Microsoft Entra ID
Overview
Integrating Hideez Server with Microsoft Entra ID allows organizations to automate user management, enable secure Single Sign-On (SSO), and perform remote password rotation. This integration improves security and reduces administrative overhead.
Key benefits:
User Import: Automatically sync users from Microsoft Entra ID into Hideez Server based on group membership.
SSO Enablement: Users can log in to Windows workstations via Hideez Keys or mobile apps using Entra ID credentials — without entering passwords.
Password Management: Passwords of selected users can be automatically rotated in Entra ID. This requires that users belong to a specific group and have a Hideez Key assigned.
Use Case
The administrator creates user groups in Entra ID and adds target users who will later be imported to Hideez Server.
An application is registered in Entra ID to establish a connection with Hideez Server.
API permissions are granted to allow user import and password management.
The administrator configures integration settings on the Hideez Server side and synchronizes users.
An invite is sent to users via email.
Each user opens the invite and selects a preferred sign-in method.
The user can then authenticate into integrated web services via SSO and log in to Windows PCs. This allows seamless access to both web applications and Windows workstations with a unified, passwordless experience.
There are two available integration modes:
User import only — synchronizing Entra ID users to Hideez Server for authentication and SSO.
User import with automatic password rotation — Hideez Server periodically updates Entra ID passwords for selected users.
This scenario requires using a Hideez Key.
After the import and password change:
The user’s password is updated in their Entra ID account.
A corresponding user account is automatically created in Hideez Server with the new password.
This account and its password are automatically copied to the Hideez Key once it’s connected to the user's workstation.
Prerequisites
Before starting integration, ensure the following:
Admin access to both Microsoft Entra ID and Hideez Server.
An active Microsoft Entra ID tenant.
Permission to register applications in Entra ID.
Hideez Server is accessible over HTTPS.
Step 1: Prepare Microsoft Entra ID Groups
To control user synchronization and password management, create the following groups in Microsoft Entra ID:
Hideez Users Sync Add to this group all users who should be imported into Hideez Server.
Hideez Key Auto Password Change (optional) Add to this group users whose passwords should be automatically rotated via Hideez Server using the Hideez Key. These users must also be members of Hideez Users Sync.
Step 2: Register an Application in Microsoft Entra ID
Navigate to Azure Active Directory → App registrations.
Click New registration and fill out the form:
Name: Hideez Server Integration
Supported account types: Single tenant
Redirect URI (optional): Leave empty or set later
Click Register.
On the app’s Overview page, copy:
Application (Client) ID
Directory (Tenant) ID
Step 3: Generate a Client Secret
In the app registration, go to Certificates & secrets.
Click New client secret → set a description and expiration.
Click Add.
Copy the generated value from the Value column — this is your Client Secret.
Step 4: Assign API Permissions
Go to API permissions → Add a permission → Microsoft Graph.
Choose Application permissions.
Add the following permissions:
For user import:
User.Read.All
Group.Read.All
Domain.Read.All
(or useDirectory.Read.All
as a more general alternative)
For password management:
User.ReadWrite.All
User-PasswordProfile.ReadWrite.All
Click Grant admin consent to apply all permissions.
Step 5: Configure Integration on the Hideez Server Side
Log in to the Hideez Server admin panel.
Go to Settings → Parameters and click Add Domain Settings.
Select the Azure Active Directory option.
Fill in the form with the values from previous steps:
Domain – your Microsoft Entra domain (e.g.,
yourcompany.onmicrosoft.com
)Application ID – Client ID from app registration
Client Secret – value from Step 3
Tenant ID – Directory ID
Auto Password Change (days) – e.g., 28 (optional)
Behavior when removing a user from a sync group:
Keep – The user remains on the Hideez Server after being removed from the synchronization group. SSO login and PC unlock remain available.
Deactivate – The user is deactivated but not deleted. SSO login is disabled, while PC unlock remains available. Reactivation must be done manually by an administrator.
Delete – The user is permanently removed from the Hideez Server. Both SSO login and PC unlock become unavailable.
Click Save.
Step 6: Enable SSO on Hideez Server for Imported Users
You can enable SSO for all imported users from Entra ID at once during the import process, or leave the setting disabled and activate SSO individually for specific users in their profile.
To enable SSO behavior for all users imported from Entra ID:
Navigate to Settings → Parameters → Active Directory, choose your Entra ID integration, then open Default Single Sign-On Settings.
Click Edit.
Enable the SSO option and choose the appropriate login method:
Passwordless login via the Hideez Authenticator app, Hideez Key, or passkey.
Login with username and password plus a second factor (Hideez Authenticator app, Hideez Key, passkey, or OTP).
This allows users to:
Sign in to Hideez Server with their Entra ID credentials.
Access third-party services via Hideez Server using standard SSO protocols (SAML, OIDC, WS-Fed).
Unlock their workstations using passwordless methods via the Hideez Authenticator app.
Step 7: Import Users into Hideez Server
Navigate to Users → Import from AD.
Hideez Server will retrieve and list users from the Hideez Users Sync group in Entra ID.
Select and import the desired users into the server.
Last updated
Was this helpful?