SSO Between Windows User Account with Hideez Authenticator app and Office 365

Use Case:

A user logs into a Windows 10/11 workstation using their Entra ID or Active Directory (AD) account via a QR code and the Hideez Authenticator mobile application (Android or iOS). The user then accesses Outlook on the web through Microsoft Edge and is automatically signed in to their mailbox without needing to re-authenticate.

Note: If the Office 365 login policy requires Multi-Factor Authentication (MFA), a second factor will still be prompted.

Prerequisites

  • Windows 10/11 workstation with Secure Boot and TPM 2.0 enabled

  • Workstation joined to Entra ID, or joined to an AD domain (hybrid scenario)

  • If joined to an AD domain, hybrid identity with Entra ID must be properly configured

Configuration Steps

1. Workstation Joined to Entra ID

  1. Create a user account in Entra ID

  2. Register the workstation with the Entra ID account:

    a. On the workstation, go to Settings → Accounts → Access work or school

b. Click the plus (+) button and enter the Entra ID account credentials

c. Restart the workstation and log in using the Entra ID account

d. Open Microsoft Edge and test SSO with Office 365

e. Set up the Hideez Client to allow login via QR code under the Entra ID account

f. Re-test Office 365 SSO in Microsoft Edge

2. Workstation Joined to Active Directory (AD)

a. Configure hybrid identity with Entra Connect:

  • Deploy Entra Connect Sync on the domain controller

  • Set up synchronization of users and groups

b. Enable device synchronization in Entra Connect Sync

In the Microsoft Entra admin center, confirm that the status of “Seamless single sign-on” is “Enabled”.

c. Set Group Policy on the workstation to enable automatic device registration with Entra ID.

Run Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration, then enable “Register domain joined computers as devices”.

Note: Device registration can take time (it runs from a scheduled task after the policy applies) or fail for a number of reasons. Troubleshooting may require log analysis and the following commands, run from an elevated prompt:

  • dsregcmd /status - For a hybrid-joined workstation, both AzureAdJoined and DomainJoined must be YES; TenantName should show the expected Entra ID tenant

  • dsregcmd /debug /leave - Removes the current registration so the workstation can register again (after a reboot or the next scheduled run)

Entra ID device registration is essential for SSO. Problems with the TPM or Secure Boot can also prevent registration from completing. Manual registration is also possible (see Step 1b). The device should also appear under the user's profile, and under Devices, in the Microsoft Entra admin center.
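The following PowerShell script is an added diagnostic for this page; it is not part of the Hideez documentation or the Hideez Client. It checks the prerequisites listed above (Secure Boot, TPM 2.0) and the registration state that dsregcmd reports, so the checks in the troubleshooting note can be run in one pass. It assumes dsregcmd.exe is on PATH (it ships with Windows 10/11) and that the “Register domain joined computers as devices” policy writes the autoWorkplaceJoin value under the WorkplaceJoin policy key used below. Run it in an elevated PowerShell session on the workstation.

```powershell
# Added diagnostic script (not part of the Hideez documentation).
# Assumptions: dsregcmd.exe is on PATH; the Group Policy
# "Register domain joined computers as devices" sets
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin = 1.

function Get-DsregField {
    param(
        [Parameter(Mandatory)] [string[]] $StatusOutput,
        [Parameter(Mandatory)] [string]   $Name
    )
    # dsregcmd /status prints "Name : VALUE" lines; return VALUE or $null.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $StatusOutput) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$status = & dsregcmd.exe /status 2>&1
$checks = [ordered]@{}

# Hardware prerequisites: Secure Boot and TPM 2.0.
# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
try   { $checks['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['SecureBoot'] = $false }

$tpm = Get-Tpm
$checks['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$specVersion = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                -ClassName Win32_Tpm).SpecVersion
$checks['Tpm2.0'] = [bool]($specVersion -match '^2\.0')

# Device registration state from dsregcmd.
$checks['AzureAdJoined'] = (Get-DsregField $status 'AzureAdJoined') -eq 'YES'
$checks['DomainJoined']  = (Get-DsregField $status 'DomainJoined')  -eq 'YES'
$checks['TenantName']    = Get-DsregField $status 'TenantName'

# Group Policy for automatic registration (step c above).
$gpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$auto = (Get-ItemProperty -Path $gpPath -Name autoWorkplaceJoin `
         -ErrorAction SilentlyContinue).autoWorkplaceJoin
$checks['AutoRegistrationPolicy'] = ($auto -eq 1)

$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

# Remediation hint from the troubleshooting note: reset and let the
# registration task (or a reboot) retry.
if (-not $checks['AzureAdJoined']) {
    Write-Warning 'Not registered with Entra ID. To reset: dsregcmd /debug /leave (elevated), then reboot.'
}
```

On an Entra-joined (non-hybrid) workstation, DomainJoined is expected to be NO and the policy check can be ignored; the remaining rows should all read True before testing SSO in Edge.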

d. Disable MFA for the Entra ID account only if seamless login without a second factor is required. This lowers sign-in assurance for the account; where possible, prefer a Conditional Access policy that accepts sign-in from a hybrid-joined or compliant device in place of the second factor, rather than removing MFA from the account altogether.

e. Test Office 365 SSO in Microsoft Edge
