Administrator Configuration

This guide covers the common Enterprise Passkey and HYPR integration steps that apply to both Entra-only and Hybrid environments. The core Enterprise Passkey setup process is identical regardless of your device join type.

Prerequisites

Before proceeding with this guide, ensure you have completed your environment-specific device join setup:

• Entra-only: Devices are joined directly to Entra ID
• Hybrid: Devices are hybrid-joined (on-prem AD + Entra via Azure AD Connect)

See the Environment Setup guide for details on choosing and setting up your environment type.

Overview

This guide covers the standard Enterprise Passkey/HYPR integration steps:

1. Configure Entra ID app registration (for HYPR integration)
2. Enable FIDO2/Enterprise Passkey authentication in Entra
3. Configure HYPR Control Center™ (feature flags, Entra integration)
4. Install HYPR Passwordless for Windows™ on workstations
5. Enable FIDO2 security key login on Windows

These steps are identical for both Entra-only and Hybrid environments. The only difference is that hybrid environments must complete hybrid join setup first (see Hybrid Administrator Setup).

Entra Tenant Setup

If you need to create a new Entra ID tenant or join devices to Entra ID, see the Entra-only Administrator Setup guide for those steps.

Configuring Your Environments

Preparing Entra ID App Registration

This step configures Entra ID to prepare it for HYPR Control Center™ integration. You'll need to create an app registration and configure the necessary API permissions.

Prerequisites

You should have an Entra ID tenant that you're an admin on, with some users that you can test with. This builds on the previous steps of creating the tenant and users. Make sure you are logged in to an admin account on your tenant to continue the setup.

1. Create App Registration

   • Navigate to App registrations in your Entra ID tenant

   • Click New registration

     

   • Name: Enter a descriptive name (e.g., "HYPR Integration")

   • Supported account types: Select appropriate option

   • Redirect URI: In the Redirect URI field, paste https://login.microsoftonline.com/common/oauth2/nativeclient. This value is required for the HYPR Enterprise Passkey / HYPR Passkey integration to work correctly.

   • Click Register

     

   • Once you have created your application, take note of its name, application (client) ID, and tenant (directory) ID; these will be required later on to link it to your HYPR tenant.

     

2. Generate Client Secret

   • Go to Certificates & secrets

   • Click New client secret

     

   • Description: Enter a description for the secret

   • Expires: Select a suitable time period for the expiration of the secret

   • Click Add

   • Important: Once your secret has been created, copy and save the secret value immediately (you'll need this along with the other details you saved previously to complete the link to the HYPR tenant)

     

3. Configure Delegated Permissions

   • Navigate to API permissions

   • Click Add a permission

     

   • Select Microsoft Graph

   • Choose Delegated permissions

     

   • Search for and tick the required delegated permissions:

     • Directory.ReadWrite.All
     • Policy.ReadWrite.AuthenticationMethod
     • User.Read
     • UserAuthenticationMethod.ReadWrite.All

   • Click Add permissions

4. Configure Application Permissions

   • Click Add a permission again
   • Select Microsoft Graph
   • Choose Application permissions
   • Search for and tick all of the required application permissions:
     • Application.ReadWrite.All
     • Group.Create
     • Group.ReadWrite.All
     • GroupMember.ReadWrite.All
     • Policy.Read.All
     • User.ReadWrite.All
     • UserAuthenticationMethod.ReadWrite.All
     • UserAuthMethod-Passkey.ReadWrite.All
   • Click Add permissions
   Both Permission Types Required

   Both Delegated and Application permissions are required for UserAuthenticationMethod.ReadWrite.All. These are separate permissions that must be selected independently—even though they share the same name, they serve different purposes and both are necessary for Enterprise Passkey to function correctly. Removing either the Delegated or Application permission will break registration and authentication.

5. Grant Admin Consent

   • Click Grant admin consent for both Delegated and Application permissions

     

   Verify that all required permissions are granted:

   • Delegated permissions:

     • Directory.ReadWrite.All
     • Policy.ReadWrite.AuthenticationMethod
     • User.Read
     • UserAuthenticationMethod.ReadWrite.All

   • Application permissions:

     • Application.ReadWrite.All
     • Group.Create
     • Group.ReadWrite.All
     • GroupMember.ReadWrite.All
     • Policy.Read.All
     • User.ReadWrite.All
     • UserAuthenticationMethod.ReadWrite.All
     • UserAuthMethod-Passkey.ReadWrite.All

Save Credentials

Make sure to save the Application (client) ID, Directory (tenant) ID, and Client secret as you'll need these for the HYPR Control Center™ configuration. The client secret and the API permissions should enable you to create your HYPR integration.

6. Enable FIDO2 Authentication Methods

The last step is to enable FIDO2 security keys as an authentication method:

• Navigate to Authentication methods > Policies

• Select FIDO2 Security Key

  

• Click Enable

• Click Save

  

Authentication Methods

This step enables FIDO2 security keys as an authentication method in your Entra ID tenant, which is required for HYPR Enterprise Passkey functionality. This completes the Entra ID configuration required for HYPR Enterprise Passkey integration.

Configuring HYPR Control Center™

This step configures all the feature flags and settings required for HYPR Enterprise. You'll need your application's client ID, tenant ID, and client secret from the previous step.

Prerequisites

If you haven't completed the Entra ID app registration step, please do that first and then come back to this step. You need the client ID, tenant ID, and client secret that you saved earlier.

Feature Flag Enablement

Feature flags in HYPR Control Center™ are configured at the tenant level by HYPR. Contact your HYPR representative or HYPR Support to confirm that all required flags are enabled for your tenant before proceeding. The lists below are provided for reference when coordinating with HYPR.

1. Confirm global feature flags with HYPR

   The following global feature flags must be enabled on your tenant. Contact your HYPR representative to verify these are in place:

   Required global feature flags

   • AZURE_IDP_INTEGRATION
   • AZURE_NATIVE_LOGIN
   • AZURE_PROVISION_API
   • FIDO2_MOBILE_3PPP_ENABLED
   • ENABLE_SAVE_WS_QR_PAIRING — Required for Unified Single Registration Experience for Enterprise Passkeys
   • FIDO2_MOBILE_AUTHENTICATOR
   • HYPR_LINKS
   • QR_DYNAMIC_LINK — Applicable to HYPR versions prior to 11.1 only. In 11.1 and later, this functionality is provided by HYPR_LINKS.
   • RP_APP_WORKSTATION_ENABLED
   • VIRTUAL_DESKTOP_INFRASTRUCTURE — Required if you want roaming logins to be enabled
   • WEB_LOGIN_WITH_WFA_REGISTRATION
   • WINDOWS_WEB_ENROLLMENT
   • ANDROID_BIOMETRIC_PROMPT_SECURITY
   • ENDPOINT_API_SECURITY_TOKEN_DEVICE — Required for device security token operations
   • ENDPOINT_API_SECURITY_TOKEN_WORKSTATION — Required for workstation security token operations

2. Confirm RP app feature flags with HYPR

   The following flags must also be enabled per Enterprise Passkey RP app (not globally). Contact your HYPR representative to confirm these are set for each relevant app:

   Required RP app feature flags

   • AZURE_IDP_INTEGRATION
   • AZURE_NATIVE_LOGIN
   • AZURE_PROVISION_API
   • ENDPOINT_API_SECURITY_TOKEN_DEVICE
   • ENDPOINT_API_SECURITY_TOKEN_WORKSTATION
   • FIDO2_MOBILE_AUTHENTICATOR
   • FIDO2_MOBILE_3PPP_ENABLED
   • ENABLE_SAVE_WS_QR_PAIRING — Required for Unified Single Registration Experience for Enterprise Passkeys
   • ANDROID_BIOMETRIC_PROMPT_SECURITY
   • RP_APP_WORKSTATION_ENABLED
   • VIRTUAL_DESKTOP_INFRASTRUCTURE — Enable for this RP app if you want roaming logins to be enabled

HYPR Passkey Feature

The FIDO2_MOBILE_3PPP_ENABLED flag enables HYPR Passkey on supported mobile platforms, which differs from regular Enterprise Passkey in several key ways:

What the HYPR Passkey Feature Offers:

• The HYPR Mobile App acts as a native passkey provider on iOS and Android
• Enables Windows OS and browser sign-in with synced, end-to-end encrypted passkeys
• HYPR automatically creates the Entra passkey during setup based on your signed-in Windows/Entra identity
• No separate registration in the Entra portal is required

Key Differences from Regular Enterprise Passkey:

• Simplified Setup: Previously, pairing a workstation to a HYPR Enterprise Passkey required additional steps involving Entra. With HYPR Passkey, HYPR creates the Entra passkey during setup automatically.
• Session Passkey SSO: Provides session passkey SSO after desktop login and QR-based fallback when proximity cannot be established
• One Passkey Per Device: Supports only one Entra passkey per device (other FIDO2 passkeys may coexist)
• Identity Alignment: The Windows account/Entra tenant you use during pairing determines which Entra identity the passkey is created for

Prerequisites for HYPR Passkey:

• The HYPR Mobile App (current version) with device biometrics enabled for users
• HYPR Passwordless for Windows™ 10.5.0+ on the user's Entra-joined or hybrid-joined workstation
• Network connectivity and Bluetooth/proximity; mobile camera permission enabled for QR

Important HYPR Passkey Considerations:

• One Entra Passkey Limit: The HYPR Mobile App supports only one Entra passkey credential per device
• Credential Provider: Users must enable the HYPR Mobile App as a passkey provider in their phone's system settings before pairing. On Android: Settings → Security and privacy → Passwords, passkeys, and autofill → enable the HYPR toggle. On iOS: Settings → General → Passwords → enable the HYPR toggle. See Installing the HYPR Mobile App for full instructions.
• Biometrics Required: Using a HYPR Enterprise Passkey requires mobile device biometrics to be enabled
• Identity Verification: Confirm the Windows user and Entra tenant are correct before pairing (check whoami /upn)
• Managed Devices: Ensure MDM policies don't block passkey providers, Bluetooth proximity, camera access, or associated domains

Unified Single Registration Experience for Enterprise Passkeys configuration

If you want users to be able to save workstations after QR-based workstation sign-in, make sure with your HYPR representative that the feature flags required for Unified Single Registration Experience for Enterprise Passkeys (including ENABLE_SAVE_WS_QR_PAIRING) are enabled for the relevant web and workstation rpApps in HYPR Control Center.

4. Create Entra ID Integration

   • Once the feature flags have been updated for your HYPR tenant, navigate to Integrations in the menu on the left and click Add New Integration

     

   • Select Microsoft Entra ID

   • Choose Native Microsoft Android Login Experience and click Next

     

   • Specify the credentials and client secret of your Entra ID application that you saved earlier in the following:

     • Application Name
     • Client ID
     • Client Secret

   • Click Add Integration

     

If your credentials have been specified correctly, you will be notified that the integration has been added successfully.

Click Maybe Later to close the dialog box.

5. Confirm Web RP App feature flags with HYPR

   The following flags must be enabled for your Web RP App only (not globally). Contact your HYPR representative to confirm these are configured:

   Required Web RP App feature flags

   • ASYNC_REGISTRATION
   • WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
   • ENABLE_SAVE_WS_QR_PAIRING — Required if you want the web RP app to support saving workstations after QR-based sign-in

   ASYNC_REGISTRATION dependency

   Enabling ASYNC_REGISTRATION for a web RP app requires RP_APP_WORKSTATION_ENABLED to be temporarily disabled on that app first, then re-enabled after. Confirm with your HYPR representative that both ASYNC_REGISTRATION and RP_APP_WORKSTATION_ENABLED are enabled on the web RP app once configuration is complete.

Once you have completed the steps above, in the HYPR Control Center™, select your integration in Integrations and click Enable.

Additional Configuration

Enabling Windows FIDO2 Security Key Login

This step configures Windows to enable FIDO2 security key login via a registry key.

Current State

You should be signed in to your Entra ID tenant with your account. Prior to this change, you'll only see the password tile and Windows Hello tile on the Windows login screen. As part of this step, we will enable a third, security key tile to be added to this selection, which will be used for the HYPR Enterprise Passkey login.

1. Access Registry Editor

   • Open Registry Editor as Administrator
   • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
   • In this folder, create a new folder called "FIDO" and navigate to it.

2. Create Registry Key

   • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FIDO, right-click in the right pane
   • Select New > DWORD (32-bit) Value
   • Name: EnableFIDODeviceLogon
   • Set value to 1

3. Alternative: Command Line Method

   • Open Command Prompt as Administrator
   • Run: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f

4. Restart Computer

   • Restart the Windows machine to apply the registry changes
   • After restart, you should see the FIDO2 Security Key tile at the login screen

Installing HYPR Passwordless for Windows™

This step installs HYPR Passwordless for Windows™ on your Windows machine that has been joined to your Entra ID domain.

Prerequisites

You should have previously joined your Windows machine to your Entra ID domain, configured your HYPR Control Center™ tenant, and installed the HYPR Mobile App on your mobile device. On your workstation, you should be signed in as a regular user on your Entra domain.

1. Download HYPR Passwordless for Windows™

   • Log in to HYPR Control Center™ (in standard mode)

   • Navigate to Workstation > Desktop Clients

   • Click Download for Windows

   • Download the zip file containing both the MSI installer and hypr.json configuration file

     

Installation Files

Make sure that you only install HYPR using the downloaded files from this particular page. Using any other installation JSON file may break your setup, as your HYPR installation may ingest incorrect client and tenant IDs for your Entra ID application, among others.

2. Prepare Installation

   • Unzip the downloaded installation folder
   • Ensure both of the unzipped files (the MSI file and hypr.json) are in the same directory
   • Verify that the MSI file is at least version 10.5.0 (10.5.2 or later recommended)
   • The hypr.json file contains all the configuration needed to deploy to your specific tenant

3. Install HYPR Passwordless for Windows™

   • Right-click the MSI installer
   • Select Install (requires administrator privileges)
   • Accept the terms and conditions
   • Enter local administrator credentials when prompted
   • Complete the installation

4. Restart and Verify Installation

   • After installation, restart the computer

   • At the Windows login screen, you should now see:

     • Password tile (existing)
     • Windows Hello tile (existing)
     • FIDO2 Security Key tile (new)
     • HYPR credential provider (new)
     

5. Test User Experience

   • Users can now scan the QR code with the HYPR Mobile App to log in

   • The Start Pairing button allows new users to register their devices

   • You can create a new HYPR registration from within the HYPR Mobile App by clicking Start Pairing and scanning the QR code with your phone

     

HYPR Passwordless for Windows™

After pairing, HYPR Passwordless for Windows™ enables passwordless login to Windows workstations using the HYPR Mobile App as a security key. This completes the HYPR passwordless setup.

See Also

• User Experience
• Troubleshooting

For more information about HYPR Passwordless for Windows™ functionality, see:

• HYPR Passwordless and the HYPR Mobile App
• Accessing Remote Desktop
• Allowing Passwordless Run As