Integration Guide for Windows Desktop Login (Azure AD Only Join)


This guide provides information on how to set up passwordless Windows Desktop Login (WDL) for Hybrid Azure Active Directory domain joined devices. It covers setting up Azure Active Directory to use Key Trust-based authentication for the Beyond Identity Credentials Provider, as well as installation and configuration of the Beyond Identity Desktop Login Authenticator app.


Prerequisites

Beyond Identity Web SSO:

  • The Beyond Identity Web SSO must be already configured and working.

  • You must have super admin privileges to the Beyond Identity Admin Console.


Client Side:

  • You need physical access or a console session to the machine to enroll in and use WDL. Enrolling in or using WDL over an RDP session is not supported.

  • The device must be joined to the Azure AD domain.

  • The device must be running Windows 10 (Build 1703 or later) or Windows 11, with a Pro or Enterprise license.

  • The device must have a Trusted Platform Module (TPM) 2.0 installed.

  • The device may have a built-in or pluggable fingerprint reader (optional).

  • The device must have the Beyond Identity Authenticator app installed and enrolled in the Beyond Identity Web SSO. This guide replaces that app with the Beyond Identity Desktop Login Authenticator app.


Client-side Config

Install Beyond Identity Desktop Login

  1. On an Azure AD Domain joined Windows device, make sure you are logged in as a domain user and have administrator rights on the local machine.

  2. Using a browser, go to https://app.byndid.com/desktop-login/downloads and download the MSI labeled “Desktop Login for Windows”.

  3. Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
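Before enrolling a user, it is worth confirming every prerequisite in one pass rather than discovering a failure halfway through the PIN setup. The PowerShell script below is an added example, not part of this guide or of Beyond Identity's tooling. It checks the items from the Prerequisites section (Azure AD join state via dsregcmd, TPM 2.0, OS build and edition, console rather than RDP session) and that the service installed above is running. The values it expects from dsregcmd /status are the ones listed in the User Enrollment Process below. Assumptions: the service's display name is exactly “Beyond Identity Service” as quoted above, and Windows 10 version 1703 maps to OS build 15063. Run it in an elevated PowerShell session on the device itself.

```powershell
# Added example (not Beyond Identity's own tooling): pre-flight checks for
# Windows Desktop Login on an Azure AD joined device. Run elevated, on the console.

function Get-DsregStatus {
    # Parse "dsregcmd /status" into a hashtable of Key -> Value.
    # Output lines look like "             AzureAdJoined : YES".
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function New-CheckResult($Check, $Expected, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-WdlPrerequisites {
    $results = @()

    # 1. Azure AD join state, TPM protection, device auth and PRT, as required by
    #    the dsregcmd /status step of the enrollment process.
    $dsreg = Get-DsregStatus
    $expected = [ordered]@{
        AzureAdJoined    = 'YES'
        DomainJoined     = 'NO'
        TpmProtected     = 'YES'
        DeviceAuthStatus = 'SUCCESS'
        AzureAdPrt       = 'YES'
    }
    foreach ($key in $expected.Keys) {
        $actual = $dsreg[$key]
        $results += New-CheckResult "dsregcmd $key" $expected[$key] $actual ($actual -eq $expected[$key])
    }

    # 2. TPM 2.0 present and ready. Get-Tpm comes from the built-in
    #    TrustedPlatformModule module; Win32_Tpm reports the spec version ("2.0, ...").
    $tpm = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    $results += New-CheckResult 'TPM 2.0 present and ready' 'Present, Ready, SpecVersion 2.0' `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) SpecVersion=$spec" `
        ($tpm.TpmPresent -and $tpm.TpmReady -and $spec -like '2.0*')

    # 3. Windows 10 1703 or later (assumed mapping: 1703 = build 15063) or Windows 11,
    #    Pro or Enterprise edition.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $results += New-CheckResult 'OS build and edition' 'Build >= 15063, Pro or Enterprise' `
        "$($os.Caption) build $build" `
        ($build -ge 15063 -and $os.Caption -match 'Pro|Enterprise')

    # 4. Console session, not RDP: SESSIONNAME is "Console" locally and "RDP-Tcp#n" over RDP.
    $session = $env:SESSIONNAME
    $results += New-CheckResult 'Console session (not RDP)' 'Console' $session ($session -eq 'Console')

    # 5. The Beyond Identity service is running (display name assumed from the guide).
    $svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { [string]$svc.Status } else { 'not installed' }
    $results += New-CheckResult 'Beyond Identity Service running' 'Running' $svcState `
        ([bool]$svc -and $svc.Status -eq 'Running')

    $results | Format-Table -AutoSize | Out-Host
    # Return $true only when every check passed, so the script can gate a rollout step.
    return -not ($results | Where-Object { -not $_.Pass })
}

if (-not (Test-WdlPrerequisites)) {
    Write-Warning 'One or more Windows Desktop Login prerequisites are not met; do not start enrollment yet.'
}
```

The dsregcmd parser is deliberately generic, so any other field from the status output (for example the tenant or device ID) can be read from the same hashtable when troubleshooting a failed enrollment.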

User Enrollment Process

  1. Run the command below in a Windows Command Prompt or PowerShell window and make sure the following values match.

       dsregcmd /status

     Returns:

       Device State
         AzureAdJoined: YES
         DomainJoined: NO

       Device Details
         TpmProtected: YES
         DeviceAuthStatus: SUCCESS

       SSO State
         AzureAdPrt: YES

  2. Open the Beyond Identity Authenticator app.

  3. Select the Profile already enrolled in Web SSO and click on “Enroll in desktop login”.

  4. Enter your username/password on the Azure AD login screen.

  5. Create a PIN that will be used for passwordless login. The minimum length is 8 characters. Hit ENTER once you have entered the PIN.

  6. Confirm the PIN added in the previous step.

  7. Optionally, enroll fingerprints for biometric login and then click “Finish Setup”.

  8. Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.

User Login Process

  1. Log out or lock the local screen.

  2. Choose the Beyond Identity login option.

  3. When prompted, use a fingerprint or enter the PIN to complete login.