# Setting Up Passwordless Workstation Login with Entra ID

## Overview

This guide describes how to configure passwordless login to a Windows workstation joined to Entra ID using virtual smart card technology and the Hideez Authenticator mobile app.

## Use Case

* The user scans a QR code on the locked workstation screen via the Hideez Authenticator app.
* They authenticate in the app using biometrics or a PIN.
* The user selects an account and unlocks the PC — without entering a password.
* The account password is never entered on the workstation and does not need to be changed: the certificate on the virtual smart card is used in its place.

## Prerequisites

* Administrator account on Hideez Enterprise Server.
* Entra ID administrator account with permission to manage certificate authorities and authentication methods.
* Hideez Enterprise Server is integrated with Entra ID.
* The root certificate from Hideez Enterprise Server is uploaded to Entra ID.
* The user exists with the same email address in both Hideez Enterprise Server and Entra ID.
* Hideez Authenticator mobile app is registered in the user's Hideez Enterprise Server profile.
* Hideez Client is installed on the workstation.
* The workstation is approved on Hideez Enterprise Server.

## Configuration Steps

### **1. Connect Entra ID to Hideez Server and Retrieve the Certificate**

Follow the instructions for integrating Entra ID with the Hideez Enterprise Server.\
After a successful connection, download the root certificate; it is uploaded to Entra ID in the next step.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2F5Htgn27AVld7e26RaIBd%2Fimage.png?alt=media&#x26;token=579285fd-6679-4d78-9630-acaec750c1b5" alt=""><figcaption></figcaption></figure>

### **2. Upload the Root Certificate to Entra ID**

1. Log in to Microsoft Entra Admin Center: [https://entra.microsoft.com](https://entra.microsoft.com/)
2. Type "Security" in the search field.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2F9nB2VWFyZToPptgW8TsM%2Fimage.png?alt=media&#x26;token=434a8626-5360-408f-ab43-c06f119ec521" alt=""><figcaption></figcaption></figure>

3. Create a Public Key Infrastructure:\
   `Security → Public Key Infrastructure → Create PKI`

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FwMf1vaxhgx9OVNpFYbds%2Fimage.png?alt=media&#x26;token=16cc35df-99e6-4ccf-a642-e4ff704cfc42" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2F81RUGmjEkfKF9djPHRqy%2Fimage.png?alt=media&#x26;token=4670ce13-6b1e-4e50-b2ce-e102c9f824cd" alt="" width="563"><figcaption></figcaption></figure>

4. Open the created PKI and add a Certificate Authority (CA):

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FhWxmkkXk6ojblb9EJKHT%2Fimage.png?alt=media&#x26;token=f5dd308b-a3ae-419e-9b96-5a8bb907e522" alt=""><figcaption></figcaption></figure>

* Click **Add CA** → **Upload the certificate file from Hideez Enterprise Server.**

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2Fuqzm7AiOcxnv75e4vuyG%2Fimage.png?alt=media&#x26;token=3d718110-b8cf-403e-8b30-6fb3d3df29a3" alt=""><figcaption></figcaption></figure>

* **Certificate Revocation List URL** — leave this field empty. Entra ID then performs no revocation checking for certificates issued by this CA, so a lost or compromised authenticator must be disabled in Hideez Enterprise Server (or the user blocked in Entra ID) rather than relying on certificate revocation.

5. Save changes.

{% hint style="info" %}
More details: [How to: Configure Certificate Authorities (Microsoft)](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication#configure-certificate-authorities-by-using-the-microsoft-entra-admin-center)
{% endhint %}
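Before uploading, it is worth confirming that the downloaded file really is a self-signed CA certificate and noting its thumbprint and subject key identifier, so the entry that appears in the admin center can be checked against the file. The following PowerShell function is an added example, not part of the Hideez documentation or product; the function name and file path are hypothetical, and it runs on any Windows host without tenant access.

```powershell
# Added example (not from the Hideez documentation): sanity-check the root
# certificate downloaded from Hideez Enterprise Server before it is uploaded
# as a CA in Entra ID. Runs on Windows PowerShell 5.1 or PowerShell 7 on
# Windows; no tenant access is needed. The path used below is hypothetical.

function Test-RootCaCertificate {
    param(
        # DER- or Base64-encoded .cer/.crt file exported from Hideez Enterprise Server.
        [Parameter(Mandatory)]
        [string]$Path
    )

    $fullPath = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
    $now  = Get-Date

    # A root CA is self-signed, so Subject and Issuer must be identical.
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)

    # Basic Constraints must assert CA=TRUE; an end-entity certificate cannot
    # issue the logon certificates that Entra ID will later validate.
    $basicConstraints = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($null -ne $basicConstraints) -and $basicConstraints.CertificateAuthority

    # Subject Key Identifier (SKI): Entra ID records the issuer identity of the
    # uploaded CA, so keep the SKI and thumbprint to compare with the entry shown
    # in the admin center after the upload.
    $skiExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
    $ski = if ($skiExt) { $skiExt.SubjectKeyIdentifier } else { $null }

    # CRL Distribution Points (OID 2.5.29.31). The guide leaves the CRL URL empty,
    # which means Entra ID performs no revocation checking for this CA; if the
    # certificate advertises a CRL, that URL can be entered instead.
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlUrls = @()
    if ($cdpExt) {
        $crlUrls = @([regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    if (-not $isSelfSigned) { Write-Warning 'Certificate is not self-signed: it is not a root CA. Check that you exported the root, not an intermediate.' }
    if (-not $isCa)         { Write-Warning 'Basic Constraints does not assert CA=TRUE: this is not a CA certificate.' }
    if (-not $validNow)     { Write-Warning 'Certificate is not currently within its validity period.' }

    [pscustomobject]@{
        File         = $fullPath
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        SubjectKeyId = $ski
        IsSelfSigned = $isSelfSigned
        IsCa         = $isCa
        ValidNow     = $validNow
        CrlUrls      = $crlUrls
    }
}

# Example invocation (hypothetical path):
Test-RootCaCertificate -Path 'C:\Temp\hideez-root.cer' | Format-List
```

If `IsSelfSigned` or `IsCa` is false, the wrong file was exported; upload only a certificate for which both are true, and keep the reported `Thumbprint` and `SubjectKeyId` to confirm the CA entry in the admin center after step 5.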

### **3. Set Up Certificate-Based Authentication (CBA)**

Allow users to sign in without a password using a certificate issued by Hideez Enterprise Server and the Hideez Authenticator app.

1. **Create a User Group**
   * Go to: `Users → Groups`
   * Create a **Security Group** (e.g., "Smartcard logon").
   * Add users who will authenticate via Hideez Authenticator.
2. **Enable Certificate-Based Authentication for the Group**

* Navigate to: `Protection → Authentication Methods → Certificate-Based Authentication`

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FF0b4Enq6aVmg1U5STvub%2Fimage.png?alt=media&#x26;token=f8de8cff-da70-4c91-9d27-b9035e4f40da" alt=""><figcaption></figcaption></figure>

* Click **Add Group**

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FrGi3bWpbUa02TykXvmQ2%2Fimage.png?alt=media&#x26;token=194498e2-c31d-4ea9-b3cc-204ca338f123" alt=""><figcaption></figcaption></figure>

* Enable the method and add the created group

3. **Configure Authentication Binding**

* Select the group and click **Configure**

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FYuArwMFlwkZufRkGCmwM%2Fimage.png?alt=media&#x26;token=2b0b35bd-6b4a-486a-975e-e4edb9e48132" alt=""><figcaption></figcaption></figure>

* Set up **Authentication binding** as follows. This setting determines the protection level (single-factor or multi-factor) that Entra ID assigns to certificates issued by the CA:

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FKaks9oNHPYoa4JQ8w5MP%2Fimage.png?alt=media&#x26;token=1f9803ef-f928-4100-bbe7-c1d2363b0679" alt="" width="563"><figcaption></figcaption></figure>

4. Set up **Username Binding** as follows. Rules are evaluated in order, so the `PrincipalName` rule is tried first and `RFC822Name` serves as the fallback:

* Click **Add rule** → Certificate field: `PrincipalName`
* Click **Add rule** → Certificate field: `RFC822Name`

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FOf5zcU9pyTyqekCQ0fWg%2Fimage.png?alt=media&#x26;token=5ab8c8a1-24dd-4287-bb3d-7e84b34b3e5a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FbWQHqvmlZg4JkmwHmgJD%2Fimage.png?alt=media&#x26;token=5c306497-f894-45e8-af50-3fd0f618c5f9" alt=""><figcaption></figcaption></figure>

This maps the user principal name or email address carried in the certificate's Subject Alternative Name to the Entra ID account, which is why the user must have the same email address in Hideez Enterprise Server and Entra ID.

5. **Enable Multi-Factor Authentication (Optional)** If your tenant's security policy (for example a Conditional Access policy) requires MFA, make sure it can be satisfied for this group: either set the authentication binding protection level to multi-factor so the certificate itself counts as MFA, or ensure the users have another MFA method registered.

{% hint style="info" %}
More details: [How to: Enable CBA on the tenant (Microsoft)](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication#step-2-enable-cba-on-the-tenant)
{% endhint %}

### 4. Create a Passwordless Login Account

1. Sign in to the Entra ID account on the workstation.
2. Launch **Hideez Client** → Go to: `Mobile → Passwordless Authorization`
3. Scan the QR code with the **Hideez Authenticator** app.
4. The app will create a passwordless login account.

From now on, you can log in without entering a password.
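To check that the certificate enrolled in step 4 can actually be matched by the username binding rules from step 3, the following PowerShell function (an added example, not Hideez or Microsoft code) lists the smart card logon certificates in the current user's personal store, extracts the `PrincipalName` and `RFC822Name` values from the Subject Alternative Name, and reports which rule would match the expected UPN. The function name, the `-ExpectedUpn` value and the assumption that the certificate has been propagated to `Cert:\CurrentUser\My` are illustrative; the function models the rule order described in step 3 locally rather than calling Entra ID.

```powershell
# Added example (not from the Hideez documentation): verify that the logon
# certificate enrolled in step 4 exposes a PrincipalName (UPN) or RFC822Name
# (email) that the username binding rules from step 3 can match. It mirrors
# the rule order (PrincipalName first, then RFC822Name) and does not call
# Entra ID. Assumptions: the certificate is in the current user's personal
# store and carries the Smart Card Logon EKU; the UPN below is an example.

function Test-SmartCardLogonCertificate {
    param(
        # The user's UPN / email as it exists in Entra ID (example value in the call below).
        [Parameter(Mandatory)]
        [string]$ExpectedUpn,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip certificates that are not usable for smart card logon.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { continue }
        $hasLogonEku = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonEku }
        if (-not $hasLogonEku) { continue }

        # Subject Alternative Name (OID 2.5.29.17), rendered by Windows as text such as
        #   Other Name:
        #        Principal Name=alice@contoso.com
        #   RFC822 Name=alice@contoso.com
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

        $principalName = [regex]::Match($sanText, 'Principal Name=([^\s,]+)').Groups[1].Value
        $rfc822Name    = [regex]::Match($sanText, 'RFC822 Name=([^\s,]+)').Groups[1].Value

        # Apply the rules in the configured order; the first match wins.
        # PowerShell's -eq is case-insensitive, and UPNs are not case-sensitive.
        $matchedBy = $null
        if ($principalName -and ($principalName -eq $ExpectedUpn)) {
            $matchedBy = 'PrincipalName'
        } elseif ($rfc822Name -and ($rfc822Name -eq $ExpectedUpn)) {
            $matchedBy = 'RFC822Name'
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ValidNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            HasPrivateKey = $cert.HasPrivateKey
            PrincipalName = $principalName
            RFC822Name    = $rfc822Name
            MatchedBy     = $matchedBy
        }
    }
}

# Example invocation (the UPN is a placeholder):
Test-SmartCardLogonCertificate -ExpectedUpn 'alice@contoso.com' | Format-List
```

A certificate whose `MatchedBy` is empty will not bind to the account even if it chains to the uploaded CA: compare `PrincipalName` and `RFC822Name` with the user's Entra ID UPN and correct the user's email address in Hideez Enterprise Server if they differ. `certutil -scinfo` additionally lists the smart card readers and certificates Windows itself sees, which confirms that the virtual smart card is present.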

### Additional: Offline Mode

If there is no internet connection, you can unlock the workstation using offline codes. These codes are generated in the Hideez Authenticator app, automatically updated after each successful online login, and stored in the workstation's TPM.

**How to use an offline code:**

1. On the lock screen, click “Unlock with offline code.”
2. In the Hideez Authenticator app:

   * Select the relevant account under the “Workstations” section.
   * Tap **Show Offline Code**.

   <figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FxMZ5JQ6Zzn9kg2Py6MpK%2Fimage.png?alt=media&#x26;token=638854a2-0671-4e15-9cd7-3d717a25bd29" alt="" width="296"><figcaption></figcaption></figure>
3. Enter the generated code on the PC to authenticate.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FroB2cyHDpKiKeiBQySom%2Fimage.png?alt=media&#x26;token=920d1e4b-0b61-4095-84e7-a17140018bd5" alt="" width="563"><figcaption></figcaption></figure>
