Setting Up Passwordless Workstation Login with Entra ID
Overview
This guide describes how to configure passwordless login to a Windows workstation joined to Entra ID, using virtual smart card technology together with the Hideez Authenticator mobile app.
Use Case:
The user scans a QR code on the locked workstation screen via the Hideez Authenticator app.
They authenticate in the app using biometrics or a PIN.
The user selects an account and unlocks the PC — without entering a password.
Because the login is based on a certificate mapped to the user's account rather than on the password, the domain account password stays unchanged and is not typed on the workstation.
Prerequisites
Administrator account on Hideez Enterprise Server.
Entra ID administrator account with permission to manage certificate authorities (Public Key Infrastructure) and the Certificate-Based Authentication method in the tenant.
Hideez Enterprise Server is integrated with Entra ID.
The root certificate from Hideez Enterprise Server is uploaded to Entra ID.
The user exists with the same email address in both Hideez Enterprise Server and Entra ID.
Hideez Authenticator mobile app is registered in the user's Hideez Enterprise Server profile.
Hideez Client is installed on the workstation.
The workstation is approved on Hideez Enterprise Server.
Configuration Steps
1. Connect Entra ID to Hideez Server and Retrieve the Certificate
Follow the instructions for integrating Entra ID with the Hideez Enterprise Server. After the connection succeeds, download the certificate that will be uploaded to Entra ID as the trusted root for certificates issued through Hideez.
2. Upload the Root Certificate to Entra ID
Create a Public Key Infrastructure:
Protection → Security Center → Public Key Infrastructure → Create PKI
Open the created PKI and add a Certificate Authority (CA):
Click Add CA and upload the certificate file downloaded from Hideez Enterprise Server.
Certificate Revocation List URL: leave this field empty. Note that Entra ID then performs no revocation check for certificates issued under this CA, so a lost or compromised credential has to be disabled on the Hideez Enterprise Server side (for example, by removing the Hideez Authenticator registration from the user's profile) rather than through a CRL.
Save changes.
More details: [How to: Configure Certificate Authorities (Microsoft)]
3. Set Up Certificate-Based Authentication (CBA)
This step allows users in a chosen group to sign in without a password using a certificate issued by Hideez Enterprise Server and presented through the Hideez Authenticator app.
Create a User Group
Go to:
Users → Groups
Create a Security Group (e.g., "Smartcard logon").
Add users who will authenticate via Hideez Authenticator.
Enable Certificate-Based Authentication for the Group
Navigate to:
Protection → Authentication Methods → Certificate-Based Authentication
Click Add Group
Enable the method and add the created group
Configure Authentication Binding
Select the group and click Configure
Set up Authentication binding as follows:
Click Add rule → Certificate field: PrincipalName
Click Add rule → Certificate field: RFC822Name
Each rule tells Entra ID which field of the presented certificate to compare with which attribute of the user object (the user attribute side of the rule is typically userPrincipalName). With both rules in place, a certificate that carries the user's UPN either in the otherName PrincipalName entry or in the RFC822Name entry of the Subject Alternative Name is matched to the account; this is why the prerequisite that the user has the same email address in Hideez Enterprise Server and Entra ID matters. Both fields are classified by Microsoft as low-affinity bindings, and the rules only apply to certificates that chain to the CA uploaded in step 2.
Enable Multi-Factor Authentication (Optional) In the same Configure pane, the Protection level setting decides whether a certificate sign-in counts as single-factor or multi-factor authentication. If your tenant's security policy or Conditional Access requires MFA, set it to Multi-factor authentication for this group; otherwise the certificate sign-in is treated as single-factor and users may still be prompted for a second factor.
More details: [How to: Enable Certificate-Based Authentication (Microsoft)]
4. Create a Passwordless Login Account
Sign in to the workstation with the Entra ID account (this first sign-in still uses the password).
Launch Hideez Client → Go to:
Mobile → Passwordless Authorization
Scan the QR code with the Hideez Authenticator app.
The app creates a passwordless login account for this workstation and the user's certificate is provisioned to the virtual smart card.
From now on, the user can unlock and log in to the workstation without entering a password.
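The following PowerShell script is an added pre-flight check for steps 2 to 4; it is not part of the Hideez or Microsoft documentation. The first function confirms that the file downloaded from Hideez Enterprise Server really is a CA certificate (CA flag, KeyCertSign usage, validity) before it is uploaded in step 2. The second function, usable once step 4 has provisioned a certificate to the user, checks that the user certificate chains to that root only and extracts the PrincipalName and RFC822Name values that the binding rules from step 3 compare with the user's UPN. It assumes PowerShell 7 on Windows (CustomRootTrust and the Windows SAN formatting); the file names and the UPN are placeholders, and the user certificate is assumed to have been exported from the user's Personal certificate store.

```powershell
# Added example (not Hideez or Microsoft code). Assumes PowerShell 7 on Windows.
# Paths and the UPN below are placeholders.
using namespace System.Security.Cryptography.X509Certificates

function Test-HideezRootCert {
    # Step 2 check: is the downloaded file a usable, self-signed CA certificate?
    param([Parameter(Mandatory)][string]$Path)
    $ca    = [X509Certificate2]::new($Path)
    $basic = $ca.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $ku    = $ca.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $now   = Get-Date
    [pscustomobject]@{
        Subject      = $ca.Subject
        Thumbprint   = $ca.Thumbprint          # compare with what Entra ID shows after upload
        SelfSigned   = ($ca.Subject -eq $ca.Issuer)
        IsCA         = [bool]($basic -and $basic.CertificateAuthority)
        CanSignCerts = [bool]($ku -and ([int]($ku.KeyUsages -band [X509KeyUsageFlags]::KeyCertSign)) -ne 0)
        Valid        = ($now -ge $ca.NotBefore -and $now -le $ca.NotAfter)
        NotAfter     = $ca.NotAfter
    }
}

function Test-UserCertBinding {
    # Step 3/4 check: does the user's certificate chain to the Hideez root, and do its
    # SAN entries carry the UPN that the PrincipalName / RFC822Name rules will look for?
    param(
        [Parameter(Mandatory)][string]$UserCertPath,
        [Parameter(Mandatory)][string]$CaCertPath,
        [Parameter(Mandatory)][string]$ExpectedUpn
    )
    $user = [X509Certificate2]::new($UserCertPath)
    $ca   = [X509Certificate2]::new($CaCertPath)

    # Trust only the uploaded root (not the machine store) and skip revocation,
    # mirroring the "CRL URL left empty" configuration in Entra ID.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode      = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.CustomTrustStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($user)

    # Subject Alternative Name (OID 2.5.29.17). Windows formats the otherName UPN entry
    # as "Principal Name=<upn>" and the e-mail entry as "RFC822 Name=<mail>".
    $san  = $user.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $text = if ($san) { $san.Format($true) } else { '' }
    $principalName = [regex]::Match($text, 'Principal Name=([^\s,]+)').Groups[1].Value
    $rfc822Name    = [regex]::Match($text, 'RFC822 Name=([^\s,]+)').Groups[1].Value

    [pscustomobject]@{
        Issuer                  = $user.Issuer
        ChainsToHideezRoot      = $chainOk
        ChainStatus             = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        PrincipalName           = $principalName
        RFC822Name              = $rfc822Name
        # The script compares case-insensitively; at least one field must equal the UPN
        # for the binding rules from step 3 to match the account.
        PrincipalNameMatchesUpn = [bool]($principalName -and ($principalName -ieq $ExpectedUpn))
        RFC822NameMatchesUpn    = [bool]($rfc822Name -and ($rfc822Name -ieq $ExpectedUpn))
    }
}

# Usage (replace the placeholder paths and UPN):
Test-HideezRootCert -Path '.\hideez-root.cer'
Test-UserCertBinding -UserCertPath '.\alice.cer' -CaCertPath '.\hideez-root.cer' -ExpectedUpn 'alice@contoso.com'
```

If IsCA or CanSignCerts is False, the wrong file was downloaded (for example a server or user certificate instead of the root). If ChainsToHideezRoot is False, the user certificate was not issued under the CA that Entra ID trusts and certificate-based sign-in will fail regardless of the binding rules.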
Additional: Offline Mode
If the workstation has no internet connection, it can be unlocked with an offline code. The codes are generated in the Hideez Authenticator app, refreshed automatically after each successful online login, and stored in the workstation's TPM. You can confirm that the TPM is available by running Get-Tpm in an elevated PowerShell session: TpmPresent and TpmReady should both be True.
How to use an offline code:
On the lock screen, click “Unlock with offline code.”
In the Hideez Authenticator app:
Select the relevant account under the “Workstations” section.
Tap Show Offline Code.
Enter the code shown in the app on the PC lock screen to authenticate.