# SSO Between Windows User Account with Hideez Authenticator app and Office 365

## Use Case:

A user logs into a Windows 10/11 workstation using their Entra ID or Active Directory (AD) account via a QR code and the Hideez Authenticator mobile application (Android or iOS). The user then accesses Outlook on the web through Microsoft Edge and is automatically signed in to their mailbox without needing to re-authenticate.

Note: If the Office 365 login policy requires Multi-Factor Authentication (MFA), a second factor will still be prompted.

## Prerequisites

* Windows 10/11 workstation with Secure Boot and TPM 2.0 enabled
* Workstation joined to the AD domain (for a hybrid scenario)
* If joined to an AD domain, hybrid identity with Entra ID must be properly configured

## Configuration Steps

### 1. Workstation Joined to Entra ID

1. Create a user account in Entra ID
2. Register the workstation with the Entra ID account:
a. On the workstation, go to **Settings → Accounts → Access work or school**<br>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdxx-I7Yvn1SiV_zQsetVKlVZwWtUE47IJ9qWW3vqEXanYjQL7KKHby5iLuJTCFBlJ0kqaaeDJQskUd6oWTXHJ0Mtr4unyNGOO_0SouqlUN277y7qkQXpoBrVWdejNzOOH9ViL_-fHGQRCKXcKrI5w?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

b. Click the plus (+) button and enter the Entra ID account credentials<br>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcDLiDSkL1zsNqPK-siZvcYaNzTmuScDvpWohqTb4I-7DsuYunoRWBgtDIdrHQ_FZJKmxJ5dv1ik9aeON7Ik8euBjtG7xO7Xg5O43VJTHmF0TCsdg9MXeSpz8Yb_uHYysRGBb8lT6In18BtwtUGJVE?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="375"><figcaption></figcaption></figure>

c. Restart the workstation and log in using the Entra ID account

d. Open Microsoft Edge and test SSO with Office 365

e. Set up the Hideez Client to allow login via QR code under the Entra ID account<br>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdXw2VsotX61viDZqzVgJZRcWlezXF68h72GoQ-PJ6Ulmr7uFXfFtg92SXoHBYcJcoRnxzHP--ZGSe79JdEa5F1xScYc9K0Uw5vRQbyZduLkWPLjKXSYCRc6NHxqkrAb0-2LpSu4q62GneC81lDNP0?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

f. Re-test Office 365 SSO in Microsoft Edge

### 2. Workstation Joined to Active Directory (AD)

#### a. Configure hybrid identity with Entra Connect:

* Deploy Entra Connect Sync on the domain controller
* Set up synchronization of users and groups

#### b. Enable device synchronization in Entra Connect Sync<br>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeXOPe005ITRXDcNI6qhzOYLZ_eyzyGzFRpZxQpHyJvTOJmRLZ09dR2n2ydRntlqhHOwSauHC31X2R9_eb7aUpCfKE7cGoZQpu4CMeSLpd-N6vHpB-6j78FZvBO84MvpyOvtcrONV9JR5KFyGNDNsY?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcEn4rp8TZXYiSmaEkqHQ1Ne85Pmo9y0U92EiJBNCu4mWw93AJ-gsPPjgKOjx7aKFcLwr0U1gmnRFsgsGiBPXhuFbR8_3Vf5zD_7G-JN2c1rGuYaBH12D1EniunImiXO3MzBp1EL6qjuLOVKPYWYL8?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfVq83kDyMpzEMhImGuLfYBTZCuGrYbBqnydToXh1gzTGmGaziw24zdwuer5IAMk7OwqofRSGE5_gwX75JTXIW8okv--YUbaqHQn2swSlXOni220UU54c67j5cIgC8EC9hPLxu6Nw6bMtH3fX2rAsc?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf9O707rFS6IeHchw4ZRfLBCr4QTBaxiEwr6Rmqz1W05z6747HDrTS94saxi5f-yuBEkxtbYo_v_PMX-AzdOh_cuyi0Au_H30Z91lku3m5jWKczAiS-QL-ZEhpdXpTs-OdRqw033hI0-UVimabv0S4?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdjRkh4ZRgJLmZ9FXVNsbjn9tAJh-oOpeSi3zB67xbZU1MI9kCqiFtXjZzopIRpWp1ypLhv5e1nNUPP0iXrupJuzI5GPQZ-8i-2xUxTgQmH2_I7pDnuoeKWih3V6WaO1OHDRKPIDlmguaTKI733Le4?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

In the **Microsoft Entra admin center**, check that the status of “Seamless single sign-on” is “**Enabled**”.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXebEH797W1_0P9_1vGvR0HrBcnpxe2REyAQeBha92QpS-4aplkBnRNd6zb9PF-Ojx8UzXHi8MYGbbBe-sh6La5AzjxRPvV-5uyrMGfmNXmtF3V-rBSVh1EGGloIpp5n-lBcDd6JDH1YWOyF6HgZVVA?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

#### c. Set Group Policy on the workstation to enable automatic device registration with Entra ID.

Run **Local Group Policy Editor** and navigate to **Computer Configuration > Administrative Templates > Windows Components > Device Registration**

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXetGjRSdi6aBmQlWpgVDliURtDSy-60FKeZjlfmNokXkxmbefUABQ2QglILvO7fpLAFMh9SQZSAEfwysTpDHQqBb4CpUvaun-HFxYvWTo2wIGRq67X_l_5ldUXm9kMglnvq4a-cUBWST1ADWXNmpjM?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** Device registration may take time or fail due to various issues. Troubleshooting may require log analysis and use of the following commands:

* `dsregcmd /status` - Look for AzureAdJoined to be set to YES
* `dsregcmd /debug /leave`
{% endhint %}

Entra ID device registration is essential for SSO. Issues with TPM or Secure Boot can also prevent successful registration. Manual registration is also possible (refer to Step 1b).

The device registration can also be checked in the corresponding user's profile in Entra ID.
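The checks above can be scripted. The following PowerShell is an added read-only diagnostic (not part of the Hideez documentation) that verifies the Secure Boot and TPM 2.0 prerequisites and parses `dsregcmd /status` for the fields that decide whether browser SSO will work; it assumes the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `DeviceId` and `TenantName` as printed by `dsregcmd`, and that `Win32_Tpm.SpecVersion` starts with `2.0` on a TPM 2.0 device. Run it in an elevated PowerShell session as the user whose SSO is being tested, since the Primary Refresh Token (PRT) is per user.

```powershell
# Added example, not the project's own code. Read-only diagnostic for the
# Entra ID device registration and SSO prerequisites described on this page.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    # Lines without a single-token key (section banners, "+---+" rules) are skipped.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-SsoPrerequisites {
    $findings = @()

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as disabled.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    if (-not $secureBoot) { $findings += 'Secure Boot is not enabled' }

    # TPM: presence/readiness from Get-Tpm, spec version from the Win32_Tpm CIM class
    # (assumption: SpecVersion is reported as "2.0, ..." on a TPM 2.0 device).
    $tpm = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) { $findings += 'TPM not present or not ready' }
    elseif ($tpmCim.SpecVersion -notmatch '^2\.0') { $findings += "TPM spec version is $($tpmCim.SpecVersion), expected 2.0" }

    # Device registration and SSO state as reported by dsregcmd.
    $s = Get-DsregStatus
    if ($s['AzureAdJoined'] -ne 'YES') { $findings += 'AzureAdJoined is not YES: device registration incomplete' }
    if ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -ne 'YES') {
        $findings += 'Hybrid join pending: check Entra Connect device sync and the Device Registration GPO'
    }
    if ($s['AzureAdPrt'] -ne 'YES') { $findings += 'No PRT for this user: Edge will prompt for credentials at Office 365' }

    [pscustomobject]@{
        TenantName    = $s['TenantName']
        DeviceId      = $s['DeviceId']
        AzureAdJoined = $s['AzureAdJoined']
        AzureAdPrt    = $s['AzureAdPrt']
        Findings      = $findings
    }
}

Test-SsoPrerequisites | Format-List
```

An empty `Findings` list means registration and the PRT are in place; otherwise each finding points at the step on this page to revisit.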

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcD6Bs7CTXGp1VQuE1SiJNLU3IEIxkyGHhNM5qfUtY_Gqa_LFSWfLvzef_HfZgaKg2Vsris3i1bHeJNBlD0DPwOR8zt_RCp0veoyOXCIwLOqDsvP-nnZ7fY4u1cMfPkB1jizo2dxfeEM1I96flJ4XM?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

#### d. Disable MFA for the Entra ID account (if seamless login is required without a second factor)

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd9qPy7upRcwYOBuIsG0u2YVeNyUa5OGUYyPB8vO_q6sR_YCpoKTSdQroyy2wk13OeWH-V9LengJk6UtMz837TcAmpXVjbeu_bsC3yx6m-NLXtMm5d6O_k6NWaUhW2YpIQCcfRlTRLjZ-JwBCfvIg?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

#### e. Test Office 365 SSO in Microsoft Edge
