Microsoft Entra ID

Overview

This guide describes how to configure passwordless login to a Windows workstation joined to Entra ID using virtual smart card technology and the Hideez Authenticator mobile app.

Use Case: The user scans a QR code on the locked workstation screen via the Hideez Authenticator app. They authenticate in the app using biometrics or a PIN. The user selects an account and unlocks the PC — without entering a password.

Thanks to this technology, there's no need to change the domain account password.

Prerequisites

• Administrator account on Hideez Identity Cloud.

• Entra ID account with permission to add certificates.

• Hideez Identity Cloud is integrated with Entra ID.

• The root certificate from Hideez Identity Cloud is uploaded to Entra ID.

• The user exists with the same email address in both Hideez Identity Cloud and Entra ID.

• Hideez Authenticator mobile app is registered in the user's Hideez Identity Cloud profile.

• Hideez Client is installed on the workstation.

• The workstation is approved on Hideez Identity Cloud.

Configuration Steps

1. Connect Entra ID to Hideez Server and Retrieve the Certificate

Follow the instructions for integrating Entra ID with the Hideez Identity Cloud. After a successful connection, download the certificate to be used in Entra ID.

2. Upload the Root Certificate to Entra ID

Create a Public Key Infrastructure: Protection → Security Center → Public Key Infrastructure → Create PKI

Open the created PKI and add a Certificate Authority (CA): Click Add CA → Upload the certificate file from Hideez Identity Cloud. Certificate Revocation List URL — leave this field empty. Save changes.

3. Set Up Certificate-Based Authentication (CBA)

Allow users to sign in without a password using a certificate issued by Hideez Identity Cloud and the Hideez Authenticator app.

1. Create a User Group

• Go to: Users → Groups

• Create a Security Group (e.g., "Smartcard logon").

• Add users who will authenticate via Hideez Authenticator.

1. Enable Certificate-Based Authentication for the Group

• Navigate to: Protection → Authentication Methods → Certificate-Based Authentication

• Click Add Group

• Enable the method and add the created group

1. Configure Authentication Binding

• Select the group and click Configure

• Set up Authentication binding as follows:

  • Click Add rule → Certificate field: PrincipalName

  • Click Add rule → Certificate field: RFC822Name

This ensures a proper match between the certificate and the Entra ID account.

1. Enable Multi-Factor Authentication (Optional) If your tenant’s security policy requires MFA, make sure it’s enabled for this group.

4. Create a Passwordless Login Account

Sign in to the Entra ID account on the workstation. Launch Hideez Client → Go to: Mobile → Passwordless Authorization Scan the QR code with the Hideez Authenticator app. The app will create a passwordless login account. From now on, you can log in without entering a password.

Additional: Offline Mode

If there is no internet connection, you can unlock the workstation using offline codes. These codes are generated in the Hideez Authenticator app, automatically updated after each successful online login, and stored in the TPM module of your PC.

How to use an offline code:

On the lock screen, click “Unlock with offline code.” In the Hideez Authenticator app: Select the relevant account under the “Workstations” section. Tap Show Offline Code. Enter the generated code on the PC to authenticate.