Hideez Authentication Service (EN)
  • Hideez Authentication Service for Enterprises
    • Release notes
    • Key features of the Hideez Authentication Service in 5 minutes
  • Quick Start Guides
    • Hideez Authenticator Mobile app guide
    • Hideez Key guide
    • Passkey guide
    • FIDO Security Key guide
      • Activation FIDO key and setting PIN code
    • Quick Start Guide for subscriptions
      • Hideez Security Key
      • Hideez Authenticator App
      • Passkeys
    • Guide for Hideez Enterprise Server on Cloud
      • Passkeys
      • Mobile app
      • Hideez Key
  • Use cases
    • Hideez Authenticator Mobile App
      • Passwordless PC login
      • Password-based PC login
      • SSO login to Webservises (FIDO2) via mobile app
        • Using Hideez Authenticator as your passwordless authentication method for SSO
      • Using Hideez Authenticator as your two-factor authentication method for SSO
      • OTP generation by Hideez Authenticator App for 2FA
      • RDP login by Hideez Authenticator App
      • Remote PC lock
    • Hideez Key
      • Proximity Lock
      • Proximity Unlock
        • Unlock PC by Hideez Dongle Touch (Tap-and-Go)
      • Proximity settings (guide for admin)
      • Automatic RDP Launch and Logon
      • Password manager and OTP generator
      • OTP manager for two-factor authentication
    • FIDO Security Key
      • SSO login to Web Servises via Hardware Key (FIDO2)
      • Passwordless PC Login to Entra ID (Azure AD).
      • Using Hideez Key as U2F security key for your two-factor authentication
      • Other vendors' hardware keys
    • Passkey
      • SSO login to Web Services (FIDO2) via Passkey and Hideez Server as Identity Provider
    • Emergency blocking of all computers
    • Employee's account disabling
  • Hideez Enterprise Server
    • Hideez Enterprise Server
    • Glossary
    • Hideez Server Architecture
    • Deployment
      • Database installation
        • MySQL on Windows
        • MySQL on Linux
        • Microsoft SQL Server on Windows
        • Microsoft SQL Server on Linux
      • HES deployment
        • Windows
        • Linux
        • Docker
        • Deployment without Internet access
        • Troubleshooting
      • HES update
        • Windows
        • Linux
        • Docker
      • Publishing on-premises HES for remote users
    • Administration
      • How to change the password for an administrator account?
      • How to recover a forgotten admin password?
      • Adding an admin account
      • Deleting an admin account
      • How to enable two-factor authentication at the Hideez Enterprise Server?
      • Authorization on the HES server via a FIDO key
      • Platform authentication on the HES server
      • Connecting Linux server to Active Directory
      • Setting Hideez Server parameters
      • Configuring DNS server
      • Setting up a Proxy for Mobile App Access to HES
      • How to create and set Hideez Key Access Profiles
      • How to manage companies and departments?
      • How to manage Positions?
      • Enable load balancing
      • Data Protection
    • Dashboard
      • Information about the server
      • Information about employees
      • Information about devices
      • Workstations Information
    • Employees
      • How to add an Employee?
      • Employees management
      • Employee management with Active Directory
    • Workstations
      • How to add and approve Workstations?
      • Workstations management
      • Workstation Profiles
      • Use Proximity Unlock Workstations
    • Hardware Vaults
      • How to add Hideez Key into the Server
      • Assign a key to the user
      • Remove the key from the Employee
      • Set a profile for a Hardware Vault
      • How to see an RFID code on the Employee key?
    • Accounts
      • Creating personal employee accounts
      • Creating shared employee accounts
      • Personal account management
      • Shared account management
      • Accounts backup and restore
      • How to work with the account template?
    • Keys Management
      • Keys Statuses
      • Transition to Reserved status
      • Keys Activation mechanism
      • Cancel issuance of Hideez Key (Reserved -> Ready)
      • Transition to Suspended status
      • Transition to Locked status
      • Transition to Deactivated status
      • Transition to Compromised status
      • Removing the Locked status
      • Wipe procedure
      • Delete key from Hideez Server
    • Audit
      • Workstation events
      • Workstation Sessions
      • Summaries
    • Single Sign On settings
      • How to get employee licenses
      • Enabling Single Sign-On (SSO) for Employees
      • User settings
    • Configuring SAML Protocol
    • Configuration OIDC (OpenID Connect)
  • Hideez Server Integration
    • Microsoft Entra ID
      • Import and Sync Users from Entra ID
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
    • Active Directory (On-Premises)
      • Import and Sync Users from Active Directory (On-Premises)
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
        • Active Directory (On-Premises) Access and Rights Delegation
    • SAML integration
      • ASA AnyConnect VPN
      • Citrix services
      • Fortinet services
      • GitHub Enterprise
      • GitLab on premises
      • Google Workspace
      • Microsoft Exchange for Authentication via SAML
        • ADFS Installation
      • Okta
      • Oracle Business Intelligence Enterprise Edition (OBIEE)
        • Step 1: Configure the Identity Provider — Hideez Enterprise Server (HES)
        • Step 2: Configure the Service Provider — Oracle Access Manager (OAM)
        • Step 3: Register Oracle Access Manager (OAM) in Hideez Enterprise Server (HES)
        • Step 4: Configure Directory Services and Web Infrastructure
        • Step 5: Configure Oracle Business Intelligence Enterprise Edition (OBIEE) for Single Sign-On (SSO)
    • Open ID Connect integration
      • Hideez Server as an External Authentication Method for Microsoft Entra ID via OIDC
      • OKTA (OIdC)
    • WS-Federation integration
      • Configure Exchange Outlook Web Application and Exchange Admin Center
  • Hideez Client App
    • Hideez Client deployment
      • Installation of the Hideez Client Application
      • Deploying Hideez Client MSI via GPO (Group Policy Object)
      • Configuration app
      • Uninstall Hideez Client app
      • Uninstalling via GPO
      • Upgrade Hideez Client
      • Downgrade Hideez Client
    • Application interface
      • General Settings
      • Logon settings
      • Aditional settings
      • Configuring hotkeys
    • Account management
      • Account creation
      • Editing an Existing Account
      • Deleting your account
    • Shortcuts
    • Remote Vault connection
    • Mobile Authenticator
  • Hideez Authenticator App
    • Quick overview
    • Admin guide
      • Setup for PC login scenario
        • Passwordless PC Login Setup
          • Configuring an Active Directory Certification Authority
          • Hideez Enterprise Server setup for passwordless login
          • Setting Up Passwordless Workstation Login with Entra ID
        • Password-based PC login Setup
      • Setup for SSO login scenario
    • User guide
      • Mobile App Primary Setup
      • App enrollment on Hideez Server
        • Enroll the application on Hideez Server for SSO
          • SSO enrollment (admin account)
          • SSO enrollment (user account)
        • PC Authorization Enrollment
          • Enrollment for Passwordless PC Authorization
            • Passwordless account re-enrollment
          • Enrollment for Password-based PC Authorization
            • Account roaming
      • Login with Hideez Authenticator
        • SSO login
        • PC login
          • Offline passwordless login
          • Login to the remote PC via RDP
      • PC lock
      • OTP generation
      • Software key disabling
        • PC logon disabling
        • SSO logon disabling
      • Service operations
  • Hideez Key (Enterprise Edition)
    • Hideez Key (Enterprise Edition)
    • Technical Specifications
      • Technical specifications Hideez Key 3
      • Technical specifications Hideez Key 4
    • Principles of operation
    • Device Layout
    • Battery maintenance
    • Hideez Key modes
    • How to update the Hideez Key (Enterprise) firmware
    • How to enter credentials with the Hideez Key
    • How to unlock PC
    • Key for Physical doors
  • Product Updates
    • Product updates
    • Hideez Enterprise Server updates
    • Hideez Key firmware updates
    • Hideez Client updates
    • Hideez Authenticator updates
  • API
    • Hideez Enterprise Server web API
  • FAQ
    • How-to's
      • How to add an Employee?
      • How to add personal user account on HES?
      • How to assign Hideez Key to a user?
      • How to activate Hideez Key?
      • How to unlock Hideez Key on HES?
      • How to unlock PC with Hideez Key?
      • How to setup proximity PC unlock?
      • How to use Hideez Key on remote PC?
      • How to enroll the Hideez Authentication app on HES for SSO?
      • How to login on HES with Hideez Authenticator?
      • How to enroll the Hideez Authentication app for PC login?
      • How to login to PC with Hideez Authenticator?
      • Enable QR Code Display for Hideez Authenticator on the Lock Screen of a Windows Remote Workstation
    • Hideez Client App
      • What do I do if I see the message "Connection failed. Trying to re-bond device"?
      • What do I do if the connection with the HES server cannot be established?
      • What should I do if the Password Manager menu item is not displayed?
    • Hideez Enterprise Server
      • How to view logs at Hideez Enterprise Server?
    • Setting Up Gmail with HES
    • Hideez Authenticator
      • QR code is not displayed at the credential provider on my PC
      • I have registered successfully but cannot login
      • What do I do if I changed domain and cannot login now
      • Does the Hideez App collect or transmit data from the phone to third parties or services?
    • Hideez Key
      • What physical conditions are dangerous for the Hideez Key?
      • Is the Hideez Key allowed on planes?
      • How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
  • Documentation portal
Powered by GitBook
On this page
  • Overview
  • Use Case
  • Prerequisites
  • Step 1: Prepare Microsoft Entra ID Groups
  • Step 2: Register an Application in Microsoft Entra ID
  • Step 3: Generate a Client Secret
  • Step 4: Assign API Permissions
  • Step 5: Configure Integration on the Hideez Server Side
  • Step 6: Enable SSO on Hideez Server for Imported Users
  • Step 7: Import Users into Hideez Server

Was this helpful?

  1. Hideez Server Integration

Microsoft Entra ID

Overview

Integrating Hideez Server with Microsoft Entra ID allows organizations to automate user management, enable secure Single Sign-On (SSO), and perform remote password rotation. This integration improves security and reduces administrative overhead.

Key benefits:

  • User Import: Automatically sync users from Microsoft Entra ID into Hideez Server based on group membership.

  • SSO Enablement: Users can log in to Windows workstations via Hideez Keys or mobile apps using Entra ID credentials — without entering passwords.

  • Password Management: Passwords of selected users can be automatically rotated in Entra ID. This requires that users belong to a specific group and have a Hideez Key assigned.

Use Case

  1. The administrator creates user groups in Entra ID and adds target users who will later be imported to Hideez Server.

  2. An application is registered in Entra ID to establish a connection with Hideez Server.

  3. API permissions are granted to allow user import and password management.

  4. The administrator configures integration settings on the Hideez Server side and synchronizes users.

  5. An invite is sent to users via email.

  6. Each user opens the invite and selects a preferred sign-in method.

  7. The user can then authenticate into integrated web services via SSO and log in to Windows PCs. This allows seamless access to both web applications and Windows workstations with a unified, passwordless experience.

There are two available integration modes:

  1. User import only — synchronizing Entra ID users to Hideez Server for authentication and SSO.

  2. User import with automatic password rotation — Hideez Server periodically updates Entra ID passwords for selected users.

    • This scenario requires using a Hideez Key.

    • After the import and password change:

      • The user’s password is updated in their Entra ID account.

      • A corresponding user account is automatically created in Hideez Server with the new password.

      • This account and its password are automatically copied to the Hideez Key once it’s connected to the user's workstation.

Note: If you plan to use only the Hideez Key for proximity-based PC lock/unlock without accessing web services via SSO, enabling SSO is not required.

Prerequisites

Before starting integration, ensure the following:

  • Admin access to both Microsoft Entra ID and Hideez Server.

  • An active Microsoft Entra ID tenant.

  • Permission to register applications in Entra ID.

  • Hideez Server is accessible over HTTPS.

Step 1: Prepare Microsoft Entra ID Groups

To control user synchronization and password management, create the following groups in Microsoft Entra ID:

  1. Hideez Users Sync Add to this group all users who should be imported into Hideez Server.

  2. Hideez Key Auto Password Change (optional) Add to this group users whose passwords should be automatically rotated via Hideez Server using the Hideez Key. These users must also be members of Hideez Users Sync.

Step 2: Register an Application in Microsoft Entra ID

  2. Navigate to Azure Active Directory → App registrations.

  3. Click New registration and fill out the form:

    • Name: Hideez Server Integration

    • Supported account types: Single tenant

    • Redirect URI (optional): Leave empty or set later

  4. Click Register.

  5. On the app’s Overview page, copy:

    • Application (Client) ID

    • Directory (Tenant) ID

Step 3: Generate a Client Secret

  1. In the app registration, go to Certificates & secrets.

  2. Click New client secret → set a description and expiration.

  3. Click Add.

  4. Copy the generated value from the Value column — this is your Client Secret.

Step 4: Assign API Permissions

  1. Go to API permissions → Add a permission → Microsoft Graph.

  2. Choose Application permissions.

  1. Add the following permissions:

For user import:

  • User.Read.All

  • Group.Read.All

  • Domain.Read.All (or use Directory.Read.All as a more general alternative)

For password management:

  • User.ReadWrite.All

  • User-PasswordProfile.ReadWrite.All

These permissions allow Hideez Server to change passwords directly in Microsoft Entra ID accounts. Passwords will be updated automatically based on the interval specified in Auto Password Change (days) in Hideez Server.

  1. Click Grant admin consent to apply all permissions.

Step 5: Configure Integration on the Hideez Server Side

  1. Log in to the Hideez Server admin panel.

  2. Go to Settings → Parameters and click Add Domain Settings.

  3. Select the Azure Active Directory option.

  4. Fill in the form with the values from previous steps:

    • Domain – your Microsoft Entra domain (e.g., yourcompany.onmicrosoft.com)

    • Application ID – Client ID from app registration

    • Client Secret – value from Step 3

    • Tenant ID – Directory ID

    • Auto Password Change (days) – e.g., 28 (optional)

    • Behavior when removing a user from a sync group:

      • Keep – The user remains on the Hideez Server after being removed from the synchronization group. SSO login and PC unlock remain available.

        Deactivate – The user is deactivated but not deleted. SSO login is disabled, while PC unlock remains available. Reactivation must be done manually by an administrator.

        Delete – The user is permanently removed from the Hideez Server. Both SSO login and PC unlock become unavailable.

  5. Click Save.

Note: After saving, login credentials will be hidden for security reasons.

Step 6: Enable SSO on Hideez Server for Imported Users

You can enable SSO for all imported users from Entra ID at once during the import process, or leave the setting disabled and activate SSO individually for specific users in their profile.

To enable SSO behavior for all users imported from Entra ID:

  1. Navigate to Settings → Parameters → Active Directory, choose your Entra ID integration, then open Default Single Sign-On Settings.

  2. Click Edit.

  1. Enable the SSO option and choose the appropriate login method:

  • Passwordless login via the Hideez Authenticator app, Hideez Key, or passkey.

  • Login with username and password plus a second factor (Hideez Authenticator app, Hideez Key, passkey, or OTP).

This allows users to:

  • Sign in to Hideez Server with their Entra ID credentials.

  • Access third-party services via Hideez Server using standard SSO protocols (SAML, OIDC, WS-Fed).

  • Unlock their workstations using passwordless methods via the Hideez Authenticator app.

Note: In this section, you can also download the certificate required for configuring Workstation Passwordless Logon Settings, which are necessary for enabling passwordless Windows PC login on machines joined to Entra ID.

Step 7: Import Users into Hideez Server

  1. Navigate to Users → Import from AD.

  2. Hideez Server will retrieve and list users from the Hideez Users Sync group in Entra ID.

  3. Select and import the desired users into the server.

Notes

  • Password rotation will only apply to users in the Hideez Key Auto Password Change group.

  • For hybrid infrastructure, enable Microsoft Entra password writeback.

  • For Linux environments, ensure that the server is joined to the Active Directory domain.

  • Removing Entra ID credentials from Hideez Server will disable all sync functionality.

  • Multiple domains can be added — each is managed independently.

PreviousConfiguration OIDC (OpenID Connect)NextImport and Sync Users from Entra ID

Last updated 6 days ago

Was this helpful?

Log in to the .

More details about passwordless Windows PC login are available at the following link: .

Microsoft Entra admin portal
Learn more