Mobile EPCS with Epic Haiku and Canto

System Requirements

  • The latest version of the Imprivata ID mobile app on the Apple App Store or Google Play

  • Imprivata G4 appliance

  • Connection from Imprivata appliance to Imprivata Cloud Platform

  • Enterprise Access Management for EPCS and Mobile EPCS licenses

  • The latest version of Epic Haiku or Canto mobile app

Mobile EPCS

Minimum Supported Versions (for customers who purchased Mobile EPCS on or before April 1, 2025)

  • Imprivata Confirm ID ID 24.1 or later

  • Epic May 2024 and later.

  • Epic Special Update Versions

    • February 2024 with SU E10804032

    • November 2023 with SU E10708512

    • August 2023 with SU E10611502

Minimum Supported Versions (for customers who purchased Mobile EPCS after April 1, 2025)

  • Imprivata Enterprise Access Management 25.1 or later (ImprivataCloud Platform tenant is required for Mobile EPCS with 25.1)

  • Epic May 2024 and later.

  • Epic Special Update Versions

    • February 2024 with SU E10804032

    • November 2023 with SU E10708512

    • August 2023 with SU E10611502

Restrictions

  • Face recognition is available only for institutionally identity proofed providers; individually identity proofed providers (DigiCert identity proofing) can use a hard token and password on both iOS and Android.

  • In Active Directory, both First Name and Last Name fields are required before syncing users with Enterprise Access Management.

Geographic Availability

Mobile EPCS is available in all US states.

Configure Integration To Support EPCS

Imprivata Enterprise Access Management (formerly Imprivata Confirm ID) supports two-factor authentication for mobile EPCS with Epic Haiku and Canto. Before configuring mobile EPCS, configure the Enterprise Access Management integration with Epic Haiku and Canto. See Integrate Your EMR Application.

CAUTION:

If Epic Haiku and Canto has previously been added as an app, it must be removed and re-added to properly configure the username format. After you have removed the integration, re-add the integration with the proper username format as described here.

  1. In the Imprivata Admin Console, go to Applications > EPCS and clinical workflows integrations.

  2. On the EPCS and clinical workflows integrations page, go to the Applications section and click Add an application.

  3. Select Epic Haiku and Canto.

  4. Select the username format used by Epic Haiku and Canto.

    The Epic username format can be found in the Login domain field in Epic (EMP item 49).

    The option for NetBIOS format usernames (for example, domain\user) is only available with Imprivata Confirm ID 24.1 and later.

    With earlier versions, email format usernames is the default. Confirm you are using the proper format.

  5. If the Imprivata signed certificate for the enterprise is already installed, click OK.

    If the Imprivata signed certificate for the enterprise is not installed, browse to locate the IMPCVF file.

  6. Click OK.

  7. Your EMR application is listed with the expiration date of the certificate. You can update or remove the certificate directly on this page.

    NOTE:

    NOTE: To complete this activation, the Imprivata appliance must have access to the Internet via HTTPS, and the connection to the Imprivata cloud must be completed. See Set Up Enterprise.

    After you have configured the Epic Haiku and Canto integration, then in the Imprivata Admin Console, on the EPCS and clinical workflows integrations page, the row for Epic Haiku and Canto lists the Imprivata Integration URL, the Imprivata cloud unique Tenant ID for your enterprise, and a SAML Issuer URL.

Configure Workflow Policy For Mobile EPCS

Any users already enabled for EPCS are now enabled for Mobile EPCS with Epic Haiku and Canto.

Configure Mobile EPCS authentication methods:

  1. In the Imprivata Admin Console, go to UsersWorkflow Policy.

  2. On the Workflow policy page > EPCS Workflows section, select mobile authentication methods.

  3. In the EPCS workflows section, go to Associate user policies and confirm the user policies associated with this workflow.

  4. Click Save.

Epic Configuration

Create a new Authentication Device (E0G) record in Chronicles:

  1. On the General Settings screen, set Platforms to Mobile.

  2. On the Mobile Settings screen, set Mobile auth type to SAML.

  3. On the SAML Auth Settings screen, set the following values:

    • Web Form Base URL: https://confirmidauth.cloud.imprivata.com/SAML2/SSO/Redirect

    • External App Base URL: https://confirmidauth.cloud.imprivata.com/iid

    • Organization ID: This can be found on the Imprivata Admin Console > EPCS and clinical workflows integrations page > Epic Haiku and Canto row > Tenant ID

    • External App iOS App Store URL: https://apps.apple.com/us/app/imprivata-id/id991327711

  4. On the Web Device Settings screen, set the following values:

    • Token Type: SAML 2

    • SAML Issuer: This can be found in the Imprivata Admin Console > EPCS and clinical workflows integrations page > Epic Haiku and Canto row > SAML Issuer URL

    • SAML Key File: This is the path (in UNIX format) to the certificate file downloaded for Epic Haiku and Canto from the Imprivata Admin Console > EPCS and clinical workflows integrations page.

Specify that Imprivata performs Two Factor Authentication in Hyperspace

  1. Depending on your platform, there's two different paths:

    • Hyperdrive — Open the Authentication Administration activity, select the active configuration, and open the Authentication Device Factor Administration tab.

    • Classic Client — Open the Login Device Factor Administration activity.

  2. Enter the Authentication Device (E0G) record you created for Imprivata in the left column and the number 2 in the right column.

Configure the Authentication Workflow in Hyperspace

  1. Open the Authentication Administration activity and select the active configuration.

  2. Open the tab for the level in the facility hierarchy to which you want to apply the new device record (most likely the System level).

  3. Select or add workflow context Mobile E-Prescribing Controlled Medications - First Context [5141] in the left-hand table.

  4. Enter the Authentication Device (E0G) record you created for Imprivata as the Primary Device in the top-right table.

Verify User Build in Hyperspace

  1. Make sure that all users which need access to mobile EPCS have their username from your directory system entered in the System Login field (EMP item 45). This should typically be the SAM Account Name. Support for use of User Principal Name is supported as of Epic version August 2024.

  2. If the System Login field contains the SAM Account Name, the Login Domain field (EMP item 49) must be set to your organization's domain name. This might be set in individual user records or applied using linkable templates. Typically, the Login Domain is expected to be the NetBIOS domain name, but it can also be set to the organization's full domain name, for example, including ".COM", ".ORG", ".EDU", and so on, if needed. This should be the same domain name that Imprivata uses, which can be found in the Imprivata Admin Console.

Optional — Face Authentication

Requirements

  • Face recognition authentication requires an Authentication Management license and a Remote Access license.

  • Users in a policy enabled for facial biometric must be synced from Active Directory (AD) to Entra ID.

  • The endpoint computers can be AD-only, as well as the Entra ID configurations described here.

  • Users must be synced from AD to Entra ID with Entra Connect or maintained in Entra ID only.

  • Each user in scope for the Face recognition workflow must exist within Entra ID, and each user must also be allocated a Microsoft Entra ID license P1 or higher.

  • Internet access is required for face recognition authentication. If the endpoint cannot connect with your Imprivata Cloud Platform, an error message will appear during authentication. The connection between the endpoint and your Imprivata appliance is not required.

  • A 1080p camera must be installed and enabled at the endpoint computer. Modern cameras capable of handling Zoom video conferencing are sufficient.

Configure the Connection to the Imprivata Cloud Platform

Enabling Face recognition requires a connection to the Imprivata Cloud Platform. You need the following to complete the configuration:

  • Access to the Imprivata Appliance Console.

  • Access to the Imprivata Admin Console.

  • Optional — a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).

NOTE:

If you have already configured a connection to the Imprivata Cloud Platform, you can skip this step.

Before you begin:

  • Determine if a connection to the Imprivata Cloud Platform has already been configured by logging into the Imprivata Admin Console. The status of the connection is available in the Status panel on the right-hand side. A green check mark for Access Management integration indicates a connection has been configured.

  • If you need to configure the connection, contact Imprivata Services. Imprivata Services will create an Imprivata Cloud Platform tenant for your enterprise, and send a Welcome email with a link to the Imprivata Access Management setup. Click the link in the email and follow the setup to configure the connection.

Complete the following steps to use the Imprivata Access Management setup to configure the connection. To complete the configuration, you need the following:

  • Access to the Imprivata Appliance Console.

  • Access to the Imprivata Admin Console.

  • Optional — a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).

Add the Required Hosts to Your Firewall Allowlist

Ensure that your firewall policy is configured to allow communication between the Imprivata appliances and the production Imprivata Cloud Platform.

Add the following hosts to your firewall allowlist:

  • <tenantID>.sys.imprivata.com

  • astra.sys.imprivata.com

  • <tenantID>.access.imprivata.com

  • access.imprivata.com

  • metadata.app.imprivata.com

  • file-access.app.imprivata.com

  • idp.app.imprivata.com

Consider the following:

  • For non-US regions, replace the .com with the appropriate domain suffix for your region, for example, *.sys.imprivata.eu.

  • You can locate your Imprivata Cloud Platform tenant ID by clicking the link to the Imprivata Access Management setup in the welcome email. The tenant ID appears in the URL. For example:

Start the Imprivata Cloud Connect Service

By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.

To start the service:

  1. In the Imprivata Appliance Console, go to System > Operations.

  2. Locate Imprivata Cloud Connect, and click Stop/restart options.

  3. Select Restart Imprivata Cloud Connect on all appliances, and click Go.

Copy your Enterprise Integration ID

Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Cloud Tenant Setup wizard to create an integration token.

To copy your integration ID:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

    NOTE:

    A status message of Unable to verify integration. Unable to connect to Imprivata Access Management is expected.

  2. Copy the enterprise integration ID to your clipboard.

  3. Do not log out. You finish configuring the connection here after using the Imprivata Cloud Tenant Setup wizard to create the integration token.

NOTE:

For more information on starting the Imprivata Cloud Connect service, see Stop and Restart This Connection.

Create the Integration Token

Using the Imprivata Access Management setup, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.

To create the integration token:

  1. Open the Imprivata Access Management setup.

  2. If you have not already, agree to the Cloud Features Agreement and enter information about your organization.

  3. Go to the Connect to Enterprise Access Management screen, and paste the integration ID into Enterprise integration ID.

  4. Click Create integration token and copy it.

  5. Return to the Imprivata Admin Console to finish configuring the connection.

Complete the Connection

Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.

To finish the configuration:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

  2. Paste the integration token, and click Integrate.

  3. Select Administrator console single sign-on using SAML.

    This setting is required to enable SSO access to your administrator consoles in the Imprivata Access Management portal.

If you have previously configured an identity provider (IdP) for access to the Imprivata Access Management portal (access.imprivata.com), you can create an integration token from the Imprivata Access Management portal instead of having to use the Imprivata Cloud Platform Tenant setup. To complete the configuration, you need the following:

  • Access to the Imprivata Admin Console.

  • Access to the Imprivata Access Management portal.

Start the Imprivata Cloud Connect Service

By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.

To start the service:

  1. In the Imprivata Appliance Console, go to System > Operations.

  2. Locate Imprivata Cloud Connect, and click Stop/restart options.

  3. Select Restart Imprivata Cloud Connect on all appliances, and click Go.

Copy your Enterprise Integration ID

Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Access Managemnt portal to create an integration token.

To copy your integration ID:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

    NOTE:

    A status message of Unable to verify integration. Unable to connect to Imprivata Access Management is expected.

  2. Copy the enterprise integration ID to your clipboard.

  3. Do not log out. You finish configuring the connection here after using the Imprivata Access Managemnt portal to create the integration token.

Create the Integration Token

Using the Imprivata Access Management portal, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.

To create the integration token:

  1. Log into the Imprivata Access Management portal.

  2. Click the gear icon. Navigate to Integrations.

  3. Under Enterprise Access Management integration, paste the integration ID into Enterprise integration ID.

  4. Click Create integration token and copy it.

  5. Return to the Imprivata Admin Console to finish configuring the connection.

Complete the Connection

Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.

To finish the configuration:

  1. In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.

  2. Paste the integration token, and click Integrate.

  3. Select Administrator console single sign-on using SAML.

    This setting is required to enable SSO access to your administrator consoles in the Imprivata Access Management portal.

Configure an IdP to authenticate users to the Imprivata Access Management Portal

Configuring an IdP is required to authenticate administrators to the Imprivata Access Management portal. You need access to the Imprivata Access Management portal to synchronize your Entra ID users with the Imprivata Cloud Platform.

NOTE:

If you have already configured access to the Imprivata Access Management Console, you can skip this step.

You can configure:

  • Imprivata to function as an internal IdP.

    • Doing so creates a tenant-specific identity directory with a local administrator, which provides quick access to the Imprivata Access Management portal without the need for an external IdP.

    • After configuring Imprivata as the IdP, you can configure an external IdP at any time.

  • Any external third-party IdP. For example, Microsoft Entra ID.

    • Configuring an external IdP lets you use your organization’s existing identity infrastructure to authenticate administrators.

    • Configuring Entra ID as an IdP has the added benefit of letting your non-administrative users enroll their face as an authenticator using My Imprivata Identity from any device. Unlike other enrollment methods, My Imprivata Identity does not require access to an endpoint where the Imprivata agent is installed. For more information, see Enroll Facial Biometrics.

To configure Imprivata Directory:

  1. Open the Imprivata Access Management setup.

  2. Agree to the Cloud Features Agreement and enter information about your organization.

  3. Skip to the Imprivata Identity Provider Connect screen.

  4. Enter a domain for the Imprivata Directory.

    NOTE:

    The domain name must be unique and cannot be reused across multiple tenants.

  5. Enter a username and password for the initial administrator, and note the complete Imprivata username, which includes the Imprivata Directory domain

    You require the complete username to log in to the Imprivata Access Management portal.

  6. Skip to the You're ready to go screen, and click the link to log in to the Imprivata Access Management portal.

You can configure Entra ID as an IdP to authenticate users to the Imprivata Access Management portal. You require access to the following to complete the configuration:

  • The Imprivata Access Management setup.

  • The Microsoft Entra Admin center.

Save the Imprivata Service Provider Metadata

Use the Imprivata Access Management setup to create the Imprivata SP metadata file. You require this file when configuring the Entra ID enterprise application.

To create the metadata file:

  1. Open the Imprivata Access Management setup.

  2. Agree to the Cloud Features Agreement and enter information about your organization.

  3. Skip to the Identity Provider Connect screen.

  4. Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.

Do not close the setup. You finish configuring the connection here after you configure the enterprise application.

Configure the Entra ID App

An Entra ID enterprise application is required to allow SAML-based SSO to the Imprivata Access Management portal.

To configure the enterprise application:

  1. From the Azure portal, go to Microsoft Entra ID.

  2. Click Manage > Enterprise Applications > New application.

  3. Click Create your own application.

  4. Enter a name for the application, select Integrate any other application you don't find in the gallery, and then click Create.

  5. From the Overview page, click Assign users and groups, and then add the Imprivata admin user group.

  6. Go to the Overview page, click Set up single sign-on, and then select SAML.

  7. Click Upload metadata file, and upload the Imprivata SP metadata file you created previously.

  8. Under Basic SAML Configuration, click Edit, and enter the following Sign on URL: https://access.imprivata.com.

  9. Save the settings.

Copy and Save Entra App Values

Copy and save required federation and group attribute values from the enterprise application. You will use these values to complete the SAML configuration and specify the Imprivata admin group.

To locate the required values:

  1. Go to SAML certificates, and copy the App Federation Metadata URL.

  2. Under Attributes & Claims, click Edit, and copy the claim name for the user groups value.

    Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

    NOTE:

    If the user group claim does not exist, create it. When creating it, select Groups assigned to the application and use Group ID as the source attribute.

  3. Return to the Microsoft Entra ID Overview page.

  4. Click Manage > Groups >All groups.

  5. Locate the admin group and copy its object ID.

Return to the Imprivata Access Management setup to finish the configuration.

Use the Entra App Values to Finish the Configuration

With the federation and group attribute values you had previously saved, use the Imprivata Access Management setup to finish the SAML configuration and specify the Imprivata admin group.

To finish the configuration:

  1. Open the Imprivata Access Management setup, and return to the Identity Provider Connect screen.

  2. Enter your organization's domain and a user-friendly display name.

  3. Enter the SAML IdP metadata URL from the enterprise application, and click Continue.

  4. Enter the user group claim name in to SAML attribute name.

  5. Enter the object ID of the admin group in to SAML attribute value, and click Continue.

    If you are specifying multiple admin groups, the object IDs must be comma-separated.

  6. Click access.imprivata.com to log in to the Imprivata Access Management portal.

NOTE:

Specifying a metadata URL allows for easier maintenance. The system automatically polls the URL at regular intervals.

This ensures that your IdP configuration stays up to date with the latest metadata, such as certificate changes.

If you upload a metadata file instead, the system does not update it automatically. From the Imprivata Access Management portal, you must edit the configuration to replace the file manually or switch to a URL.

The following are generic steps to configure any external third-party IdP to authenticate users to the Imprivata Access Management portal. For example, these steps apply to Ping Identity and Okta.

To configure your IdP:

  1. Open the Imprivata Cloud Tenant Setup wizard.

  2. If you have not already, agree to the Cloud Features Agreement and enter information about your organization.

  3. Go to the Identity Provider Connect screen.

  4. Copy the Imprivata SP metadata URL and provide it to your IdP. When configuring the IdP's application:

    • Specify https://access.imprivata.com for the single sign-on URL.

    • Recommended: configure email address as the NameID format for user identity.

    • Recommended: configure Group ID (rather than group name) as the source attribute for group claims.

  5. Enter the SAML IdP metadata URL, and click Continue.

  6. Enter the SAML name/value pair that identifies users with administrative access, and click Continue.

  7. Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.

Configure Entra ID and sync your users with the Imprivata Cloud Platform

Additional Entra ID configuration is required to enable Face recognition.

After configuring Entra ID and syncing users with the Imprivata Cloud Platform, verify that the users exist in the Imprivata Access Management portal (access.imprivata.com). Complete the following steps.

To add the trusted Imprivata IP addresses:

  1. From the Azure portal, go to Microsoft Entra ID, and select > Manage > Security > Manage > Named locations.

  2. Click IP ranges location.

  3. Enter a name for the new location, and then select Mark as trusted location.

  4. Add the following IP addresses:

    • 44.207.16.175/32

    • 44.196.189.191/32

    • 34.195.47.118/32

  5. Click Add, and then Create.

If per-user multifactor authentication is enabled for users, adding the trusted Imprivata IP addressees to the list of MFA trusted IPs is required.

To add the IP addresses:

  1. From the Microsoft Azure Portal, go to Microsoft Entra ID > Manage > Users, and click Per-user MFA.

  2. Select the Service Settings tab.

  3. Add the following IP addresses to Skip multifactor authentication for requests from following range of IP address subnets:

    • 44.207.16.175/32

    • 44.196.189.191/32

    • 34.195.47.118/32

  4. Click Save.

By default, Microsoft Entra Connect Sync pass-through authentication or Password Hash Sync (PHS) is supported.

If your Entra ID environment is federated with a third-party IdP, however, PHS is required.

To verify if PHS is enabled:

  1. From the Microsoft Azure Portal, go to Microsoft Entra ID > Manage > Microsoft Entra Connect.

  2. Click Connect Sync.

  3. Under Microsoft Entra Connect sync, verify that Password Hash Sync is enabled.

  4. If it is not enabled, configure Password Hash Synchronization from the server where the Microsoft Entra Connect Sync Agent is installed.

Configure Imprivata Enterprise Access Management as a directory. Doing so, provides full user sync capabilities.

Syncing your users requires one of the following:

  • Entra ID Global Administrator rights

  • Privileged Role Administrator rights

To sync Entra ID users:

  1. Log into the Imprivata Access Management portal (access.imprivata.com).

  2. Click the gear icon > Users > Entra ID users.

  3. Click Add an Entra ID directory now.

  4. Enter your Entra ID Tenant ID, and click Continue to Microsoft Authentication.

  5. Using an Entra ID Global Administrator account, or another account with privileges to grant admin consent for application permissions, log in to Entra ID.

  6. When prompted, review the required permissions, and click Accept.

  7. Click Specify groups now. Enter one or more groups names, and click OK.

  8. Click Update now to sync users.

NOTE:

After a user has enrolled their face, you can return to this page to remove the enrollment, if necessary. Click the overflow menu next to their name, and then Remove.

If your Entra ID environment is federated with a third-party IdP, this step is required.

The Imprivata Cloud Platform must be able to validate user passwords when entered. In a federated environment, Imprivata needs to avoid these calls from being redirected to the federated identity provider (IdP). You must change the home realm discovery policy for authentication from the Imprivata Cloud to your Entra ID tenant only. This only applies to authentication calls made by the Imprivata Access Management Sync.

To create and apply the Home Realm Discovery policy:

  1. Log in to Microsoft Graph Explorer.

    To make it more secure, log in as the Global Administrator.

  2. Consent to the Microsoft Graph explorer application in your tenant.

    For more information, see the Microsoft Graph API documentation.

  3. Create a home realm discovery policy by making the following HTTP request:

    POST - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies

    Request body

    In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object:

    Copy 
    {
            "displayName": "yourPolicyName",
            "definition": [
            "{\"HomeRealmDiscoveryPolicy\": 
            {\"AllowCloudPasswordValidation\":true, } }"
            ],
            "isOrganizationDefault": false
    }

    Response

    If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.

    Example Response
    Copy 
    {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
            "value": [
            {
                "id": "239cbead-1111-654a-9f50-1467d691aaa",
                "deletedDateTime": null,
                "definition": [
                "{\"HomeRealmDiscoveryPolicy\" : { \"AllowCloudPasswordValidation\":true, } }"
                ],
                "displayName": "Exclude Federated Authentication ",
                "isOrganizationDefault": false
            }
        ]
    }

  4. Assign the home realm discovery policy to the Imprivata Access Management Sync application by making the following HTTP request:

    POST - https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Access Management Sync application object id>/homeRealmDiscoveryPolicies/$ref

    Request body

    In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned.

    Copy 
    {
        "@odata.id":"https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
    }
    Response

    If successful, this method returns a 204 No Content response code.

  5. Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:

    GET - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo

    Response
    Copy 
    {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
            "value": [
            {
            "@odata.type": "#microsoft.graph.servicePrincipal",
            "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",

    ...

 

You must exclude the Imprivata Access Management Sync application from all conditional access policies that would require MFA for Imprivata users.

NOTE:

Microsoft-managed policies don't allow you to exclude specific cloud apps. If you have a Microsoft-managed policy that requires MFA, recreate it so you can exclude the Imprivata Access Management Sync app, and then turn off the Microsoft-managed policy.

To update a conditional access policy:

  1. From the Microsoft Azure Portal, go to Microsoft Entra ID, select Manage > SecurityProtect > Conditional Access > Policies.

  2. Click the policy that applies to your Imprivata users.

  3. Under Target resources, click All resources (formerly All Cloud apps).

  4. Click Exclude, and then toggle Select resources.

  5. Under Select specific resources, click None or any of the listed applications.

  6. Search for Imprivata Access Management Sync, select it, and click Select.

  7. Save the policy.

  8. Repeat for all conditional access policies that would require MFA for Imprivata users.

Biometric Consent

In alignment with applicable law, Imprivata's facial recognition service requires users to provide their state or country of residence prior to using their face as an authenticator. As applicable by the location of their residence, they agree to one or more of the following:

  • Imprivata-provided biometric data terms and conditions.

  • In addition to the Imprivata-provided terms and conditions, your organization can provide its own notice and legal consent content for biometric use.

IMPORTANT:

Always consult your legal counsel before adding your own notice and legal consent content for biometric use at your organization.

To provide your own notice and/or legal consent content:

  1. Log in to the Imprivata Access Management console (access.imprivata.com).

  2. Click the gear icon > Customize.

  3. Based on your organization's requirements, upload a biometric consent document and/or a biometric notice document.

  4. If you uploaded a biometric consent document, select one or more locations where the consent is legally required.

  5. Click Save.

Face Enrollment

  1. From the Imprivata agent system tray, go to User Options and click Enroll Authentication Methods.

  2. Authenticate with username and password and click Enroll your face to begin the enrollment.

Enroll from Any Device

Users can access My Imprivata Identity from access.imprivata.com on any device.

Access to My Imprivata Identity requires that you configure Imprivata Access Management to use Entra ID as an IdP.

  1. The user authenticates to Imprivata Access Management from access.imprivata.com.

  2. They click their profile icon in the upper-right corner to open the user menu, and click My Imprivata Identity.

  3. From My Imprivata Identity, they click Add an authenticator > Face authentication.

BEST PRACTICE:

Imprivata Enterprise Access Management can authenticate users who are wearing masks. However, for best results, users should enroll their facial biometric without a mask on.

NOTE:

A user can delete their enrollment from the Imprivata agent in the system tray. Under User Options, they can click Enroll Authentication Methods > Face enrolled > Remove. An Imprivata Enterprise Access Management administrator can also remove the enrollment from the Users page (Users > Users) in the Imprivata Admin Console.