Users API for partners: what changes for SOC-driven identity response?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Security teams can now suspend or restore users in Enterprise Password Manager through SOC workflows using 1Password’s public preview Users API for Partners, with OAuth 2.0-based delegated access and auditability, according to 1Password. The practical shift is not just faster response, but tighter identity action orchestration when alerts and remediation need to stay aligned.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams use automated identity actions in SOC workflows?

A: Use automated identity actions only for well-defined response cases such as high-confidence compromise, credential abuse, or containment workflows that already have clear approval boundaries.

Q: Why do delegated identity APIs matter for incident response?

A: Delegated identity APIs matter because they let security tooling enforce access decisions without handing broad admin rights to every response system.

Q: What breaks when identity suspension is still manual during incidents?

A: Manual suspension breaks containment speed, increases exposure time, and creates inconsistent execution when responders are under pressure.

Practitioner guidance

  • Define which alerts can trigger identity suspension: Map the specific incident types that may justify automated suspension or restoration, then restrict those actions to validated detection paths with explicit scope boundaries.
  • Separate detection authority from execution authority: Ensure the system that identifies risk is not the same system that can freely change identity state unless the delegated scope is tightly constrained and reviewable.
  • Require immutable audit evidence for every identity action: Capture the triggering event, timestamp, actor, and outcome for each suspend or restore action so security review and compliance checks can reconstruct the full sequence.

What's in the full announcement

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • Configuration steps for connecting EPM with CrowdStrike, Elastic, Sumo Logic, Tines, Torq, and BlinkOps.
  • The Users API for Partners preview workflow for listing users, suspending access, and restoring access.
  • How 1Password positions api.1Password.com as the entry point for future partner APIs.
  • Implementation notes for automated provisioning, confidential computing, and multi-tenancy.

👉 Read 1Password’s analysis of the Users API for partners and SOC identity response →

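The three practitioner guidance points above, sketched as a policy gate with a tamper-evident audit trail. This is an added example, not part of the original post and not 1Password's code. The alert fields, service identity names, thresholds and the hash-chain design are assumptions, and the actual suspend call is left out because the post gives no endpoint details.

```python
import hashlib
import json

# Constructed policy: alert types in scope for suspension, with minimum confidence.
SUSPEND_POLICY = {"credential_abuse": 0.9, "account_compromise": 0.95}
EXECUTOR_ID = "svc-identity-executor"  # hypothetical identity holding the delegated scope
GENESIS = "0" * 64
# Constructed sample alerts (not real detections).
SAMPLE_ALERTS = [
    {"id": "a-1", "type": "credential_abuse", "confidence": 0.97, "user": "u-17", "detector": "svc-siem"},
    {"id": "a-2", "type": "impossible_travel", "confidence": 0.99, "user": "u-22", "detector": "svc-siem"},
    {"id": "a-3", "type": "account_compromise", "confidence": 0.99, "user": "u-31", "detector": EXECUTOR_ID},
]

def decide(alert):
    """Return (allowed, reason) for a suspend request derived from an alert."""
    threshold = SUSPEND_POLICY.get(alert["type"])
    if threshold is None:
        return False, "alert type not in suspension scope"
    if alert["confidence"] < threshold:
        return False, "confidence below threshold"
    if alert["detector"] == EXECUTOR_ID:
        return False, "detector and executor must be separate identities"
    return True, "policy match"

def record_action(log, alert, timestamp):
    """Gate the alert and append a hash-chained record of the decision."""
    allowed, reason = decide(alert)
    record = {
        "trigger": alert["id"], "timestamp": timestamp, "actor": EXECUTOR_ID,
        "user": alert["user"], "action": "suspend", "reason": reason,
        "outcome": "approved" if allowed else "denied",
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    log.append(record)
    return allowed

def verify_chain(log):
    """Recompute every hash; an edited, reordered or removed record breaks the chain."""
    prev = GENESIS
    for record in log:
        body = {k: v for k, v in record.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != record["hash"]:
            return False
        prev = record["hash"]
    return True
```

Denied requests are logged as well as approved ones, so a reviewer can see which alerts attempted an identity action and why each was refused.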