Microsoft Entra ID

Overview

This guide describes how to configure passwordless login to a Windows workstation joined to Entra ID using virtual smart card technology and the Hideez Authenticator mobile app.

Use Case:

  • The user scans a QR code on the locked workstation screen via the Hideez Authenticator app.

  • They authenticate in the app using biometrics or a PIN.

  • The user selects an account and unlocks the PC — without entering a password.

Prerequisites

  • Administrator account on Hideez Identity Cloud.

  • Entra ID account with permission to add certificates.

  • The user exists with the same email address in both Hideez Identity Cloud and Entra ID.

  • Hideez Authenticator mobile app is registered in the user's Hideez Identity Cloud profile.

  • Hideez Client is installed on the workstation.

  • The workstation is approved on Hideez Identity Cloud.

Configuration Steps

1. Connect Entra ID to Hideez Server and Retrieve the Certificate

Follow the instructions for integrating Entra ID with the Hideez Identity Cloud. After a successful connection, download the certificate to be used in Entra ID.

2. Upload the Root Certificate to Entra ID

  • Log in to Microsoft Entra Admin Center: https://entra.microsoft.com

  • Create a Public Key Infrastructure: Protection → Security Center → Public Key Infrastructure → Create PKI

  • Open the created PKI and add a Certificate Authority (CA): Click Add CA → Upload the certificate file from Hideez Identity Cloud.

  • "Certificate Revocation List URL" — leave this field empty.

  • Save changes.

3. Set Up Certificate-Based Authentication (CBA)

Allow users to sign in without a password using a certificate issued by Hideez Identity Cloud and the Hideez Authenticator app.

  1. Create a User Group

  • Go to: Users → Groups

  • Create a Security Group (e.g., "Smartcard logon").

  • Add users who will authenticate via Hideez Authenticator.

  2. Enable Certificate-Based Authentication for the Group

  • Navigate to: Protection → Authentication Methods → Certificate-Based Authentication

  • Click Add Group

  • Enable the method and add the created group

  3. Configure Authentication Binding

  • Select the group and click Configure

  • Set up Authentication binding as follows:

    • Click Add rule → Certificate field: "PrincipalName"

    • Click Add rule → Certificate field: "RFC822Name"

This ensures a proper match between the certificate and the Entra ID account.

  4. Enable Multi-Factor Authentication (Optional)

If your tenant’s security policy requires MFA, make sure it’s enabled for this group.
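The portal steps in section 3 can also be applied and verified from the command line. The following script is an added example, not Hideez or Microsoft documentation code; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgGroup`, `Invoke-MgGraphRequest`) against the v1.0 `x509Certificate` authentication method configuration. It assumes the security group is named "Smartcard logon" as in step 3.1, that the caller holds the `Policy.ReadWrite.AuthenticationMethod` and `Group.Read.All` scopes, and that the tenant does not require MFA for this group (otherwise change the default mode to `x509CertificateMultiFactor`). The read-back at the end is the check a practitioner wants before handing the workstation to users: both binding rules present, and the method scoped to the group rather than to all users.

```powershell
# Added example (not Hideez or Microsoft documentation code): applies steps 3.2-3.4
# of this guide through Microsoft Graph, then reads the policy back for verification.
# Assumed: Microsoft.Graph PowerShell SDK installed; group name from step 3.1.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Group.Read.All"

# Step 3.1 created this group in the portal; look it up by the name used in the guide.
$groupName = "Smartcard logon"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it first (step 3.1)." }

$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate"

$body = @{
    "@odata.type" = "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration"
    state         = "enabled"
    # Step 3.2: enable the method only for members of the group, not tenant-wide.
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $group.Id
            isRegistrationRequired = $false
        }
    )
    # Step 3.3: map the certificate's PrincipalName and RFC822Name to the account UPN.
    # Lower priority number wins when both fields are present.
    certificateUserBindings = @(
        @{ x509CertificateField = "PrincipalName"; userProperty = "userPrincipalName"; priority = 1 },
        @{ x509CertificateField = "RFC822Name";    userProperty = "userPrincipalName"; priority = 2 }
    )
    # Step 3.4: single-factor by default; use x509CertificateMultiFactor if policy requires MFA.
    authenticationModeConfiguration = @{
        x509CertificateAuthenticationDefaultMode = "x509CertificateSingleFactor"
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $policyUri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verification: confirm both binding rules and the group target are in effect.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$fields = @($policy.certificateUserBindings | ForEach-Object { $_.x509CertificateField })
foreach ($required in @("PrincipalName", "RFC822Name")) {
    if ($fields -notcontains $required) { throw "Binding rule for '$required' is missing." }
}
$targets = @($policy.includeTargets | Where-Object { $_.targetType -eq "group" -and $_.id -eq $group.Id })
if ($targets.Count -eq 0) { throw "Method is not scoped to group '$groupName'." }

"CBA state: $($policy.state); bindings: $($fields -join ', '); scoped to group $($group.Id)"
```

The same PATCH body can be re-applied idempotently, which makes it suitable for a change-control script; keep the CRL field on the Hideez CA empty as section 2 instructs, since Entra ID will fail certificate logons if a configured CRL URL cannot be fetched.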

4. Create a Passwordless Login Account

  • Sign in to the workstation using your Entra ID account and its password.

  • Launch Hideez Client and go to: Mobile → Passwordless Authorization

  • Scan the QR code with the Hideez Authenticator app.

  • The app will create a passwordless login account.

Congratulations! You can now log in without entering your password.

Additional: Offline Mode

If there is no internet connection, you can unlock the workstation using offline codes. These codes are generated in the Hideez Authenticator app, automatically updated after each successful online login, and stored in the workstation's TPM.

How to use an offline code:

  • On the lock screen, click Unlock with offline code.

  • In the Hideez Authenticator app:

    • Select the relevant account under the Workstations section.

    • Tap Show Offline Code.

    • Enter the generated code on the PC to authenticate.
