Face Recognition Authentication
Imprivata Enterprise Access Management supports face recognition authentication for Desktop Access on Type 1 Imprivata agent endpoints.
Requirements
- Users in a policy enabled for facial biometrics must be synced from Active Directory (AD) to Entra ID.
- The endpoint computers can be either AD-only or hybrid joined AD/Entra ID.
- The cloud must be synced from AD to Entra ID with Entra Connect.
- Entra ID P1 or later is required to edit conditional access policies.
- Users must already have their username and password enrolled with Imprivata Enterprise Access Management SSO, and they must have used their username and password against the Imprivata appliance at least once. This includes logging into their desktop, or logging into the Enterprise Access Management enrollment utility.
- Internet access is required for face recognition authentication. If the endpoint cannot connect to your Imprivata Cloud Platform, an error message appears during authentication. A connection between the endpoint and your Imprivata appliance is not required.
- A 1080p camera must be installed and enabled at the endpoint computer. Modern cameras capable of handling Zoom video conferencing are sufficient.
Before You Begin
Face recognition authentication requires:
- Upgrade your enterprise to Imprivata Enterprise Access Management 25.1.
- Install a custom Enterprise Access Management IPM to enable this feature.
- Install a custom agent only on Type 1 Imprivata agents, then sync the agents with the Imprivata appliance.
You can find these downloads at the Imprivata Customer Experience Center.
Your enterprise also requires an Authentication Management license and a Confirm ID for Remote Access license.
Complete the connection between your Imprivata enterprise and your tenant on the Imprivata Control Center. See Single Sign On for the Admin Console.
Add Imprivata Cloud IP addresses to Entra ID
- Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
- Select IP ranges location.
- Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.
- Add the following IP addresses:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.
Optional — Add Imprivata to Trusted Per-user MFA
If you use "per-user" multifactor authentication, then add the Imprivata Cloud Platform to the "per-user" MFA trusted IPs:
- Go to Entra ID Overview > Manage > Users, and select Per-user multifactor authentication.
- Select the Service settings tab.
- Add the same IP addresses you entered for the trusted location above:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.
Enable Password Hash Sync
- Go to Entra ID Overview > Manage > Microsoft Entra Connect.
- Select Connect Sync. Verify that Password Hash Sync is enabled.
If it is not enabled, configure Password Hash Synchronization in the Microsoft Entra Connect Sync agent.
Sync Entra ID Users
You can configure Imprivata Enterprise Access Management to treat Entra ID as a directory, providing full user sync capabilities. This will require Entra ID Global Administrator or Privileged Role Administrator rights.
- Log into the Imprivata Control Center at access.imprivata.com.
- In the Imprivata Control Center, click the gear icon.
- On the Entra ID Users tab, click Add an Entra ID directory now.
- The Add Entra ID as a directory window opens. Paste your Entra ID Tenant ID, and click Continue to Microsoft Authentication.
- Click Accept on Microsoft's permissions window.
- Click Specify groups now. Enter group names to find and add them.
- Click Update now to sync users.
Remove Face Enrollment
After a user has enrolled their face, you can return to this page to remove the enrollment, if necessary. Click the overflow menu next to their name, and then Remove.
Optional — Include Home Realm Discovery Policy
This step is needed if you are using federated authentication. The Imprivata Cloud Platform must be able to validate user passwords when they are typed in. In a federated environment, Imprivata must prevent these password validation calls from being redirected to the federated identity provider (IdP). You do this by changing the home realm discovery policy so that authentication calls from the Imprivata Cloud go to your Entra ID tenant only. The policy applies only to authentication calls made by the Imprivata Astra Azure AD Sync application.
To create and apply the Home Realm Discovery policy:
- Log in to Microsoft Graph Explorer. To make it more secure, log in as the Global Administrator.
- Consent to the Microsoft Graph Explorer application in your tenant. For more information, see the Microsoft Graph API documentation.
- Create a home realm discovery policy by making the following HTTP request:

POST - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies

Request body
In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object. Note that each element of definition is itself a JSON document serialized as a string:

{
  "displayName": "yourPolicyName",
  "definition": [
    "{\"HomeRealmDiscoveryPolicy\": {\"AllowCloudPasswordValidation\": true}}"
  ],
  "isOrganizationDefault": false
}

Response
If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.

Example response
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
  "value": [
    {
      "id": "239cbead-1111-654a-9f50-1467d691aaa",
      "deletedDateTime": null,
      "definition": [
        "{\"HomeRealmDiscoveryPolicy\": {\"AllowCloudPasswordValidation\": true}}"
      ],
      "displayName": "Exclude Federated Authentication",
      "isOrganizationDefault": false
    }
  ]
}

- Assign the home realm discovery policy to the Imprivata Astra Azure AD Sync application by making the following HTTP request:

POST - https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Astra Azure AD Sync application object id>/homeRealmDiscoveryPolicies/$ref

Request body
In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned:

{
  "@odata.id": "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
}

Response
If successful, this method returns a 204 No Content response code.

- Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:

GET - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo

Response
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.servicePrincipal",
      "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",
      ...
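The three Graph calls above (create the policy, attach it to the service principal, confirm it appears in appliesTo) are easy to get half-done: a 201 without the follow-up assignment leaves federated redirection in place, and a 204 on the assignment says nothing about which principal got it. The script below, an added example that is not Imprivata's or Microsoft's code, runs the sequence and stops on the first step whose status or content is wrong. The transport is injected so the workflow runs offline against a constructed fake tenant; the bearer token, and the object id you pass for the Imprivata Astra Azure AD Sync service principal, are assumed inputs obtained from your own tenant. The policy definition is built with json.dumps so the serialized string is always well-formed.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport takes (method, url, json_body_or_None, bearer_token) and returns
# (http_status, parsed_json_or_None). Injecting it keeps the workflow testable offline.
Transport = Callable[[str, str, Optional[dict], str], Tuple[int, Optional[dict]]]


def urllib_transport(method: str, url: str, body: Optional[dict], token: str):
    """Live transport: sends the request to Microsoft Graph with a bearer token
    (assumed to be obtained separately with the permissions Graph requires)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def hrd_policy_body(display_name: str) -> dict:
    """Request body for POST /policies/homeRealmDiscoveryPolicies. Graph expects each
    definition element as a JSON document serialized into a string."""
    definition = {"HomeRealmDiscoveryPolicy": {"AllowCloudPasswordValidation": True}}
    return {
        "displayName": display_name,
        "definition": [json.dumps(definition)],
        "isOrganizationDefault": False,
    }


def apply_cloud_password_validation(send: Transport, token: str, sp_object_id: str,
                                    display_name: str = "Exclude Federated Authentication") -> dict:
    """Create the policy, assign it to the service principal, and verify the assignment.
    Raises RuntimeError on the first step that does not produce the expected result."""
    status, created = send("POST", f"{GRAPH}/policies/homeRealmDiscoveryPolicies",
                           hrd_policy_body(display_name), token)
    if status != 201 or not created or not created.get("id"):
        raise RuntimeError(f"policy creation failed: HTTP {status} {created}")
    policy_id = created["id"]

    ref = {"@odata.id": f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}"}
    status, _ = send("POST", f"{GRAPH}/servicePrincipals/{sp_object_id}/homeRealmDiscoveryPolicies/$ref",
                     ref, token)
    if status != 204:
        raise RuntimeError(f"policy assignment failed: HTTP {status}")

    status, applies = send("GET", f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}/appliesTo",
                           None, token)
    if status != 200 or applies is None:
        raise RuntimeError(f"appliesTo lookup failed: HTTP {status}")
    ids = {obj.get("id") for obj in applies.get("value", [])}
    if sp_object_id not in ids:
        raise RuntimeError(f"policy {policy_id} is not applied to {sp_object_id}; appliesTo={sorted(ids)}")
    return {"policyId": policy_id, "appliesTo": sorted(ids)}


def fake_graph_transport() -> Transport:
    """Constructed in-memory stand-in for the three Graph endpoints used above."""
    state = {"policies": {}, "assignments": {}}

    def send(method, url, body, token):
        path = url[len(GRAPH):]
        if method == "POST" and path == "/policies/homeRealmDiscoveryPolicies":
            pid = f"00000000-0000-0000-0000-{len(state['policies']) + 1:012d}"
            state["policies"][pid] = dict(body, id=pid)
            return 201, state["policies"][pid]
        if method == "POST" and path.startswith("/servicePrincipals/") and path.endswith("/homeRealmDiscoveryPolicies/$ref"):
            sp = path.split("/")[2]
            pid = body["@odata.id"].rsplit("/", 1)[1]
            if pid not in state["policies"]:
                return 404, {"error": {"code": "Request_ResourceNotFound"}}
            state["assignments"].setdefault(pid, set()).add(sp)
            return 204, None
        if method == "GET" and path.endswith("/appliesTo"):
            pid = path.split("/")[3]
            sps = state["assignments"].get(pid, set())
            return 200, {"value": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": s}
                                   for s in sorted(sps)]}
        return 404, {"error": {"code": "Request_ResourceNotFound"}}

    return send


if __name__ == "__main__":
    # Offline demonstration against the fake tenant; pass urllib_transport and a real
    # token to run the same sequence against Graph.
    sp_id = "c1f8e0d4-25b0-46b2-aaa8-827822631a33"  # the example object id shown on this page
    print(apply_cloud_password_validation(fake_graph_transport(), "<token>", sp_id))
```

The verification step is the one worth keeping even if you do the first two in Graph Explorer: the Imprivata Cloud only stops being redirected once appliesTo lists the Astra sync service principal.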
Entra ID Conditional Access Policies
You must exclude the Enterprise Access Management app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.
- In Entra ID, go to Security > Conditional Access, and select a policy that applies to your Imprivata app and requires MFA.
- To exclude your Imprivata app, go to Cloud apps or actions > Cloud apps > Exclude > Select excluded cloud apps, and select the Imprivata app.
- Click Save.
- Repeat for all conditional access policies that apply to your Imprivata app and require MFA.
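The last step is the one that gets missed in tenants with many policies: a policy scoped to "All cloud apps" that requires MFA still covers the Imprivata app unless the app is in its exclusion list. The audit below is an added example, not Imprivata's or Microsoft's code. It walks a list of policy objects in the shape Graph returns for conditionalAccessPolicy (conditions.applications.includeApplications/excludeApplications, grantControls.builtInControls, state) and reports the enabled, MFA-requiring policies that still apply to a given app id. The app id and the four sample policies are constructed for the example; in practice you would feed it the objects from a Graph listing of your own policies.

```python
import copy
from typing import Iterable, List, Tuple

# Hypothetical app (client) id of the Imprivata Enterprise Access Management app;
# substitute the real one from your tenant's Enterprise applications blade.
IMPRIVATA_APP_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sample policies in the shape of Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for Imprivata (already excluded)", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [IMPRIVATA_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Pilot MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [IMPRIVATA_APP_ID], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def _requires_mfa(policy: dict) -> bool:
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def _applies_to_app(policy: dict, app_id: str) -> bool:
    """True when the app is targeted (directly or via "All") and not excluded."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    if app_id in excluded:
        return False
    return "All" in included or app_id in included


def policies_still_requiring_mfa_for_app(policies: Iterable[dict], app_id: str,
                                          states: Tuple[str, ...] = ("enabled",)) -> List[str]:
    """Display names of policies in the given states that require MFA and still
    cover app_id. Report-only policies are skipped by default because they do not
    enforce; pass states=("enabled", "enabledForReportingButNotEnforced") to see
    the ones that would start blocking once switched on."""
    return [p["displayName"] for p in policies
            if p.get("state") in states and _requires_mfa(p) and _applies_to_app(p, app_id)]


def with_app_excluded(policy: dict, app_id: str) -> dict:
    """Return a copy of the policy with app_id added to excludeApplications, i.e. the
    change the portal step above makes. Pure data; no request is sent."""
    updated = copy.deepcopy(policy)
    apps = updated.setdefault("conditions", {}).setdefault("applications", {})
    excluded = apps.setdefault("excludeApplications", [])
    if app_id not in excluded:
        excluded.append(app_id)
    return updated


if __name__ == "__main__":
    print("still blocking:", policies_still_requiring_mfa_for_app(SAMPLE_POLICIES, IMPRIVATA_APP_ID))
    fixed = [with_app_excluded(p, IMPRIVATA_APP_ID) for p in SAMPLE_POLICIES]
    print("after exclusion:", policies_still_requiring_mfa_for_app(fixed, IMPRIVATA_APP_ID))
```

Run it against a fresh export after each portal change; the first list should be empty before you test face recognition, and the report-only variant tells you which pilot policies will need the same exclusion before they are enforced.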
Stopping and Restarting This Connection
You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).
- In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
- Imprivata Cloud Connect status is either Running or Disabled (stopped).
- Select Stop/restart options.
- Select from:
  - Stop Imprivata Cloud Connect on this appliance
  - Restart Imprivata Cloud Connect on this appliance
  - Stop Imprivata Cloud Connect on all appliances
  - Restart Imprivata Cloud Connect on all appliances
  NOTE: In this context, "Restart" means both "start this stopped connection" and "restart this connection that is already running".
- Click Go.
User Policy Setup
- In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
- Select Face recognition as a primary factor.
- Select a second factor for Face recognition:
  - no second factor
  - Security Key
  - Imprivata PIN
  - Password
  - Proximity Card
  - Device-bound passkey (not supported in this release)
  - Imprivata PIN or Device-bound passkey (not supported in this release)
  - Security Key or Imprivata PIN or Proximity Card
  NOTE: Face recognition can also be selected as a second factor for Security Key, Password, and Proximity Card.
- Select another primary factor if needed, for example if users in this policy must authenticate at endpoints where Face recognition authentication is not available.
- Click Save.
Expected User Workflow
The first time a user begins the Desktop Authentication workflow:
Enroll Facial Biometrics
- At the Imprivata Enterprise Access Management login screen, the user selects Use facial bio. The Set up Face recognition window opens.
- The user enters their username and password, then clicks Enroll Face recognition.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's face biometric is successfully captured, the user is logged into the desktop.
A user's Face recognition enrollment can be deleted by an Imprivata Enterprise Access Management administrator.
Desktop Authentication with Face Recognition as a Primary Factor
- At the Imprivata Enterprise Access Management login screen, the user selects Use facial bio.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's face biometric is successfully captured, the user is logged into the desktop. If their User Policy requires a second factor for Desktop Authentication, the user completes that factor before being logged in.
Desktop Authentication with Face Recognition as a Secondary Factor
- At the Imprivata Enterprise Access Management login screen, the user selects the available primary factor (Security Key, Password, or Proximity Card).
- The user successfully authenticates with their primary factor.
- The user then clicks the Facial Bio hexagon tile onscreen. The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's facial biometric is successfully captured, the user is logged into the desktop.