Administrator Configuration
This guide covers the common Enterprise Passkey and HYPR integration steps that apply to both Entra-only and Hybrid environments. The core Enterprise Passkey setup process is identical regardless of your device join type.
Before proceeding with this guide, ensure you have completed your environment-specific device join setup:
- Entra-only: Devices are joined directly to Entra ID
- Hybrid: Devices are hybrid-joined (on-prem AD + Entra via Azure AD Connect)
See the Environment Setup guide for details on choosing and setting up your environment type.
Overview
This guide covers the standard Enterprise Passkey/HYPR integration steps:
- Configure Entra ID app registration (for HYPR integration)
- Enable FIDO2/Enterprise Passkey authentication in Entra
- Configure HYPR Control Center™ (feature flags, Entra integration)
- Install HYPR Passwordless for Windows™ on workstations
- Enable FIDO2 security key login on Windows
These steps are identical for both Entra-only and Hybrid environments. The only difference is that hybrid environments must complete hybrid join setup first (see Hybrid Administrator Setup).
If you need to create a new Entra ID tenant or join devices to Entra ID, see the Entra-only Administrator Setup guide for those steps.
Configuring Your Environments
Administrator configuration for Enterprise Passkey + HYPR Passkey lives across three surfaces — Microsoft Entra ID, HYPR Control Center, and HYPR Passwordless for Windows on the user workstation. The end-to-end configuration walkthrough lives in:
- Entra-only environments: Environment Setup (Entra-only) for Microsoft-side prerequisites + tenant configuration, then return here.
- Hybrid (Entra + on-prem AD) environments: Environment Setup (Hybrid) for the Hybrid Azure AD Join setup, then return here.
- Microsoft Entra ID integration: HYPR Entra Integration for the HYPR-side integration setup (tenant connection, app registration, redirect URIs, claim configuration).
- HYPR Enterprise Passkey on Entra: Enterprise Passkey for Microsoft Entra for the passkey-specific configuration in Entra.
- HYPR Passwordless for Windows install + workstation pairing: Installing HYPR Passwordless for Windows.
Deployment-relevant nuances
- Tenant feature flags: HYPR enables the Enterprise Passkey / HYPR Passkey feature flags per tenant — coordinate with your HYPR representative before starting.
- Order matters: complete the environment setup (Entra-only or Hybrid) before HYPR Control Center configuration; complete HYPR Control Center configuration before installing HYPR Passwordless for Windows on user workstations.
- Workstation join state determines available flows: Entra-joined, Entra-Hybrid-joined, and non-domain-joined workstations have different supported sign-in paths — see Supported Sign-In Paths for Enterprise Passkey.
Additional Configuration
Additional optional configuration covers a few deployment-relevant choices outside the core flow:
- Magic Link delivery: configure HYPR Magic Links for Web-to-Workstation registration flows — see Magic Links.
- Workstation Settings toggles: optional behaviors (Require User Presence for Registration, Roaming Users, Offline Mode, Recovery Mode) — see Workstation Settings.
- Save Workstation after first unlock (iOS): an end-user prompt that turns the just-unlocked workstation into a saved tile in the HYPR Mobile App. Controlled by the tenant feature flag
ENABLE_SAVE_WS_QR_PAIRING. - Certificate template configuration: required when the deployment uses certificate-based registration — see Configuring a Custom Certificate Template.
- Feature flags reference: Feature Flags Reference covers the tenant-enablement flags HYPR sets per deployment.
See Also
For more information about HYPR Passwordless for Windows™ functionality, see: