Skip to main content
Version: 10.7.0

Environment Setup Overview

Choose the environment setup that matches your domain and device architecture. This page explains the two supported environment types for deploying Enterprise Passkey with HYPR Passkey.

Important: Core Enterprise Passkey Setup is the Same

The core Enterprise Passkey setup process is identical for both Entra-only and Hybrid environments. Both require:

  • Microsoft Entra ID tenant with verified domains and users
  • HYPR Control Center™ integration with Entra (app registration, API permissions)
  • Required feature flags enabled (e.g., FIDO2_MOBILE_AUTHENTICATOR, AZURE_PROVISION_API)
  • FIDO2/Enterprise Passkey authentication enabled in Entra
  • Device and user registration via HYPR mobile app

The only difference is how Windows workstations are joined to your domain:

Entra-only Environment

Use this path for cloud-first environments with Windows devices joined directly to Microsoft Entra ID (formerly Azure AD), without on-premises Active Directory or PKI dependencies.

  • Device Join Type: Azure AD Join (direct to Entra)
  • User Account Type: Cloud-only Entra accounts
  • Device Join Process: Join directly to Entra via Settings > Accounts > Access work or school
  • Infrastructure: No on-prem AD, PKI or Kerberos requirements
  • Best for: Simpler deployments and cloud-managed fleets

Go to Entra-only Administrator Setup →

Hybrid Environment

Use this path for environments that include on-premises Active Directory, where devices are hybrid-joined to Entra ID and require certificate/Kerberos support.

  • Device Join Type: Hybrid Azure AD Join (on-prem AD + Entra via Azure AD Connect)
  • User Account Type: Hybrid accounts (synced from AD) or cloud-only accounts
  • Device Join Process: Join to on-prem AD first, then configure Hybrid Azure AD Join via Azure AD Connect
  • Infrastructure: On-prem AD with Azure AD Connect; Kerberos and certificate considerations
  • Best for: Enterprises integrating existing AD with Entra

Go to Hybrid Administrator Setup →

Setup Order

For Entra-only: Complete device join to Entra, then proceed with common Enterprise Passkey/HYPR integration steps.

For Hybrid: Complete hybrid join process first (Azure AD Connect setup, hybrid join configuration, device domain-join), then proceed with common Enterprise Passkey/HYPR integration steps.

What to do next

After completing your environment-specific device join setup, continue with the Administrator Configuration for the common HYPR Control Center™ integration and Enterprise Passkey setup steps.

Proceed to Administrator Configuration →