1Security

Installation

Choose the deployment model that fits your security and compliance needs.

1Security offers flexible deployment options to meet your organization's compliance, data residency, and operational requirements. You can choose to run 1Security as a fully managed SaaS (Cloud), deploy it within your own Azure environment (BYOC), or host it fully On-Premise.

Prerequisites

Regardless of your chosen deployment method, you will need:

  • A Microsoft 365 tenant
  • Global Administrator access (for the initial OAuth consent)
  • Modern browser (Chrome, Edge, Firefox, Safari - last two major versions)

Deployment Models

Recommended for most teams.

1Security manages the infrastructure, updates, and maintenance. You simply log in and connect your tenant.

  • Zero infrastructure to manage.
  • Continuous updates with no downtime.
  • Setup takes less than 5 minutes.
  • Hosted in secure, SOC 2 Type II compliant environments.

Getting Started

Create your account

Go to 1security.ai and sign up using your Microsoft work account. We use OAuth - your password never leaves Microsoft.

Grant tenant permissions

During the consent dialog, an admin in your tenant approves the permissions 1Security needs to read your Microsoft 365 metadata. We never request write access to user data without an explicit per-action prompt.

Run your first scan

Once connected, the platform automatically queues an initial scan. You'll see results stream in over the next few minutes.

Bring Your Own Cloud is ideal for organizations with strict data residency requirements that want to keep all processed data inside their own Azure tenant, while still using our managed Docker images.

Architecture Overview

Docker images are provided pre-built from 1Security's Azure Container Registry. You will receive access credentials to pull images directly to your environment.

Required Azure Services:

  • Azure App Service (Linux): 2 instances (API + Client)
  • Azure App Service Plan: Separate compute plans for API and Client recommended.
  • Azure Database for PostgreSQL: Flexible Server recommended over Single Server.
  • Azure Key Vault (Optional): Secure storage for secrets and certificates.
  • Azure Storage Account (Optional): File share for certificate mounting.

Resource Specifications & Estimated Costs

Tenant scans are CPU and memory-intensive. Below are recommended specs based on active users (costs exclude discounts like Reserved Instances, which can reduce prices by ~60%):

Tenant SizeAPI ServerClient AppPostgreSQLEstimated Monthly Cost
Small (< 350 users)P2V3 (2 vCPU, 8GB RAM)P1V2 (1 vCPU, 3.5GB RAM)Standard_D2s_v3 (2 vCores, 8GB RAM)~$355 / month
Medium (350-1,000 users)P3V3 (4 vCPU, 16GB RAM)P2V3 (2 vCPU, 8GB RAM)Standard_D2s_v3 (2 vCores, 8GB RAM)~$580 / month
Large (1,000+ users)P3V3 (4 vCPU, 16GB RAM)P2V3 (2 vCPU, 8GB RAM)Standard_D4s_v3 (4 vCores, 16GB RAM)~$840+ / month

Required Permissions

To set up the BYOC deployment, the administrator needs:

  • Azure Subscription: Contributor role (or Resource Group Owner).
  • Entra ID: Application Admin or Cloud Application Admin (to create App Registrations and grant consent).
  • Specific Resources: App Service Contributor, Key Vault Admin, PostgreSQL Contributor.

Contact our support team to receive your ACR credentials and the complete BYOC deployment manifests.

Fully self-hosted deployment for organizations with air-gapped environments or ultimate infrastructure control needs.

  • Total control of data location and network boundaries.
  • Air-gapped installation supported.

Minimum Hardware Requirements

  • Compute: 16 vCPU
  • Memory: 64 GB RAM
  • Storage: 500 GB SSD (NVMe recommended)

Contact our enterprise sales team to plan an on-premise deployment.

Granting consent requires Global Administrator privileges. If you're not a global admin, ask one to complete the consent flow - you can still own day-to-day operations afterwards.

Verifying the install

After the consent flow and environment setup finish, you should land on the dashboard with at least the following populated:

  • Tenant card showing your tenant ID and domain
  • Scan status showing "Running" or "Queued"
  • Users count matching what you see in the Microsoft 365 admin centre (give it a minute to sync)

If any of these are missing, see connecting tenants for troubleshooting.

Welcome

Guides, references, and how-tos for the 1Security platform.

Your First Scan

Understand what happens after you connect the tenant - and how to read the results.

On this page

PrerequisitesDeployment ModelsGetting StartedCreate your accountGrant tenant permissionsRun your first scanArchitecture OverviewResource Specifications & Estimated CostsRequired PermissionsMinimum Hardware RequirementsVerifying the install