
# SSO Between Windows User Account with Hideez Authenticator app and Office 365

## Use Case:

A user logs into a Windows 10/11 workstation using their Entra ID or Active Directory (AD) account via a QR code and the Hideez Authenticator mobile application (Android or iOS). The user then accesses Outlook on the web through Microsoft Edge and is automatically signed in to their mailbox without needing to re-authenticate.

Note: If the Office 365 login policy requires Multi-Factor Authentication (MFA), a second factor will still be prompted.

## Prerequisites

* Windows 10/11 workstation with Secure Boot and TPM 2.0 enabled
* Workstation joined to the AD domain (for a hybrid scenario)
* If joined to an AD domain, hybrid identity with Entra ID must be properly configured

## Configuration Steps

### 1. Workstation Joined to Entra ID

1. Create a user account in Entra ID
2. Register the workstation with the Entra ID account:
   a. On the workstation, go to **Settings → Accounts → Access work or school**

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdxx-I7Yvn1SiV_zQsetVKlVZwWtUE47IJ9qWW3vqEXanYjQL7KKHby5iLuJTCFBlJ0kqaaeDJQskUd6oWTXHJ0Mtr4unyNGOO_0SouqlUN277y7qkQXpoBrVWdejNzOOH9ViL_-fHGQRCKXcKrI5w?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

b. Click the plus (+) button and enter the Entra ID account credentials

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcDLiDSkL1zsNqPK-siZvcYaNzTmuScDvpWohqTb4I-7DsuYunoRWBgtDIdrHQ_FZJKmxJ5dv1ik9aeON7Ik8euBjtG7xO7Xg5O43VJTHmF0TCsdg9MXeSpz8Yb_uHYysRGBb8lT6In18BtwtUGJVE?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="375"><figcaption></figcaption></figure>

c. Restart the workstation and log in using the Entra ID account

d. Open Microsoft Edge and test SSO with Office 365

e. Set up the Hideez Client to allow login via QR code under the Entra ID account

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdXw2VsotX61viDZqzVgJZRcWlezXF68h72GoQ-PJ6Ulmr7uFXfFtg92SXoHBYcJcoRnxzHP--ZGSe79JdEa5F1xScYc9K0Uw5vRQbyZduLkWPLjKXSYCRc6NHxqkrAb0-2LpSu4q62GneC81lDNP0?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

f. Re-test Office 365 SSO in Microsoft Edge

### 2. Workstation Joined to Active Directory (AD)

#### a. Configure hybrid identity with Entra Connect:

* Deploy Entra Connect Sync on the domain controller
* Set up synchronization of users and groups

#### b. Enable device synchronization in Entra Connect Sync

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeXOPe005ITRXDcNI6qhzOYLZ_eyzyGzFRpZxQpHyJvTOJmRLZ09dR2n2ydRntlqhHOwSauHC31X2R9_eb7aUpCfKE7cGoZQpu4CMeSLpd-N6vHpB-6j78FZvBO84MvpyOvtcrONV9JR5KFyGNDNsY?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcEn4rp8TZXYiSmaEkqHQ1Ne85Pmo9y0U92EiJBNCu4mWw93AJ-gsPPjgKOjx7aKFcLwr0U1gmnRFsgsGiBPXhuFbR8_3Vf5zD_7G-JN2c1rGuYaBH12D1EniunImiXO3MzBp1EL6qjuLOVKPYWYL8?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfVq83kDyMpzEMhImGuLfYBTZCuGrYbBqnydToXh1gzTGmGaziw24zdwuer5IAMk7OwqofRSGE5_gwX75JTXIW8okv--YUbaqHQn2swSlXOni220UU54c67j5cIgC8EC9hPLxu6Nw6bMtH3fX2rAsc?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf9O707rFS6IeHchw4ZRfLBCr4QTBaxiEwr6Rmqz1W05z6747HDrTS94saxi5f-yuBEkxtbYo_v_PMX-AzdOh_cuyi0Au_H30Z91lku3m5jWKczAiS-QL-ZEhpdXpTs-OdRqw033hI0-UVimabv0S4?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdjRkh4ZRgJLmZ9FXVNsbjn9tAJh-oOpeSi3zB67xbZU1MI9kCqiFtXjZzopIRpWp1ypLhv5e1nNUPP0iXrupJuzI5GPQZ-8i-2xUxTgQmH2_I7pDnuoeKWih3V6WaO1OHDRKPIDlmguaTKI733Le4?key=QU2iF3nmbgM2sAWJ_h6uCg" alt="" width="563"><figcaption></figcaption></figure>

In the **Microsoft Entra admin center**, check that the status of “Seamless single sign-on” is “**Enabled**”.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXebEH797W1_0P9_1vGvR0HrBcnpxe2REyAQeBha92QpS-4aplkBnRNd6zb9PF-Ojx8UzXHi8MYGbbBe-sh6La5AzjxRPvV-5uyrMGfmNXmtF3V-rBSVh1EGGloIpp5n-lBcDd6JDH1YWOyF6HgZVVA?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

#### c. Set Group Policy on the workstation to enable automatic device registration with Entra ID.

Run **Local Group Policy Editor** and navigate to **Computer Configuration > Administrative Templates > Windows Components > Device Registration**

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXetGjRSdi6aBmQlWpgVDliURtDSy-60FKeZjlfmNokXkxmbefUABQ2QglILvO7fpLAFMh9SQZSAEfwysTpDHQqBb4CpUvaun-HFxYvWTo2wIGRq67X_l_5ldUXm9kMglnvq4a-cUBWST1ADWXNmpjM?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** Device registration may take time or fail due to various issues. Troubleshooting may require log analysis and use of the following commands:

* `dsregcmd /status` - look for `AzureAdJoined` to be set to `YES`
* `dsregcmd /debug /leave`

{% endhint %}

Entra ID device registration is essential for SSO. Issues with TPM or Secure Boot can also prevent successful registration. Manual registration is also possible (refer to Step 1b).\
You can also check the device registration in the corresponding user profile in Entra ID.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcD6Bs7CTXGp1VQuE1SiJNLU3IEIxkyGHhNM5qfUtY_Gqa_LFSWfLvzef_HfZgaKg2Vsris3i1bHeJNBlD0DPwOR8zt_RCp0veoyOXCIwLOqDsvP-nnZ7fY4u1cMfPkB1jizo2dxfeEM1I96flJ4XM?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>
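The `dsregcmd /status` check from the note above can be scripted. The following is an added PowerShell example, not Hideez or Microsoft code: it parses the command output and reports the fields that matter for SSO. Besides `AzureAdJoined`, it reads `DomainJoined`, `TpmProtected` and `AzureAdPrt` (whether a Primary Refresh Token is present), which are fields of the same output not mentioned on this page; the function names are hypothetical and the sample output is constructed.

```powershell
# Added example. Function names are hypothetical; the sample output is constructed.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields are printed as "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-SsoReadiness {
    param([hashtable]$State, [switch]$Hybrid)
    $expected = [ordered]@{
        AzureAdJoined = 'YES'   # device is registered with Entra ID
        TpmProtected  = 'YES'   # device key is held in the TPM (see Prerequisites)
        AzureAdPrt    = 'YES'   # the signed-in user holds a Primary Refresh Token
    }
    # Section 2 (AD-joined workstation): the device must also be domain joined.
    if ($Hybrid) { $expected['DomainJoined'] = 'YES' }
    foreach ($field in $expected.Keys) {
        $actual = if ($State.ContainsKey($field)) { $State[$field] } else { '<not reported>' }
        [pscustomobject]@{
            Field    = $field
            Expected = $expected[$field]
            Actual   = $actual
            Pass     = ($actual -eq $expected[$field])
        }
    }
}

# Constructed sample: a hybrid-joined device whose user has no PRT yet.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
              TpmProtected : YES
                AzureAdPrt : NO
'@ -split "`r?`n"

# Use live output on a Windows workstation, otherwise fall back to the sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
Test-SsoReadiness -State (ConvertFrom-DsregStatus -Lines $lines) -Hybrid | Format-Table -AutoSize
```

Run it in the session of the user who logged in with the QR code, because `AzureAdPrt` is reported per user; drop `-Hybrid` for a workstation joined directly to Entra ID (section 1).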

#### d. Disable MFA for the Entra ID account (if seamless login is required without a second factor)

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd9qPy7upRcwYOBuIsG0u2YVeNyUa5OGUYyPB8vO_q6sR_YCpoKTSdQroyy2wk13OeWH-V9LengJk6UtMz837TcAmpXVjbeu_bsC3yx6m-NLXtMm5d6O_k6NWaUhW2YpIQCcfRlTRLjZ-JwBCfvIg?key=QU2iF3nmbgM2sAWJ_h6uCg" alt=""><figcaption></figcaption></figure>

#### e. Test Office 365 SSO in Microsoft Edge

