Microsoft Entra ID

Overview

This guide describes how to configure passwordless login to a Windows workstation joined to Entra ID using virtual smart card technology and the Hideez Authenticator mobile app.

Use Case: The user scans a QR code on the locked workstation screen with the Hideez Authenticator app, authenticates in the app using biometrics or a PIN, selects an account, and unlocks the PC without entering a password.

Because the workstation is unlocked with a certificate on a virtual smart card, there is no need to change the domain account password.

Prerequisites

  • Administrator account on Hideez Identity Cloud.

  • Entra ID account with permission to add certificates.

  • Hideez Identity Cloud is integrated with Entra ID.

  • The root certificate from Hideez Identity Cloud is uploaded to Entra ID.

  • The user exists with the same email address in both Hideez Identity Cloud and Entra ID.

  • Hideez Authenticator mobile app is registered in the user's Hideez Identity Cloud profile.

  • Hideez Client is installed on the workstation.

  • The workstation is approved on Hideez Identity Cloud.

Configuration Steps

1. Connect Entra ID to Hideez Server and Retrieve the Certificate

Follow the instructions for integrating Entra ID with the Hideez Identity Cloud. After a successful connection, download the certificate to be used in Entra ID.

2. Upload the Root Certificate to Entra ID

Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com, then create a Public Key Infrastructure: Protection → Security Center → Public Key Infrastructure → Create PKI.

Open the created PKI and add a Certificate Authority (CA):

  • Click Add CA and upload the certificate file downloaded from Hideez Identity Cloud.

  • Leave the Certificate Revocation List URL field empty.

  • Save the changes.

3. Set Up Certificate-Based Authentication (CBA)

Allow users to sign in without a password using a certificate issued by Hideez Identity Cloud and the Hideez Authenticator app.

  1. Create a User Group

  • Go to: Users → Groups

  • Create a Security Group (e.g., "Smartcard logon").

  • Add users who will authenticate via Hideez Authenticator.

  2. Enable Certificate-Based Authentication for the Group

  • Navigate to: Protection → Authentication Methods → Certificate-Based Authentication

  • Click Add Group

  • Enable the method and add the created group

  3. Configure Authentication Binding

  • Select the group and click Configure

  • Set up Authentication binding as follows:

    • Click Add rule → Certificate field: PrincipalName

    • Click Add rule → Certificate field: RFC822Name

This ensures a proper match between the certificate and the Entra ID account.

  4. Enable Multi-Factor Authentication (Optional)

  • If your tenant’s security policy requires MFA, make sure it’s enabled for this group.
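The two binding rules above, as an added example that is not Hideez's or Microsoft's code: a stdlib-only Python check that walks a certificate's SubjectAltName extension value and tests whether its PrincipalName (UPN otherName) or RFC822Name entry matches an Entra ID account. It assumes both rules map to the userPrincipalName attribute (the default target for these certificate fields) and uses a constructed sample SAN rather than a certificate issued by Hideez Identity Cloud.

```python
# Added example (not Hideez or Microsoft code). Applies the two username-binding
# rules from step 3 to a certificate's SubjectAltName: the PrincipalName (UPN
# otherName) or the RFC822Name must equal the user's userPrincipalName, which is
# assumed here to be the attribute both rules map to. Stdlib-only DER walk.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, szOID_NT_PRINCIPAL_NAME

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short or one-byte long form)."""
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x81, n])
    return bytes([tag]) + length + content

def _walk(buf: bytes):
    """Yield (tag, content) for each consecutive TLV in buf."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                      # long form: next (ln & 0x7f) bytes hold the length
            k = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + ln]
        i += ln

def san_names(san_der: bytes) -> dict:
    """Return the PrincipalName and RFC822Name entries of a DER SubjectAltName value."""
    names = {"PrincipalName": [], "RFC822Name": []}
    (_, seq), = _walk(san_der)             # GeneralNames ::= SEQUENCE OF GeneralName
    for tag, content in _walk(seq):
        if tag == 0x81:                    # [1] rfc822Name, IA5String
            names["RFC822Name"].append(content.decode("ascii"))
        elif tag == 0xA0:                  # [0] otherName: type-id OID, [0] EXPLICIT value
            (_, oid), (_, value) = _walk(content)
            if oid == UPN_OID:
                (_, utf8), = _walk(value)  # value is a UTF8String holding the UPN
                names["PrincipalName"].append(utf8.decode("utf-8"))
    return names

def binds_to_user(san_der: bytes, user_principal_name: str) -> bool:
    """True if either binding rule (PrincipalName or RFC822Name) matches the account."""
    names = san_names(san_der)
    target = user_principal_name.lower()
    return any(n.lower() == target for n in names["PrincipalName"] + names["RFC822Name"])

def make_sample_san(upn: str, email: str) -> bytes:
    """Constructed sample SAN for testing; not a certificate issued by Hideez."""
    other = _tlv(0xA0, _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8"))))
    return _tlv(0x30, other + _tlv(0x81, email.encode("ascii")))

if __name__ == "__main__":
    san = make_sample_san("alice@example.com", "alice@example.com")
    print(san_names(san), binds_to_user(san, "Alice@example.com"))  # both names found, True
```

If a Hideez-issued certificate carries a UPN that differs from the user's Entra ID userPrincipalName, this is the check that fails at sign-in, which is why the prerequisites require the same email address in both systems.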

4. Create a Passwordless Login Account

Sign in to the Entra ID account on the workstation, then:

  1. Launch Hideez Client and go to: Mobile → Passwordless Authorization.

  2. Scan the QR code with the Hideez Authenticator app.

  3. The app creates a passwordless login account for this workstation.

From now on, you can log in without entering a password.

Additional: Offline Mode

If there is no internet connection, you can unlock the workstation using offline codes. These codes are generated in the Hideez Authenticator app, automatically updated after each successful online login, and stored in the workstation's TPM (Trusted Platform Module).

How to use an offline code:

  1. On the lock screen, click “Unlock with offline code.”

  2. In the Hideez Authenticator app, select the relevant account under the “Workstations” section.

  3. Tap Show Offline Code.

  4. Enter the generated code on the PC to authenticate.


Last updated 11 days ago
