Skip to main content
Version: 11.3.0

Administrator Configuration

This guide covers the common Enterprise Passkey and HYPR integration steps that apply to both Entra-only and Hybrid environments. The core Enterprise Passkey setup process is identical regardless of your device join type.

Prerequisites

Before proceeding with this guide, ensure you have completed your environment-specific device join setup:

  • Entra-only: Devices are joined directly to Entra ID
  • Hybrid: Devices are hybrid-joined (on-prem AD + Entra via Azure AD Connect)

See the Environment Setup guide for details on choosing and setting up your environment type.

Overview

This guide covers the standard Enterprise Passkey/HYPR integration steps:

  1. Configure Entra ID app registration (for HYPR integration)
  2. Enable FIDO2/Enterprise Passkey authentication in Entra
  3. Configure HYPR Control Center™ (feature flags, Entra integration)
  4. Install HYPR Passwordless for Windows™ on workstations
  5. Enable FIDO2 security key login on Windows

These steps are identical for both Entra-only and Hybrid environments. The only difference is that hybrid environments must complete hybrid join setup first (see Hybrid Administrator Setup).

Entra Tenant Setup

If you need to create a new Entra ID tenant or join devices to Entra ID, see the Entra-only Administrator Setup guide for those steps.

Configuring Your Environments

Administrator configuration for Enterprise Passkey + HYPR Passkey lives across three surfaces — Microsoft Entra ID, HYPR Control Center, and HYPR Passwordless for Windows on the user workstation. The end-to-end configuration walkthrough lives in:

Deployment-relevant nuances

  • Tenant feature flags: HYPR enables the Enterprise Passkey / HYPR Passkey feature flags per tenant — coordinate with your HYPR representative before starting.
  • Order matters: complete the environment setup (Entra-only or Hybrid) before HYPR Control Center configuration; complete HYPR Control Center configuration before installing HYPR Passwordless for Windows on user workstations.
  • Workstation join state determines available flows: Entra-joined, Entra-Hybrid-joined, and non-domain-joined workstations have different supported sign-in paths — see Supported Sign-In Paths for Enterprise Passkey.

Additional Configuration

Additional optional configuration covers a few deployment-relevant choices outside the core flow:

  • Magic Link delivery: configure HYPR Magic Links for Web-to-Workstation registration flows — see Magic Links.
  • Workstation Settings toggles: optional behaviors (Require User Presence for Registration, Roaming Users, Offline Mode, Recovery Mode) — see Workstation Settings.
  • Save Workstation after first unlock (iOS): an end-user prompt that turns the just-unlocked workstation into a saved tile in the HYPR Mobile App. Controlled by the tenant feature flag ENABLE_SAVE_WS_QR_PAIRING.
  • Certificate template configuration: required when the deployment uses certificate-based registration — see Configuring a Custom Certificate Template.
  • Feature flags reference: Feature Flags Reference covers the tenant-enablement flags HYPR sets per deployment.

See Also

For more information about HYPR Passwordless for Windows™ functionality, see: