Find out Which Integration Type Best Suits Your Business
HYPR offers multiple ways to integrate with Microsoft Entra ID (formerly Azure AD). Each integration type serves different use cases and requirements.
HYPR Login Experience in Control Center (CC)
Use case
Integrating HYPR with Entra ID lets you access your organization's Entra ID-protected applications (such as Office 365) using HYPR's passwordless authentication instead of the standard username + password login. This integration leverages federation and requires at least a Microsoft Entra ID P1 subscription.
What will be the end result of completing this guide?
After completing this integration, enrolled users no longer need to provide a password to log in to Entra ID. After entering their username on the Entra sign-in screen, they are redirected to the HYPR passwordless authorization flow. In effect, HYPR intercepts the default Entra login process and replaces the password step with passwordless authentication. Non-enrolled users are still prompted for their Entra password after they click Sign In on the HYPR login screen, so the password path remains available until a user is enrolled.
Configuring the solution
The configuration involves setting up both the Entra ID side and the HYPR side of the integration:
Entra ID Setup:
- Register the HYPR Entra ID application with the name "HYPRAuthApp"
- Grant the required API permission (Directory.AccessAsUser.All)
- Configure the application-level scope (User.Read)
- Create a client secret for authentication (record its expiry; it must be rotated in both Entra and HYPR before it lapses)
- Create a service account on the onmicrosoft.com domain with the required roles (Application administrator, Directory writers, Domain Name Administrators, Conditional Access administrator). These are privileged roles: dedicate the account to this integration, protect its credentials accordingly, and do not grant it anything beyond this list
- Create a custom domain if needed
HYPR Control Center Setup:
- Add new Microsoft Entra ID integration
- Select "HYPR Login Experience" option
- Provide the application name, domain name, tenant ID, client ID, client secret, and service account credentials
- Optionally enable HYPR Conditional Access Policy Template
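The Entra ID steps above come down to a handful of Microsoft Graph calls. The Python below is an added illustration, not HYPR's or Microsoft's code: it builds the request bodies for the app registration and a short-lived client secret, and audits the service account's directory roles against the four roles listed above, reporting both missing roles and any extra privilege. It also covers the permission lists of the other two integration types on this page, since the same scope-resolution helper applies to all three. Scope IDs are looked up in the Graph service principal's published scope list rather than hard-coded; the sample scope list and its IDs are constructed placeholders.

```python
"""Build Microsoft Graph request bodies for the HYPR app registration and
audit the service account's role assignments.

Added example, not HYPR's or Microsoft's code. Scope IDs are resolved from
the Microsoft Graph service principal's published scopes; the list below is
a constructed sample with placeholder IDs.
"""
from datetime import datetime, timedelta, timezone

# Well-known appId of the Microsoft Graph resource.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample of oauth2PermissionScopes from
#   GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'&$select=oauth2PermissionScopes
# The IDs are placeholders; a real tenant response carries the real GUIDs.
SAMPLE_GRAPH_SCOPES = [
    {"value": "openid", "id": "00000000-0000-4000-8000-000000000001", "type": "User"},
    {"value": "profile", "id": "00000000-0000-4000-8000-000000000002", "type": "User"},
    {"value": "User.Read", "id": "00000000-0000-4000-8000-000000000003", "type": "User"},
    {"value": "Directory.AccessAsUser.All", "id": "00000000-0000-4000-8000-000000000004", "type": "Admin"},
    {"value": "UserAuthenticationMethod.ReadWrite.All", "id": "00000000-0000-4000-8000-000000000005", "type": "Admin"},
    {"value": "Policy.ReadWrite.AuthenticationMethod", "id": "00000000-0000-4000-8000-000000000006", "type": "Admin"},
    {"value": "User.ReadWrite.All", "id": "00000000-0000-4000-8000-000000000007", "type": "Admin"},
    {"value": "Directory.ReadWrite.All", "id": "00000000-0000-4000-8000-000000000008", "type": "Admin"},
]

# Delegated permissions each integration type on this page asks for.
PERMISSIONS_BY_INTEGRATION = {
    "HYPR Login Experience": ["Directory.AccessAsUser.All", "User.Read"],
    "HYPR Enterprise Passkey": ["Directory.AccessAsUser.All", "UserAuthenticationMethod.ReadWrite.All"],
    "External Authentication Method": ["openid", "Policy.ReadWrite.AuthenticationMethod",
                                       "profile", "User.ReadWrite.All", "Directory.ReadWrite.All"],
}

# Roles the page requires for the service account.
REQUIRED_SERVICE_ACCOUNT_ROLES = {
    "Application Administrator", "Directory Writers",
    "Domain Name Administrator", "Conditional Access Administrator",
}


def _norm(role_name):
    """Case- and plural-insensitive role name, so "Directory writers" matches "Directory Writers"."""
    return role_name.casefold().rstrip("s")


def resolve_scopes(names, published_scopes):
    """Map scope names to the resourceAccess entries Graph expects; fail loudly on a typo."""
    by_value = {s["value"]: s for s in published_scopes}
    missing = [n for n in names if n not in by_value]
    if missing:
        raise ValueError(f"scopes not published by the resource: {missing}")
    return [{"id": by_value[n]["id"], "type": "Scope"} for n in names]


def admin_consent_scopes(names, published_scopes):
    """Scopes of type 'Admin' need tenant-wide admin consent before the app can use them."""
    by_value = {s["value"]: s for s in published_scopes}
    return sorted(n for n in names if by_value[n]["type"] == "Admin")


def app_registration_body(display_name, scope_names, published_scopes, redirect_uris=()):
    """Body for POST /applications: a single-tenant app with the listed delegated Graph scopes."""
    body = {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": resolve_scopes(scope_names, published_scopes),
        }],
    }
    if redirect_uris:
        body["web"] = {"redirectUris": list(redirect_uris)}
    return body


def client_secret_body(label, lifetime_days=180):
    """Body for POST /applications/{id}/addPassword with a bounded lifetime.

    Graph returns the secret value once and it cannot be read back: paste it into
    the HYPR integration immediately and record the end date for rotation.
    """
    if not 1 <= lifetime_days <= 365:
        raise ValueError("keep client secret lifetimes to a year or less")
    end = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    return {"passwordCredential": {"displayName": label,
                                   "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}


def audit_service_account_roles(assigned_roles):
    """Compare the service account's directory roles with the required set.

    `assigned_roles` holds the displayName values of the account's memberOf entries
    of type #microsoft.graph.directoryRole. Returns (missing, extra); anything in
    `extra` is privilege the integration does not need, e.g. Global Administrator.
    """
    required = {_norm(r) for r in REQUIRED_SERVICE_ACCOUNT_ROLES}
    assigned = {_norm(r) for r in assigned_roles}
    missing = sorted(r for r in REQUIRED_SERVICE_ACCOUNT_ROLES if _norm(r) not in assigned)
    extra = sorted(r for r in assigned_roles if _norm(r) not in required)
    return missing, extra


if __name__ == "__main__":
    for name, scopes in PERMISSIONS_BY_INTEGRATION.items():
        app_registration_body("HYPRAuthApp", scopes, SAMPLE_GRAPH_SCOPES)
        print(name, "-> admin consent needed for:", admin_consent_scopes(scopes, SAMPLE_GRAPH_SCOPES))
    print(audit_service_account_roles(["Application administrator", "Global Administrator"]))
```

To use it against a real tenant, replace SAMPLE_GRAPH_SCOPES with the oauth2PermissionScopes returned for the Graph service principal and post the bodies with a token that holds Application.ReadWrite.All; the scopes reported by admin_consent_scopes still need tenant-wide admin consent before HYPR can call Graph with them.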
Validating and testing the solution
To validate the integration:
- Verify the integration appears in the HYPR Control Center Integrations list
- Test self-enrollment by clicking "Enroll Myself" if your Entra username matches your HYPR Control Center username
- Register a device through the HYPR Device Manager
- Verify enrolled users appear in the integration's user management list
- Test the login flow by accessing an Entra ID-protected application
- Monitor the integration's Audit Trail for user activity
Deployment strategy and risk mitigation
For production deployment:
- Start with a pilot group of users to test the integration
- Communicate the new login process to end users before enabling the integration
- Ensure all required Entra ID licenses (P1) are assigned to test accounts
- Monitor the "Users Not Yet Enrolled" group in Entra ID for new users
- Have a rollback plan in case issues arise during deployment
- Consider implementing the Conditional Access Policy Template to control enrollment
HYPR Enterprise Passkey
Use case
HYPR Enterprise Passkey (a.k.a. the FIDO2 Mobile Authenticator pattern) lets a device running the HYPR Mobile App act as a FIDO2 security key when authenticating through Microsoft Entra. This integration is currently in beta and supports various workstation setups, including non-domain-joined, on-premises Active Directory, Entra domain-joined, and hybrid Entra domain-joined environments.
What will be the end result of completing this guide?
After completing this integration, users who have been successfully enrolled via HYPR Passwordless have their Enterprise Passkey enrolled into Entra ID automatically. When signing in to Entra ID in a browser, users enter their username and then choose the security key option to authenticate with the HYPR Enterprise Passkey. When logging in to Windows, users tap their computer account in the HYPR Mobile app to sign in. Enrollment uses the Entra ID FIDO2 provisioning API, so users do not have to register the key themselves.
Configuring the solution
The configuration involves multiple steps:
Entra ID Setup:
- Register the HYPR Entra ID Application with required API permissions (Directory.AccessAsUser.All, UserAuthenticationMethod.ReadWrite.All)
- Create client secret or certificate for authentication
- Enable Security Keys in the Entra tenant, with the FIDO2 method settings (target groups, attestation enforcement, key restrictions) configured so that the HYPR authenticator is accepted
- Enable Security Keys in Intune for Windows workstation support
HYPR Control Center Setup:
- Add new Microsoft Entra ID integration
- Select "Native Microsoft Entra Login Experience" for FIDO2 Mobile Authenticator
- Provide application name, tenant ID, client ID, and credentials
- Enable the integration after successful setup
- Configure and download the desktop client for Windows workstations
Workstation Requirements:
- Windows OS (macOS not yet supported)
- For Windows sign-in: Entra domain-joined or hybrid-joined VMs or physical machines
- HYPR Passwordless client installed
- Required OS patch levels and, for hybrid environments, domain controllers at the required patch level with the AES256_HMAC_SHA1 Kerberos encryption type enabled
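Two of the prerequisites above are easy to get subtly wrong: the tenant's FIDO2 policy can silently exclude the HYPR authenticator, and a hybrid environment without AES256 Kerberos will fail at Windows sign-in. The Python below is an added illustration, not HYPR's or Microsoft's code. It builds the Graph body for the FIDO2 authentication method policy scoped to a pilot group and decodes the Kerberos encryption-type bitmask (the same bit layout used by the msDS-SupportedEncryptionTypes attribute and by the "Configure encryption types allowed for Kerberos" policy) to confirm AES256 is on and to flag legacy types. The group ID and AAGUID are placeholders; the HYPR authenticator's real AAGUID is not given on this page.

```python
"""Entra FIDO2 security-key policy body plus the Kerberos encryption-type
check for hybrid-joined workstations.

Added example, not HYPR's or Microsoft's code. The group ID and AAGUID used
in __main__ are placeholders.
"""

# Bits of the Kerberos supported-encryption-types bitmask
# (msDS-SupportedEncryptionTypes / the Kerberos encryption types policy).
KERBEROS_ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",   # the type this page calls AES256_HMAC_SHA1
}
AES256_BIT = 0x10


def fido2_policy_body(target_group_ids, allowed_aaguids=(), enforce_attestation=False):
    """Body for PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2.

    Attestation enforcement and the AAGUID allow-list decide which keys the tenant
    accepts. An allow-list that omits the HYPR authenticator's AAGUID, or an attestation
    requirement it cannot satisfy, blocks enrollment for every user in scope.
    """
    if not target_group_ids:
        raise ValueError("scope the method to at least one group for the pilot")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": True,
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {
            "isEnforced": bool(allowed_aaguids),
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids),
        },
        "includeTargets": [
            {"targetType": "group", "id": gid, "isRegistrationRequired": False}
            for gid in target_group_ids
        ],
    }


def decode_enc_types(value):
    """Names of the Kerberos encryption types enabled in a supported-encryption-types value."""
    return [name for bit, name in sorted(KERBEROS_ENC_TYPE_BITS.items()) if value & bit]


def hybrid_kerberos_ready(value):
    """True when AES256 is advertised, the prerequisite for FIDO2 sign-in in hybrid environments.

    `value` is the bitmask as read from the domain controller; None means it is unset,
    which does not guarantee AES256, so set it explicitly rather than rely on defaults.
    """
    return value is not None and bool(value & AES256_BIT)


def weak_enc_types(value):
    """DES and RC4 are legacy types; report them so they can be removed from the same setting."""
    return [n for n in decode_enc_types(value) if n.startswith(("DES", "RC4"))]


if __name__ == "__main__":
    body = fido2_policy_body(["<pilot-group-object-id>"], allowed_aaguids=["<hypr-aaguid>"])
    print(body["keyRestrictions"])
    for v in (0x1C, 0x18, 0x04, None):
        label = hex(v) if v is not None else "unset"
        print(label, decode_enc_types(v or 0), "AES256 ok:", hybrid_kerberos_ready(v), "weak:", weak_enc_types(v or 0))
```

A value of 0x1C (RC4 + AES128 + AES256) passes the AES256 check but still advertises RC4; 0x18 is the AES-only setting you want on domain controllers once nothing legacy depends on RC4.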
Validating and testing the solution
To validate the integration:
- Verify the integration is enabled in HYPR Control Center
- Check that HYPR groups are created in Entra (Eligible for Pairing, Client Paired with HYPR, Client Paired with Entra)
- Test pairing a HYPR Enterprise Passkey on a supported workstation
- Verify users can authenticate to Entra ID using the security key option
- Test Windows login using the HYPR Mobile app
- Monitor user management states (Paired with HYPR, Paired with Entra)
Deployment strategy and risk mitigation
For production deployment:
- Ensure workstation OS patch level requirements are met
- Verify domain controller patch levels for hybrid environments
- Test with a pilot group of users across different workstation configurations
- Communicate the new authentication method to end users
- Have a rollback plan for workstation configurations
- Monitor known issues and FAQs from Microsoft regarding FIDO2 security keys
- Consider administrative account limitations and additional configuration requirements
External Authentication
Use case
Integrating HYPR with Entra ID via External Authentication Methods (EAM) lets you access your organization's Entra ID-based applications (such as Office 365) using HYPR passwordless authentication as a phishing-resistant multi-factor authentication method. This integration is currently in beta and is part of Microsoft's EAM public preview launched in May 2024.
What will be the end result of completing this guide?
After completing this integration, users who have been successfully enrolled via the HYPR Device Manager can satisfy multi-factor authentication requirements through HYPR. After entering their username on the Entra ID sign-in screen and authenticating with their password, they are redirected to the HYPR passwordless authorization flow, complete the login with their registered HYPR authenticator, and are returned to Entra ID. Unlike the HYPR Login Experience, the password step stays in place here; HYPR supplies the second factor while the familiar Entra ID login experience is preserved.
Configuring the solution
The configuration involves setup on both sides. The redirect URI, the External Authentication Method itself and the MFA policies need values that the HYPR Control Center produces (the HYPR redirect URL and discovery endpoint), so they are completed last, under "Final Entra ID Configuration":
Entra ID Setup:
- Register the HYPR Entra ID Application with the required API permissions (openid, Policy.ReadWrite.AuthenticationMethod, profile, User.ReadWrite.All, Directory.ReadWrite.All)
- Create a client secret or certificate for authentication
HYPR Control Center Setup:
- Add new Microsoft Entra ID integration
- Select "Microsoft Entra ID External Authentication Method"
- Provide application name, tenant ID, client ID, and credentials
- Complete the integration setup
Final Entra ID Configuration:
- Configure application authentication with HYPR redirect URL
- Create External Authentication Method with HYPR discovery endpoint
- Enable MFA for the HYPR EAM group
- Set Conditional Access Policies targeting the group
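The final Entra ID steps hinge on three artifacts: the HYPR discovery endpoint, the External Authentication Method object that points at it, and a Conditional Access policy that sends the pilot group through MFA. The Python below is an added illustration, not HYPR's or Microsoft's code. It validates an OIDC discovery document the way a practitioner would before pasting its URL into Entra (required fields, HTTPS everywhere, the id_token response type that Entra's EAM flow requests, and the issuer/URL relationship that OpenID Connect Discovery defines), then builds the EAM configuration body and an MFA policy that starts in report-only mode. The discovery document, URL and IDs are constructed placeholders, and the externalAuthenticationMethodConfiguration shape follows the Microsoft Graph beta API as an assumption to verify against your tenant.

```python
"""EAM-side checks: validate the provider's OIDC discovery document, build the
external authentication method body, and build a report-only MFA policy.

Added example, not HYPR's or Microsoft's code. Discovery document, URL and IDs
are constructed placeholders; the EAM body shape follows the Graph beta API
(assumed, verify before use).
"""
import json
from urllib.parse import urlparse

# Constructed sample of what the HYPR discovery endpoint is expected to return.
DISCOVERY_URL = "https://hypr.example.com/eam/.well-known/openid-configuration"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://hypr.example.com/eam",
    "authorization_endpoint": "https://hypr.example.com/eam/authorize",
    "jwks_uri": "https://hypr.example.com/eam/jwks",
    "response_types_supported": ["id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid"],
})

REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "jwks_uri",
                           "response_types_supported", "id_token_signing_alg_values_supported")


def validate_discovery(doc_json, discovery_url):
    """Return a list of problems; empty means the document is usable as an EAM discovery endpoint."""
    doc = json.loads(doc_json)
    problems = [f"missing {k}" for k in REQUIRED_DISCOVERY_KEYS if k not in doc]
    for k in ("issuer", "authorization_endpoint", "jwks_uri"):
        if k in doc and urlparse(doc[k]).scheme != "https":
            problems.append(f"{k} is not https")
    # Entra's EAM flow asks the provider for an id_token, so it must be an offered response type.
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("provider does not offer the id_token response type")
    # OpenID Connect Discovery 1.0 places the document at issuer + /.well-known/openid-configuration.
    issuer = doc.get("issuer", "").rstrip("/")
    if issuer and discovery_url != issuer + "/.well-known/openid-configuration":
        problems.append("discovery URL does not sit under the issuer")
    return problems


def eam_config_body(display_name, app_id, client_id, discovery_url, group_id):
    """Body for POST /policies/authenticationMethodsPolicy/authenticationMethodConfigurations (beta)."""
    return {
        "@odata.type": "#microsoft.graph.externalAuthenticationMethodConfiguration",
        "displayName": display_name,
        "state": "enabled",
        "appId": app_id,  # the HYPR app registration that carries the redirect URI
        "openIdConnectSetting": {"clientId": client_id, "discoveryUrl": discovery_url},
        "includeTargets": [{"targetType": "group", "id": group_id, "isRegistrationRequired": False}],
    }


def mfa_ca_policy_body(name, group_id, report_only=True):
    """Body for POST /identity/conditionalAccess/policies requiring MFA for one group.

    Start in report-only mode: the sign-in logs then show which sessions would have
    been sent to HYPR, without anyone being locked out if the EAM is misconfigured.
    """
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    print(validate_discovery(SAMPLE_DISCOVERY_JSON, DISCOVERY_URL))  # [] when everything lines up
    print(json.dumps(eam_config_body("HYPR", "<app-id>", "<client-id>", DISCOVERY_URL, "<group-id>"), indent=2))
    print(mfa_ca_policy_body("HYPR EAM pilot - require MFA", "<group-id>")["state"])
```

Fetch the real discovery document over TLS, run validate_discovery on it with the exact URL you intend to register, and only then create the EAM; flip report_only to False once the sign-in logs show the pilot group being evaluated as expected.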
Validating and testing the solution
To validate the integration:
- Verify the integration appears in HYPR Control Center
- Test self-enrollment if username matches HYPR Control Center username
- Register a device through HYPR Device Manager
- Verify enrolled users appear in the integration's user management list
- Test the MFA flow by accessing an Entra ID-protected application
- Verify users are redirected to HYPR for second-factor authentication
- Monitor the integration's Audit Trail for authentication events
Deployment strategy and risk mitigation
For production deployment:
- Start with a pilot group of users to test the MFA flow
- Communicate the new MFA process to end users
- Ensure all required Entra ID licenses (P1) are assigned
- Test Conditional Access Policies in report-only mode first
- Monitor the "Users Not Yet Enrolled" group in Entra ID
- Have a rollback plan for MFA policies
- Consider user communication plan for the new authentication flow