
Entra ID: HYPR Login Experience in CC

Overview

Integrating HYPR with Entra ID lets you access your organization's Entra ID-protected applications (such as Office 365) using HYPR's passwordless authentication instead of the standard username + password login.

Getting the HYPR Entra ID integration up and running requires the following basic steps:

  1. Understand how the Entra ID login process changes for end users after you integrate with HYPR. See What Will Happen in Entra?.

  2. Configure the Entra side of the integration. See Setting Up Entra.

  3. Configure the HYPR side of the integration. See Connecting Entra to HYPR.

Tasks common to all HYPR integrations are explained on the Integrations main page.

Licensing

Microsoft Entra ID HYPR Login Experience integration leverages federation and requires at least a Microsoft Entra ID P1 subscription. Please check your Microsoft subscription before proceeding with configuring the integration.

What Will Happen in Entra?

Login Flow

Once you activate the HYPR Entra ID integration, users will experience a different Entra login flow depending on whether they're enrolled or non-enrolled.

Enrolled Users
Users who have been successfully enrolled via the HYPR Control Center will no longer need to provide a password to log in to Entra. After providing their username on the Entra sign-in screen, they'll be redirected to the HYPR passwordless authorization flow. Essentially, HYPR intercepts the default Entra login process and replaces the password step with more secure passwordless access.

Non-enrolled Users
Users who have not been enrolled via the HYPR Control Center will be prompted to enter their Entra password after they click Sign In on the HYPR login screen.

Behind the Scenes

Once you create the integration, HYPR will handle as much of the back-end configuration in Entra as possible.

Non-enrolled Group Membership
Users who haven't registered a device with HYPR before you activate the HYPR Entra integration will automatically be added to a “Users Not Yet Enrolled” Entra ID group created by HYPR during the setup process. They'll automatically be removed from the non-enrolled group as soon as they register a device.

What You'll Need

  • Since you're setting up the HYPR Entra integration through the HYPR Control Center, you should have already registered for an account, paired your mobile device with HYPR, and used your new passwordless login to access the Control Center; if this isn't the case, please contact HYPR Support and we'll help you out.

  • Make sure you have the Entra tenant available and an account that exists on the *.onmicrosoft.com domain with administrative privileges.

  • Make sure you have the Entra licenses (P1) assigned to the test accounts.

Setting Up Entra ID

Registering the HYPR Entra ID Application

  1. From the Entra ID portal home screen, select Entra ID > App registrations > New registration.

  2. Enter the application name HYPRAuthApp and select Accounts in this organizational directory only.

  3. Click Register when done.

  4. On the Overview page, make a note of the following values which you'll need later when configuring the integration in the HYPR Control Center:

    Application (client) ID

    Directory (tenant) ID

Granting Required API Permissions

  1. From the Entra ID screen, select App registrations and select the app you just made.

  2. Select API permissions.

  3. By default, the application will already have Microsoft Graph's User.Read permission. This isn't required, so remove it by clicking the ... icon and choosing Remove permission. Click Yes, remove to confirm when prompted.



  4. Click Add a permission, and on the tiled choices, select Microsoft Graph.

  5. Select Delegated permissions.



    Delegated by Default

    Sometimes Entra ID will not display the option for Delegated or Application permissions, and will immediately assume Delegated as the choice. After you grant Admin Consent later in the process, you will be able to verify the permission type.

  6. Scroll down to the Directory entry and expand it. Select Directory.AccessAsUser.All and click Add Permissions.

  7. Verify admin consent has been granted (beside + Add a permission). If not, click Grant admin consent to apply the permissions and click Yes to confirm when prompted.

Setting Application-level Scope

  1. From the Entra ID screen, select App registrations and choose your app.

  2. Select Expose an API, then click Add next to Application ID URI.

  3. Accept the default Application ID URI setting by clicking Save.

  4. Click Add a scope and enter the following values:

    • Scope name: User.Read

    • Who can consent: Admins and users

    • Admin consent display name: HYPRAuthApp User.Read Access

    • Admin consent description: HYPRAuthApp User.Read Access

    • User consent display name: Leave blank.

    • User consent description: Leave blank.

    • State: Enabled

  5. Click Add Scope to save the changes.

Creating an application credential

You'll need to provide a credential when you set up the integration in the HYPR Control Center, which is going to be used to interact with the Entra resources via the Graph API. You can use a client secret as this credential.

OAuth flow

The Entra ID HYPR Login Experience integration uses the OAuth 2.0 Resource Owner Password Credentials (ROPC) flow to authenticate to Entra's Graph API. This is required to validate users' credentials with pass-through authentication when federated users haven't registered with HYPR.

Using a Client Secret

You'll need to provide a client secret when you set up the integration in the HYPR Control Center. Generate the client secret in Entra as follows:

  1. From the Entra ID screen, select App registrations and choose your app.

  2. Select Certificates & secrets, then select Client secrets and click New client secret.

  3. Enter a Description and an Expires date. Click Add when finished. Entra ID returns to the Certificates and Secrets list.

  4. Make a note of the client secret value now so you can use it later.



    One Time Only

    If you return to this screen later, Entra will mask the value and you won't be able to copy it.
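Because the secret value can only be copied once and the integration stops working when the secret expires, it is worth checking the registration's credentials before go-live and on a schedule afterwards. The following script is an added example, not HYPR's or Microsoft's own code; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Application.Read.All permission, and that the registration is named HYPRAuthApp as in this article (change `$AppDisplayName` if you used another name). The 30-day warning threshold is an assumed value.

```powershell
# Added example: report client secrets on the HYPRAuthApp registration that are
# expired or about to expire. Not part of the HYPR product; assumes the
# Microsoft.Graph PowerShell SDK and Application.Read.All.
param(
    [string]$AppDisplayName = 'HYPRAuthApp',   # name used in this article
    [int]$WarnWithinDays = 30                  # assumed threshold, adjust to taste
)

Connect-MgGraph -Scopes 'Application.Read.All'

# Look the registration up by display name; fail loudly if it is ambiguous or missing.
$apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'" -All)
if ($apps.Count -ne 1) {
    throw "Expected exactly one application named '$AppDisplayName', found $($apps.Count)."
}
$app = $apps[0]

$now = [DateTime]::UtcNow
$report = foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int][Math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnWithinDays) { 'EXPIRING' }
              else { 'OK' }
    [pscustomobject]@{
        Application = $app.DisplayName
        ClientId    = $app.AppId
        Description = $cred.DisplayName
        KeyId       = $cred.KeyId
        Expires     = $cred.EndDateTime
        DaysLeft    = $daysLeft
        Status      = $status
    }
}

if (-not $report) {
    Write-Warning "No client secrets exist on '$AppDisplayName'; the Control Center integration cannot authenticate."
}
foreach ($row in $report | Where-Object Status -ne 'OK') {
    Write-Warning "$($row.Status): secret '$($row.Description)' ($($row.KeyId)) expires $($row.Expires) - rotate it and update the HYPR integration."
}
$report | Sort-Object Expires | Format-Table -AutoSize
```

Run it from a Microsoft Graph-enabled PowerShell session; a secret reported as EXPIRING is the cue to generate a new one in Certificates & secrets and update the Client Secret in the HYPR Control Center before the old one lapses.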

Creating a Service Account

Additionally, you'll need to provide a service user account name and password when you set up the integration in the HYPR Control Center.

onmicrosoft.com

The service account here must be created on onmicrosoft.com, not on the custom federated domain. This service account must be excluded from any policy that would require it to use MFA.

Create the account in Entra as follows:

  1. From the Entra ID screen, select Users, then All Users.

  2. Click New user.

  3. Select Create user. In the Basics tab, enter the following values:

    • User principal name: hyprserviceaccount@YOUR_DOMAIN.onmicrosoft.com

    • Mail nickname: hyprserviceaccount (Derive from user principal name: checked)

    • Display name: HYPR Service Account

    • Password: Create a password (Auto-generate password: unchecked; you may need to uncheck it first)

    • Account Enabled: checked

    Enter a temporary password and make a note of it so you can change it below.

  4. Click Review + create to review the user account. You are taken to the Review + create tab. Verify the information you entered is correct, and click Create.

  5. On the Profile screen for the new account, select Assigned roles.

  6. Click Add Assignments.

  7. Search for and add the following Directory roles:

    Application administrator
    Configures the HYPRAuthApp application to accept authentication via ROPC when the domain is federated. Needed when adding or deleting the HYPR Entra ID integration via the Control Center.

    Directory writers
    Allows the necessary group creation/update and also handles getting the user data for sync and the immutableID for authentication. Needed throughout the entire lifecycle of the HYPR Entra integration.

    Domain Name Administrators
    Allows HYPR to automatically enable/disable the federation with Entra ID. This is needed throughout the entire lifecycle of the HYPR Entra ID integration.

    Conditional Access administrator
    If you are planning to use a Conditional Access Policy Template, you must also add the Conditional Access administrator. This role permits creation/updating for the HYPR Conditional Access Policy. It is needed when adding, enabling, disabling, or deleting the HYPR Entra ID integration via the Control Center.

    Entra ID Domain Name Administrator Role

    Make sure the Domain Name Administrator role is added to the HYPR Service Account in Entra ID, or you will receive an error stating, "Insufficient privileges to complete the operation," when attempting to enable or disable the Integration.

  8. Click Add when done.

Patience

Entra can be very slow to replicate these changes. You may need to refresh the page several times, or possibly add some of the settings more than once.

  1. Entra returns to the Assign Roles list. Confirm that all the roles were successfully assigned.

  2. Open an incognito browser window and log in to entra.microsoft.com as the new service account user so you can set the permanent password.



    One Condition

    If the account gets prompted for MFA during this login, it means you have a Conditional Access Policy in place which will need to be updated to exclude the hyprserviceaccount user.

  3. Enter an appropriate new password and make a note of it for later.
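The role list above and the "One Condition" note both describe requirements that are easy to get wrong and only surface later as an "Insufficient privileges" error or an unexpected MFA prompt. The following pre-flight check is an added example, not HYPR's or Microsoft's own code; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds Directory.Read.All and Policy.Read.All, and that the service account UPN matches the placeholder pattern used in this article. It reports only active (not PIM-eligible) role assignments, and it flags every enabled Conditional Access policy that does not explicitly exclude the account so that you can review which of them actually apply.

```powershell
# Added example: verify the HYPR service account before enabling the integration.
# Not part of the HYPR product; assumes Microsoft.Graph SDK with Directory.Read.All
# and Policy.Read.All. The UPN below is a placeholder from this article.
param(
    [string]$ServiceAccountUpn = 'hyprserviceaccount@YOUR_DOMAIN.onmicrosoft.com',
    [switch]$UsingConditionalAccessTemplate   # set when "Create HYPR Conditional Access Policy Template" is checked
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All'

# Directory roles the article requires; Conditional Access administrator only when the template is used.
$requiredRoles = @('Application Administrator', 'Directory Writers', 'Domain Name Administrator')
if ($UsingConditionalAccessTemplate) { $requiredRoles += 'Conditional Access Administrator' }

$user = Get-MgUser -UserId $ServiceAccountUpn -Property Id, UserPrincipalName, AccountEnabled
$findings = New-Object System.Collections.Generic.List[string]

# 1. The account must live on the onmicrosoft.com domain, not the federated custom domain.
if ($user.UserPrincipalName -notlike '*.onmicrosoft.com') {
    $findings.Add("UPN '$($user.UserPrincipalName)' is not on an onmicrosoft.com domain.")
}
if (-not $user.AccountEnabled) {
    $findings.Add('Account is disabled.')
}

# 2. Active directory-role memberships (Get-MgUserMemberOf returns groups and roles; keep roles only).
$assignedRoles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$missingRoles = $requiredRoles | Where-Object { $_ -notin $assignedRoles }
foreach ($role in $missingRoles) {
    $findings.Add("Missing directory role: $role")
}

# 3. Enabled Conditional Access policies that do not exclude this account by object id.
#    Not every flagged policy necessarily targets the account; review each before changing it.
$notExcluded = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $user.Id }
foreach ($policy in $notExcluded) {
    $findings.Add("Review CA policy '$($policy.DisplayName)': service account is not in its exclusions.")
}

[pscustomobject]@{
    ServiceAccount = $user.UserPrincipalName
    AssignedRoles  = ($assignedRoles | Sort-Object) -join ', '
    MissingRoles   = ($missingRoles -join ', ')
    PoliciesToReview = $notExcluded.Count
    Ready          = ($missingRoles.Count -eq 0 -and $user.AccountEnabled)
}
$findings | ForEach-Object { Write-Warning $_ }
```

A `Ready` value of `False`, or any "Missing directory role" warning, means the Add Integration step in the Control Center is likely to fail with the privilege error described in the note above; resolve the warnings in the Entra portal and re-run the check, remembering that role replication can lag by several minutes.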

Creating a Custom Domain

If the domain you intend to secure with HYPR isn't already set up and verified by Entra, you'll need to add one. Note that it can take a couple of days for the DNS changes to propagate.

Managed, Not Federated

If you already have a verified domain, make sure it isn't already set to Federated in Entra ID. If it is, you must change it to Managed before you activate the integration ("Go-Live") with HYPR.

  1. In the Entra ID screen, select Identity -> Settings -> Domain names.

  2. Click Add custom domain.

  3. Enter your domain in the Custom domain name field and click Add domain.

    You'll need to create a new TXT or MX record with your domain name registrar. Entra provides the necessary information and allows you to verify the domain once it's been created.
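The "Managed, Not Federated" requirement and the DNS verification step can both be confirmed from Microsoft Graph rather than by clicking through the portal. The following script is an added example, not HYPR's or Microsoft's own code; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds Domain.Read.All, and that the domain name is the sample value used later in this article (replace it with your own).

```powershell
# Added example: check that the custom domain is verified and Managed before
# activating the HYPR integration. Not part of the HYPR product; assumes the
# Microsoft.Graph SDK with Domain.Read.All. The domain below is a placeholder.
param(
    [string]$DomainName = 'secure.highlandsbank.com'   # sample domain from this article
)

Connect-MgGraph -Scopes 'Domain.Read.All'

$domain = Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue
if (-not $domain) {
    Write-Warning "Domain '$DomainName' has not been added to this tenant yet (Identity -> Settings -> Domain names -> Add custom domain)."
    return
}

if (-not $domain.IsVerified) {
    # Show the DNS records Entra expects so they can be compared with the registrar's zone.
    Write-Warning "Domain '$DomainName' is not verified. Publish one of these records at your registrar, then verify it in Entra:"
    Get-MgDomainVerificationDnsRecord -DomainId $DomainName |
        ForEach-Object {
            [pscustomobject]@{
                RecordType = $_.RecordType
                Label      = $_.Label
                Ttl        = $_.Ttl
                Value      = $_.AdditionalProperties['text']   # populated for TXT records
            }
        } | Format-Table -AutoSize
}

# Federation must be off before go-live; HYPR switches it on itself during activation.
$state = [pscustomobject]@{
    Domain             = $domain.Id
    IsVerified         = $domain.IsVerified
    AuthenticationType = $domain.AuthenticationType
    ReadyForGoLive     = ($domain.IsVerified -and $domain.AuthenticationType -eq 'Managed')
}
if ($domain.AuthenticationType -eq 'Federated') {
    Write-Warning "Domain '$DomainName' is already Federated; convert it to Managed before activating the HYPR integration."
}
$state
```

`ReadyForGoLive` is `True` only when the domain is both verified and Managed; if you ran this right after adding DNS records, allow time for propagation and re-run it before concluding that verification failed.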

HYPR Control Center - Connecting Entra ID to HYPR

Once Entra ID is set up, you can add the integration to HYPR.

  1. Go to the Integrations screen in the HYPR Control Center and click Add New Integration to show a list of available integration types.

  2. Select the Microsoft Entra ID integration.

  3. HYPR will present you with a choice; select HYPR Login Experience.



  4. To integrate HYPR and Entra, you just need to provide some information on the HYPR Login Setup screen.



    The fields and the values they expect are as follows:

    Application Name
    The name you provide here will be used in three places:

    - For the web account name that users will see in the HYPR Mobile App

    - For the HYPR Device Manager page where users register their devices

    - For internal identification of this integration within the HYPR platform

    You can use any name you like, but it's best to go with something that indicates the purpose of the application. For example:

    passwordlessClientEntraSSO

    You can use numbers, spaces, hyphens, and underscores in the name, but note that spaces will be stripped from the name used to internally identify the integration within the HYPR platform. The namespace is limited to 23 characters.

    Once set, the only way to change the Application Name is to delete and re-add the integration.

    Domain Name
    The custom domain in Entra you want to integrate with HYPR. For example:

    secure.highlandsbank.com

    Note that this domain must not already be federated (see Creating a Custom Domain).

    Once set, the only way to change the Domain Name is to delete and re-add the integration.

    Tenant ID
    The Directory (tenant) ID from Entra ID.

    If you didn't make a note of this earlier, you can retrieve it from the Overview page for the application in Entra ID (see Registering the HYPR Entra ID Application).

    Once set, the only way to change the Tenant ID is to delete and re-add the integration.

    Client ID
    The Application (client) ID from Entra ID.

    If you didn't make a note of this earlier, you can retrieve it from the Overview page for the application in Entra ID (see Registering the HYPR Entra ID Application).

    Once set, the only way to change the Client ID is to delete and re-add the integration.

    Client Secret
    The client secret value for the Entra ID application.

    If you didn't make a note of this earlier, you'll need to go back and generate a new one in Entra ID (see Using a Client Secret).

    Service Account Username
    The User Principal Name (UPN) for the service account you created in Entra (see Creating a Service Account). For example:

    hyprserviceaccount@YOUR_DOMAIN.onmicrosoft.com

    Service Account Password
    The permanent password you set for the service account (see Creating a Service Account).

    Create HYPR Conditional Access Policy Template
    Enables the Conditional Access policy template in Entra ID. This policy determines whether or not you will be able to enroll in HYPR. If left unchecked, all affected Entra users will be redirected to HYPR for passwordless enrollment.

    NOTE: If this option is enabled, the Conditional Access administrator role must also be assigned to the service account. See Creating a Service Account in this article.

  5. Click Add Integration to begin.

  6. If the setup succeeds, you'll see the Integration Added! confirmation dialog.

  7. You can optionally now register to use HYPR Entra logins yourself by clicking Enroll Myself. You'll be taken to the HYPR Device Manager where you can register your mobile device.



    Self-enrollment

    The Enroll Myself option is only available if your Entra username is the same as your HYPR Control Center username. If they are not the same, you can add yourself to the Integration as a regular user later (see Enrolling Users).

  8. Once you've registered a device, you'll see your username in the list of enrolled users.

Enable, Enroll, and Audit

Continue with the HYPR Integrations common UI experience in the Integrations main page to complete Enabling your integration, enrolling users, and monitoring activity with the integration's Audit Trail.

Frequently Asked Questions

Q: Why are some users missing from the Enroll Users screen when I do Sync with Entra ID?

A: Once the HYPR Entra integration is live, new users added in Entra ID will need to be manually added to the “HYPR Group (Users Not Yet Enrolled)” group via the Entra admin portal in order for them to show up as enrollable in the HYPR Control Center. Each user must also have a First Name, Last Name, and Email address defined in Entra.