Version: 10.5.0

Environment Setup Overview

Choose the environment setup that matches your domain and device architecture. This page explains the two supported environment types for deploying Enterprise Passkey (EPK) with HYPR Passkey.

Important: Core EPK Setup is the Same

The core Enterprise Passkey setup process is identical for both Entra-only and Hybrid environments. Both require:

  • Microsoft Entra ID tenant with verified domains and users
  • HYPR Control Center™ integration with Entra (app registration, API permissions)
  • Required feature flags enabled (e.g., FIDO2_MOBILE_AUTHENTICATOR, AZURE_PROVISION_API)
  • FIDO2/EPK authentication enabled in Entra
  • Device and user registration via HYPR mobile app

The only difference is how Windows workstations are joined to your domain:

Entra-only Environment

Use this path for cloud-first environments with Windows devices joined directly to Microsoft Entra ID (formerly Azure AD), without on-premises Active Directory or PKI dependencies.

  • Device Join Type: Azure AD Join (direct to Entra)
  • User Account Type: Cloud-only Entra accounts
  • Device Join Process: Join directly to Entra via Settings > Accounts > Access work or school
  • Infrastructure: No on-prem AD, PKI or Kerberos requirements
  • Best for: Simpler deployments and cloud-managed fleets

Go to Entra-only Administrator Setup →

Hybrid Environment

Use this path for environments that include on-premises Active Directory, where devices are hybrid-joined to Entra ID and require certificate/Kerberos support.

  • Device Join Type: Hybrid Azure AD Join (on-prem AD + Entra via Azure AD Connect)
  • User Account Type: Hybrid accounts (synced from AD) or cloud-only accounts
  • Device Join Process: Join to on-prem AD first, then configure Hybrid Azure AD Join via Azure AD Connect
  • Infrastructure: On-prem AD with Azure AD Connect; Kerberos and certificate considerations
  • Best for: Enterprises integrating existing AD with Entra

Go to Hybrid Administrator Setup →

Setup Order

For Entra-only: Complete the device join to Entra, then proceed with the common EPK/HYPR integration steps.

For Hybrid: Complete the hybrid join process first (Azure AD Connect setup, hybrid join configuration, device domain-join), then proceed with the common EPK/HYPR integration steps.
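To confirm that a workstation's join state matches the chosen path before starting the common steps, the following added example (not part of the HYPR documentation or product) classifies the output of the Windows `dsregcmd /status` tool. The function name `Get-EpkJoinPath` is hypothetical, the `AzureAdJoined` and `DomainJoined` fields come from `dsregcmd` rather than from this page, and the sample output is constructed.

```powershell
# Added example, not HYPR code. Get-EpkJoinPath is a hypothetical helper name.
function Get-EpkJoinPath {
    param(
        # Output lines of `dsregcmd /status`; by default the tool is run locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )
    $flags = @{}
    foreach ($line in $StatusLines) {
        # Device State lines look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # Fail loudly instead of guessing when the expected fields are missing.
    foreach ($name in 'AzureAdJoined', 'DomainJoined') {
        if (-not $flags.ContainsKey($name)) {
            throw "Field '$name' not found in dsregcmd output."
        }
    }
    $entra  = $flags['AzureAdJoined']
    $onPrem = $flags['DomainJoined']
    if ($entra -and $onPrem) {
        $join = 'Hybrid joined';          $setup = 'Hybrid'
    } elseif ($entra) {
        $join = 'Entra joined';           $setup = 'Entra-only'
    } elseif ($onPrem) {
        # Joined to on-prem AD, but the hybrid join to Entra has not completed.
        $join = 'On-prem AD joined only'; $setup = 'Hybrid (join not complete)'
    } else {
        $join = 'Not joined';             $setup = 'None (join the device first)'
    }
    [pscustomobject]@{ JoinState = $join; SetupPath = $setup }
}

# Constructed sample of the Device State block, so the example runs on any host.
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES'
)
Get-EpkJoinPath -StatusLines $sample

# On a real workstation, call it without arguments: Get-EpkJoinPath
```

A result of "Hybrid (join not complete)" or "None (join the device first)" means the device join step above is unfinished and should be completed before the EPK/HYPR integration steps.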

What to do next

After completing your environment-specific device join setup, continue with the Administrator Configuration for the common HYPR Control Center™ integration and EPK setup steps.

Proceed to Administrator Configuration →