the Conditional Access tab. The
Require MFA for Bitwardenpolicy should appear with status Success. - Bitwarden admin audit log: In Admin Console → Reporting → Events, confirm SSO login events are appearing (event type:
1000— User logged in).
Recommended Tools to Complement This Setup
If you're evaluating Bitwarden alternatives with tighter native Azure AD / Entra integration, or if you want an enterprise password manager with a more polished admin console, two products worth knowing are Keeper Security and 1Password.
Keeper Security is headquartered in Chicago, IL (US jurisdiction, SOC 2 Type II audited by Schellman, 2024). It supports SAML 2.0 and OIDC SSO natively on its Business plan at $4.00/user/month billed annually (5-seat minimum) and Enterprise at $6.00/user/month billed annually (minimum varies by contract). MFA options include TOTP, WebAuthn/FIDO2, Duo Security push, RSA SecurID, and hardware keys. Encryption is AES-256 with PBKDF2-SHA256. The admin console includes a dedicated "Enforce 2FA" policy toggle that mirrors what we're building manually with Bitwarden + Entra, making it slightly faster to configure for teams without an Entra P1 license. Platforms: Windows, macOS, Linux, iOS, Android, all major browsers. Try Keeper Security — enforces MFA at the application layer without requiring an Entra P1 license.
1Password is headquartered in Toronto, Canada (PIPEDA jurisdiction, SOC 2 Type II audited by Prescient Assurance, 2024). Business plan: $7.99/user/month billed annually, 1-seat minimum. Enterprise: $14.99/user/month billed annually. SSO via SAML 2.0 is available on Business and above. 1Password's "Unlock with SSO" feature, launched broadly in 2023, uses a device-local secret key architecture so that even if your IdP (Entra) is compromised, the vault remains protected by AES-256-GCM encryption with a separate Secret Key. MFA methods: TOTP, WebAuthn/FIDO2, Duo. Platforms: Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Safari, Edge. The 1Password admin console enforces SSO-only login more granularly than Bitwarden's single toggle. Our enterprise password manager review covers both in depth. Try 1Password — stronger vault-level encryption architecture even after SSO authentication.
Troubleshooting
Error: "SAML authentication error: Unable to validate the token"
Cause: The X.509 certificate in Bitwarden doesn't match the signing certificate Entra is currently using. Entra rotates signing certificates automatically every 3 years, but a manual rollover can trigger this mid-cycle.
Fix: In Entra → Enterprise applications → Bitwarden-Prod → Single sign-on, download the current Certificate (Base64). Open Bitwarden SSO settings and replace the IdP certificate with the new value. Save and retry.
Error: "This organization requires you to log in with SSO" — but SSO login also fails
Cause: The user's email in Bitwarden doesn't match their UPN in Entra. The SAML NameID claim sends the UPN; Bitwarden matches it against the member's registered email.
Fix: Either update the user's email in Bitwarden to match their Entra UPN, or modify the SAML claim in Entra to emit user.mail instead of user.userprincipalname if their mail attribute is the correct identifier.
Error: "MFA requirement was not satisfied" — user is redirected back to Bitwarden without vault access
Cause: The Conditional Access policy is set to Report-only, or the user account is excluded from the policy scope.
Fix: In Entra → Conditional Access → your policy, confirm state is On. In the policy's Users section, confirm the affected user is not in an exclusion group.
Error: Bitwarden shows "SSO login failed" with no additional detail
Cause: The ACS URL or Entity ID was entered incorrectly in Entra (trailing slash, wrong org ID).
Fix: In Bitwarden Admin Console → SSO, copy the ACS URL and Entity ID again. In Entra → Basic SAML Configuration, paste them fresh — don't edit in place, as invisible whitespace can survive edits.
Error: Owner account is locked out after enabling "Require SSO Authentication"
Cause: Owners are exempt from the policy, but if the owner account was set up without a master password recovery method and their Entra account is inaccessible, login may still fail.
Fix: Bitwarden owners always retain master-password login. Confirm the owner is logging in at vault.bitwarden.com with email + master password (not via SSO identifier). If the master password is lost, Bitwarden's zero-knowledge architecture means account recovery requires the Account Recovery Administration policy to have been enabled beforehand.
FAQ
Does Bitwarden SSO with Azure AD enforce MFA at the Bitwarden layer or the Entra layer?
MFA is enforced at the Entra ID (Azure AD) layer, not inside Bitwarden itself. When a user initiates SSO login, Bitwarden redirects to Entra for authentication. Entra's Conditional Access policy checks whether MFA has been completed before issuing the SAML assertion. Bitwarden never sees the MFA challenge — it only receives a signed SAML token after Entra is satisfied. This means your MFA method options are whatever Entra supports: Microsoft Authenticator push, TOTP, FIDO2/WebAuthn hardware keys, and Windows Hello. Bitwarden's own built-in 2FA (TOTP or Duo) is separate and applies only to master-password logins, which are blocked for org members by the Require SSO policy.
Can users bypass MFA by logging into Bitwarden with their master password instead of SSO?
Not if you have enabled the "Require Single Sign-On Authentication" policy in Bitwarden's Admin Console. That policy blocks organization members from using master-password login entirely — they must go through the SSO flow, which runs through Entra and its Conditional Access MFA requirement. Organization owners are the one exception: they retain master-password access as a break-glass measure. This is a documented design choice by Bitwarden, not a bug. For this reason, your organization owner account should have an extremely strong master password and its own MFA configured separately.
What Entra ID license do I need to enforce MFA for Bitwarden specifically?
You need at least Microsoft Entra ID P1, which costs $6.00/user/month billed monthly (or is included in Microsoft 365 Business Premium at $22.00/user/month billed annually). Conditional Access — the feature that lets you target MFA enforcement at a specific application like Bitwarden — requires P1 or higher. The free Entra ID tier only supports Security Defaults, which enforces MFA for all apps globally and cannot be scoped to a single application. If you're on free Entra and need per-app M