SSO Between Windows User Account with Hideez Authenticator app and Office 365

Use Case:

A user logs into a Windows 10/11 workstation using their Entra ID or Active Directory (AD) account via a QR code and the Hideez Authenticator mobile application (Android or iOS). The user then accesses Outlook on the web through Microsoft Edge and is automatically signed in to their mailbox without needing to re-authenticate.

Note: If the Office 365 login policy requires Multi-Factor Authentication (MFA), a second factor will still be prompted.

Prerequisites

Windows 10/11 workstation with Secure Boot and TPM 2.0 enabled
Workstation joined to the AD domain (for a hybrid scenario)
If joined to an AD domain, hybrid identity with Entra ID must be properly configured

Configuration Steps

1. Workstation Joined to Entra ID

Create a user account in Entra ID
Register the workstation with the Entra ID account:
1. On the workstation, go to Settings → Accounts → Access work or school

b. Click the plus (+) button and enter the Entra ID account credentials

c. Restart the workstation and log in using the Entra ID account

d. Open Microsoft Edge and test SSO with Office 365

e. Set up the Hideez Client to allow login via QR code under the Entra ID account

f. Re-test Office 365 SSO in Microsoft Edge

2. Workstation Joined to Active Directory (AD)

a. Configure hybrid identity with Entra Connect:

Deploy Entra Connect Sync on the domain controller
Set up synchronization of users and groups

b. Enable device synchronization in Entra Connect Sync

Check in the Microsoft Entra admin center status of “Seamless single sign-on” is “Enabled”

c. Set Group Policy on the workstation to enable automatic device registration with Entra ID.

Run Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration

Note: Device registration may take time or fail due to various issues. Troubleshooting may require log analysis and use of the following commands:

dsregcmd /status - Look for AzureAdJoined to be set to YES
dsregcmd /debug /leave

Entra ID device registration is essential for SSO. Issues with TPM or Secure Boot can prevent successful registration also. Manual registration is also possible (refer to Step 1b). It’s also possible to check the device registration in the appropriate user profile in Entra ID.

e. Test Office 365 SSO in Microsoft Edge

PreviousUsing Hideez Authenticator as your two-factor authentication method for SSO NextOTP generation by Hideez Authenticator App for 2FA

Last updated 6 months ago

hashtagUse Case:

hashtagPrerequisites

hashtagConfiguration Steps

hashtag1. Workstation Joined to Entra ID

hashtag2. Workstation Joined to Active Directory (AD)

hashtaga. Configure hybrid identity with Entra Connect:

hashtagb. Enable device synchronization in Entra Connect Sync

hashtagc. Set Group Policy on the workstation to enable automatic device registration with Entra ID.

hashtagd. Disable MFA for the Entra ID account (if seamless login is required without a second factor)

hashtage. Test Office 365 SSO in Microsoft Edge