Facial Biometric Authentication
Imprivata Enterprise Access Management supports Facial Biometric authentication for Desktop Access on Type 1 Imprivata agent endpoints.
Requirements
- The Imprivata Cloud Connect service from your Imprivata appliance to your tenant on the Imprivata Cloud Platform must be up and running.
- Users in a user policy enabled for facial biometric authentication must be synced from Active Directory (AD) to Entra ID.
- Endpoint computers can be either AD-only or hybrid joined (AD and Entra ID).
- Entra ID-only users and devices are not supported at this time.
- Entra ID must be synced from AD with Microsoft Entra Connect.
- Users must already have their username and password enrolled with Imprivata Enterprise Access Management SSO, and they must have authenticated with that username and password against the Imprivata appliance at least once, for example by logging into their desktop or into the Enterprise Access Management enrollment utility.
- Internet access is required for facial biometric authentication. If the endpoint cannot reach your Imprivata Cloud Platform tenant, an error message appears during authentication. A connection between the endpoint and your Imprivata appliance is not required for this authentication.
- A 1080p camera must be installed and enabled at the endpoint computer. Modern cameras capable of handling Zoom video conferencing are sufficient.
Before You Begin
Facial Biometric authentication requires:
- Upgrading your enterprise to Imprivata Enterprise Access Management 25.1.
- Installing a custom Enterprise Access Management IPM to enable this feature.
- Installing a custom agent on Type 1 Imprivata agent endpoints only, then syncing the agents with the Imprivata appliance.
You can find these downloads at the Imprivata Customer Experience Center.
Your enterprise also requires an Authentication Management license and a Confirm ID for Remote Access license.
Add Imprivata Cloud IP addresses to Entra ID
- Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
- Select IP ranges location.
- Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.
- Add the following IP addresses:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.
Marking the location as trusted means Entra ID treats sign-ins from these addresses as coming from a trusted network, which affects every Conditional Access policy and sign-in risk evaluation that relies on trusted locations. Keep the list limited to these host (/32) addresses, and remove any address that Imprivata retires.
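The same named location can be created and audited through Microsoft Graph instead of the portal. The following is an added example (not Imprivata's or Microsoft's code) that builds the ipNamedLocation request body, refuses ranges that should never be marked trusted (anything wider than a single host, or private/reserved space), and reconciles an existing location against the published list so that drift is visible. The existing-location object and its id are constructed sample data; the address list is the one on this page and must be checked against Imprivata's current list before use.

```python
import ipaddress

# Addresses listed on this page for the Imprivata Cloud Platform. Verify them against
# the current list published by Imprivata before trusting them in a production tenant.
IMPRIVATA_CLOUD_CIDRS = [
    "44.207.16.175/32",
    "44.196.189.191/32",
    "34.195.47.118/32",
]

GRAPH_NAMED_LOCATIONS = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
)


def validate_cidrs(cidrs):
    """Return the ranges in canonical form, refusing anything that should never be a
    trusted location: malformed input, IPv6, ranges wider than one host, or
    private/reserved space."""
    out = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        if net.version != 4:
            raise ValueError(f"{cidr}: expected an IPv4 range")
        if net.prefixlen != 32:
            raise ValueError(f"{cidr}: Imprivata publishes single hosts; refusing a wider range")
        if not net.network_address.is_global:
            raise ValueError(f"{cidr}: private or reserved space must not be a trusted location")
        out.append(str(net))
    return out


def _ip_ranges(cidrs):
    return [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in validate_cidrs(cidrs)]


def build_named_location(display_name, cidrs, trusted=True):
    """Request body for POST to GRAPH_NAMED_LOCATIONS: an ipNamedLocation carrying the
    same 'Mark as trusted location' flag the portal step sets."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": _ip_ranges(cidrs),
    }


def reconcile(existing_location, required_cidrs):
    """Compare an ipNamedLocation object (as returned by GET .../namedLocations/{id})
    with the required list. Returns (missing, stale): ranges still to be added, and
    ranges trusted in the tenant that are no longer on the published list."""
    present = {r["cidrAddress"] for r in existing_location.get("ipRanges", [])}
    required = set(validate_cidrs(required_cidrs))
    return sorted(required - present), sorted(present - required)


def reconcile_patch(existing_location, required_cidrs):
    """PATCH body that replaces the location's ranges with exactly the required ones,
    keeping the trusted flag as it currently is in the tenant."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "isTrusted": existing_location.get("isTrusted", True),
        "ipRanges": _ip_ranges(required_cidrs),
    }


# Constructed example of a location that has drifted: one published address is
# missing and a stale address is still trusted. The id is a placeholder.
EXAMPLE_EXISTING_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "Imprivata Cloud",
    "isTrusted": True,
    "ipRanges": [
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "44.207.16.175/32"},
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "44.196.189.191/32"},
        {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.7/32"},
    ],
}

if __name__ == "__main__":
    missing, stale = reconcile(EXAMPLE_EXISTING_LOCATION, IMPRIVATA_CLOUD_CIDRS)
    print("missing:", missing)  # ['34.195.47.118/32']
    print("stale:", stale)      # ['203.0.113.7/32']
```

The validation is deliberately stricter than Graph itself: Entra ID will happily accept a /24 or an RFC 1918 range as a trusted location, and either would widen the set of sources that are exempted from the MFA policies configured below.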
Optional — Add Imprivata to Trusted Per-user MFA
If you use per-user multifactor authentication, add the Imprivata Cloud Platform addresses to the per-user MFA trusted IPs:
- Go to Entra ID Overview > Manage > Users, and select Per-user multifactor authentication.
- Select the Service settings tab.
- In the Trusted IPs field, add the same IP addresses you used for the named location above:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.
Create an Admin Group
The Imprivata Control Center will ask you for a group to which it assigns administrator access. Create an Entra ID group containing the users who should have administrative access to the Imprivata Cloud Platform.
Enable Password Hash Sync
- Go to Entra ID Overview > Manage > Microsoft Entra Connect.
- Select Connect Sync, and verify that Password Hash Sync is enabled.
If it is not, configure Password Hash Synchronization in the Microsoft Entra Connect Sync agent. Password hash synchronization is required because the Imprivata Cloud Platform validates users' passwords against Entra ID rather than against your on-premises domain controllers or federated identity provider.
Cloud Tenant Setup
Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection:
- Click Get Started, then Continue. At the Connect Entra ID step, copy the Tenant ID from your Entra ID portal.
- Enter the Tenant ID in the wizard, and click Continue to Entra ID Authentication.
- You are redirected to a Microsoft login. Log in as a user with the Global Administrator or Privileged Role Administrator role.
- You are prompted to authorize Imprivata's verified application with the following permissions:
  - Read all groups
  - Read all users' full profiles
  - Read all group memberships
  - Sign in and read user profile
- Review the requested permissions, then click Accept to grant Imprivata Cloud access to the Entra ID tenant.
These are read-only directory permissions: the application can read users, groups and group memberships, but not modify them. If the consent screen asks for anything beyond this list, stop and confirm with Imprivata before accepting.
Optional — Include Home Realm Discovery Policy
This step is needed if you are using federated authentication. The Imprivata Cloud Platform must be able to validate a user's password when it is typed in. In a federated environment, Imprivata needs to prevent these calls from being redirected to the federated identity provider (IdP). You do this with a home realm discovery policy that sets AllowCloudPasswordValidation, so that authentication calls from the Imprivata Cloud are validated against your Entra ID tenant only (this is why Password Hash Sync must be enabled). The policy is assigned to the service principal of the Imprivata Astra Azure AD Sync application, so it applies only to authentication calls made by that application and does not change home realm discovery for your other applications or users.
To create and apply the Home Realm Discovery policy:
- Log in to Microsoft Graph Explorer as a Global Administrator.
- Consent to the Microsoft Graph Explorer application in your tenant.
For more information, see the Microsoft Graph API documentation.
- Create a home realm discovery policy by making the following HTTP request:
POST https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
Request body
In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object. Each entry in definition is itself a JSON document encoded as a string, so the quotes inside it are escaped and it must be valid JSON on its own (no trailing comma):
{
  "displayName": "yourPolicyName",
  "definition": [
    "{\"HomeRealmDiscoveryPolicy\":{\"AllowCloudPasswordValidation\":true}}"
  ],
  "isOrganizationDefault": false
}
Response
If successful, this method returns a 201 Created response code and the new homeRealmDiscoveryPolicy object in the response body. Note the id; you need it for the next two requests.
Example response
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies/$entity",
  "id": "239cbead-1111-654a-9f50-1467d691aaa",
  "deletedDateTime": null,
  "definition": [
    "{\"HomeRealmDiscoveryPolicy\":{\"AllowCloudPasswordValidation\":true}}"
  ],
  "displayName": "Exclude Federated Authentication",
  "isOrganizationDefault": false
}
- Assign the home realm discovery policy to the Imprivata Astra Azure AD Sync application by making the following HTTP request. The identifier in the URL is the object ID of the application's service principal (shown under Enterprise applications), not the application (client) ID of the app registration:
POST https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Astra Azure AD Sync application object id>/homeRealmDiscoveryPolicies/$ref
Request body
In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned:
{
  "@odata.id": "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
}
Response
If successful, this method returns a 204 No Content response code.
- Verify that the home realm discovery policy was applied to the service principal by making the following HTTP request:
GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo
Response
The value array should contain the service principal you assigned the policy to:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.servicePrincipal",
      "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",
      ...
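The three Graph requests above (create, assign, verify) as one scripted workflow. This is an added example, not Imprivata's or Microsoft's code. It builds the nested definition with json.dumps so the escaped inner JSON is always valid, treats anything other than the documented 201/204/200 responses as a failure, and refuses to report success unless the appliesTo call shows the service principal. The HTTP transport is injectable, and the make_fake_send stand-in plus the placeholder token and service principal object id are constructed so the workflow runs offline; against a real tenant, pass a token that carries the Policy.ReadWrite.ApplicationConfiguration permission (an assumption about the required scope; check the Graph reference for the homeRealmDiscoveryPolicy resource).

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def hrd_definition(allow_cloud_password_validation=True):
    """'definition' is a list of JSON documents encoded as strings. Building the inner
    object with json.dumps gets the escaping right and cannot emit a trailing comma."""
    inner = {"HomeRealmDiscoveryPolicy": {
        "AllowCloudPasswordValidation": allow_cloud_password_validation}}
    return [json.dumps(inner, separators=(",", ":"))]


def hrd_policy_body(display_name):
    """Body for POST /policies/homeRealmDiscoveryPolicies."""
    return {"displayName": display_name, "definition": hrd_definition(),
            "isOrganizationDefault": False}


def parse_definition(policy):
    """Decode a policy's nested definition strings; raises ValueError if one is not JSON."""
    return [json.loads(d) for d in policy["definition"]]


def assign_body(policy_id):
    """Body for POST /servicePrincipals/{sp}/homeRealmDiscoveryPolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}"}


class GraphClient:
    """Minimal Graph client. send(method, url, body) -> (status, parsed_json_or_None)
    is injectable so the workflow can be exercised without a tenant."""

    def __init__(self, token, send=None):
        self.token = token
        self.send = send or self._send_http

    def _send_http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def create_hrd_policy(self, display_name):
        status, obj = self.send("POST", f"{GRAPH}/policies/homeRealmDiscoveryPolicies",
                                hrd_policy_body(display_name))
        if status != 201:
            raise RuntimeError(f"create failed: HTTP {status}")
        parse_definition(obj)  # fail early if the stored definition cannot be read back
        return obj["id"]

    def assign_to_service_principal(self, sp_object_id, policy_id):
        url = f"{GRAPH}/servicePrincipals/{sp_object_id}/homeRealmDiscoveryPolicies/$ref"
        status, _ = self.send("POST", url, assign_body(policy_id))
        if status != 204:
            raise RuntimeError(f"assign failed: HTTP {status}")

    def applies_to(self, policy_id):
        """Object ids of the service principals the policy is assigned to."""
        url = f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}/appliesTo"
        status, obj = self.send("GET", url, None)
        if status != 200:
            raise RuntimeError(f"appliesTo failed: HTTP {status}")
        return {o["id"] for o in obj.get("value", [])
                if o.get("@odata.type") == "#microsoft.graph.servicePrincipal"}


def apply_hrd_policy(client, sp_object_id, display_name="Exclude Federated Authentication"):
    """Create, assign and verify, mirroring the three requests on this page."""
    policy_id = client.create_hrd_policy(display_name)
    client.assign_to_service_principal(sp_object_id, policy_id)
    if sp_object_id not in client.applies_to(policy_id):
        raise RuntimeError("policy created but not applied to the service principal")
    return policy_id


def make_fake_send():
    """Constructed in-memory stand-in for Graph, used only for the offline demo."""
    policies, assignments = {}, {}

    def send(method, url, body):
        if method == "POST" and url.endswith("/policies/homeRealmDiscoveryPolicies"):
            pid = f"fake-policy-{len(policies) + 1}"
            policies[pid] = dict(body, id=pid, deletedDateTime=None)
            return 201, policies[pid]
        if method == "POST" and url.endswith("/homeRealmDiscoveryPolicies/$ref"):
            sp_id = url.split("/servicePrincipals/")[1].split("/")[0]
            assignments.setdefault(body["@odata.id"].rsplit("/", 1)[1], set()).add(sp_id)
            return 204, None
        if method == "GET" and url.endswith("/appliesTo"):
            pid = url.split("/homeRealmDiscoveryPolicies/")[1].split("/")[0]
            return 200, {"value": [{"@odata.type": "#microsoft.graph.servicePrincipal",
                                    "id": s} for s in assignments.get(pid, ())]}
        return 404, None
    return send


if __name__ == "__main__":
    SP_OBJECT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object id
    client = GraphClient(token="<access token>", send=make_fake_send())
    print("applied policy", apply_hrd_policy(client, SP_OBJECT_ID))
```

parse_definition also serves as a check on a policy read back from a tenant: if someone hand-typed the definition with the stray trailing comma that appears in some copies of this procedure, it raises instead of silently passing.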
Entra ID Conditional Access Policies
For this feature to work, you must exclude the Enterprise Access Management app from your Conditional Access policies that require MFA. This requirement is due to a limitation on the Microsoft side. Scope the change to the Imprivata app only: exclude that one app rather than disabling the policy or exempting users.
- In Entra ID, go to Security > Conditional Access, and select a policy that applies to your Imprivata app and requires MFA.
- To exclude your Imprivata app, go to Cloud apps or actions > Cloud apps > Exclude > Select excluded cloud apps, and select the Imprivata app.
- Click Save.
- Repeat for all Conditional Access policies that apply to your Imprivata app and require MFA.
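The "repeat for all policies" step is easy to get wrong in a tenant with many policies. The following is an added example (not Imprivata's or Microsoft's code) that audits a list of Conditional Access policy objects, shaped like the output of GET /identity/conditionalAccess/policies, and reports the enabled policies that still require MFA for the Imprivata app, counting both the built-in mfa grant control and an authentication strength. It also builds the PATCH body that adds the app to excludeApplications. The policy list and the app id are constructed sample data. The patch re-sends the whole conditions object with only the exclusion changed, on the assumption that nested condition objects are replaced as a unit on PATCH; confirm that against the Graph reference before running it against a production tenant.

```python
import copy

# Placeholder for the appId (client id) of your Imprivata enterprise application.
IMPRIVATA_APP_ID = "00000000-0000-0000-0000-00000000aaaa"


def requires_mfa(policy):
    """True if the grant controls demand MFA, either via the built-in 'mfa' control
    or via an authentication strength (which is also a multifactor requirement)."""
    grant = policy.get("grantControls") or {}
    if "mfa" in (grant.get("builtInControls") or []):
        return True
    return grant.get("authenticationStrength") is not None


def app_in_scope(policy, app_id):
    """True if the app is targeted by the policy's cloud-apps condition and not excluded."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return ("All" in included or app_id in included) and app_id not in excluded


def policies_still_enforcing_mfa(policies, app_id):
    """Display names of enabled policies that still require MFA for the given app."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and requires_mfa(p) and app_in_scope(p, app_id)]


def exclusion_patch(policy, app_id):
    """PATCH body for /identity/conditionalAccess/policies/{id} that adds the app to
    excludeApplications and leaves every other condition exactly as it was."""
    conditions = copy.deepcopy(policy["conditions"])
    apps = conditions.setdefault("applications", {})
    excluded = list(apps.get("excludeApplications") or [])
    if app_id not in excluded:
        excluded.append(app_id)
    apps["excludeApplications"] = excluded
    return {"conditions": conditions}


# Constructed sample, shaped like GET /identity/conditionalAccess/policies output.
# Role and authentication-strength ids are placeholders.
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "MFA for Imprivata (already excluded)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [IMPRIVATA_APP_ID],
                                     "excludeApplications": [IMPRIVATA_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p3", "displayName": "Legacy MFA policy (disabled)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p4", "displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p5", "displayName": "Phishing-resistant MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<admin role template id>"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": "<authentication strength id>"}}},
]

if __name__ == "__main__":
    for name in policies_still_enforcing_mfa(SAMPLE_POLICIES, IMPRIVATA_APP_ID):
        print("still requires MFA for the Imprivata app:", name)
```

Run the audit again after saving your changes; an empty result means every enabled MFA policy now excludes the app, and the exclusion list (not the policy state) is what changed.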
Create Initial Cloud Administrator
In the Imprivata Setup Wizard, create the first Imprivata Cloud Platform administrator:
- Enter the username (the Entra ID UPN) of the user who will administer the Imprivata Cloud Platform. This user must be a member of the admin group you created above (see Create an Admin Group). The user does not need to hold an Entra ID admin role; any Entra ID user is acceptable.
- Click Next to continue.
This admin receives an email with a URL for logging in to the Imprivata Cloud Platform.
Select Groups to Sync
- Log into the Imprivata Cloud Platform as the user identified in the previous step.
- You are prompted to select an Entra ID admin group. To select the group you created above (see Create an Admin Group), start typing its name. You can select more than one group that should have access to the admin console.
- In the top left column, select Add groups to add the user groups to sync, then click OK.
Microsoft Entra ID setup is now complete.
- Go to the Users tab to view your users. User sync runs in the background and displays users on the Users page as they are synced.
Secure Connection to Imprivata Cloud Platform
Configure the secure connection between your Imprivata Enterprise Access Management appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, look at the Status panel on the right-hand side of the Imprivata Admin Console for a green checkmark icon next to Access Management integration. Before you begin, Access Management integration is greyed out.
- In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
- On the Imprivata Access Management page, you will see the status message: Unable to verify integration. Unable to connect to Imprivata Access Management. On this page, copy the Enterprise integration ID to your clipboard.
- Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
- On the Settings > System page, go to Enterprise Access Management integration, paste the Enterprise integration ID, and click Create integration token.
- After the token appears onscreen, click Copy integration token. Treat this token as a secret: it binds your appliance enterprise to your cloud tenant, so paste it directly into the Admin Console and do not store it in tickets, email or chat.
- Return to the Imprivata Admin Console > Imprivata Access Management page, paste the integration token in the field provided, and click Integrate.
When successful, the status message reads Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.
NOTE: This integration applies to every appliance in the enterprise.
Stopping and Restarting This Connection
You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running and Disabled (stopped).
- In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
- The Imprivata Cloud Connect status is shown as either Running or Disabled (stopped).
- Select Stop/restart options.
- Select one of:
  - Stop Imprivata Cloud Connect on this appliance
  - Restart Imprivata Cloud Connect on this appliance
  - Stop Imprivata Cloud Connect on all appliances
  - Restart Imprivata Cloud Connect on all appliances
  NOTE: In this context, "Restart" means both "start this stopped connection" and "restart this connection that is already running".
- Click Go.
User Policy Setup
- In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
- Select Facial biometric as a primary factor.
- Select a second factor for Facial biometric:
  - No second factor
  - Security Key
  - Imprivata PIN
  - Password
  - Proximity Card
  - Device-bound passkey (not supported in this release)
  - Imprivata PIN or Device-bound passkey
  - Security Key or Imprivata PIN or Proximity Card
  NOTE: Facial biometric can also be selected as a second factor for Security Key, Password, and Proximity Card.
  Choosing No second factor makes the facial match the sole factor for desktop access; pair it with a second factor wherever your policy requires multifactor authentication.
- Select another primary factor if needed, for example if users in this policy must also authenticate at endpoints where Facial Biometric authentication is not available (endpoints without a supported camera, or without Internet access to the Imprivata Cloud Platform).
- Click Save.
Expected User Workflow
The first time a user begins the Desktop Authentication workflow, they enroll their facial biometric:
Enroll Facial Biometrics
- At the Imprivata Enterprise Access Management login screen, the user selects Use facial bio. The Set up facial biometrics window opens.
- The user enters their username and password, then clicks Enroll facial biometrics. Enrollment is gated by the user's existing password, which is why the user must already be enrolled with Enterprise Access Management SSO (see Requirements).
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's facial biometric is successfully captured, the user is logged into the desktop.
A user's Facial Biometric enrollment can be deleted by an Imprivata Enterprise Access Management administrator.
Desktop Authentication with Facial Biometric as a Primary Factor
- At the Imprivata Enterprise Access Management login screen, the user selects Use facial bio.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's facial biometric is successfully captured, the user is logged into the desktop. If the user's User Policy requires a second factor for Desktop Authentication, the user completes that factor before being logged in.
If the Imprivata Agent cannot identify and authenticate the person logging in, the user's options are Retry, Different User, or Cancel. If they select Different User, they must provide their username to continue.
Desktop Authentication with Facial Biometric as a Secondary Factor
- At the Imprivata Enterprise Access Management login screen, the user selects the available primary factor (Security Key, Password, or Proximity Card).
- The user authenticates with their primary factor.
- The user then clicks the Facial Bio hexagon tile onscreen. The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's facial biometric is successfully captured, the user is logged into the desktop.