Quick-start - Passwordless MFA for domain-joined Windows workstations
In this guide we will set up idemeum Passwordless MFA for domain-joined Windows workstations. Your customers will be able to access workstation without passwords leveraging mobile biometrics.

Prerequisites
idemeum leverages virtual smart card for user login into domain-joined workstations. Here are the pre-requisites for idemeum Passwordless MFA for domain-joined set up:
- idemeum supports Windows 10, 11, IoT for domain-joined Passwordless MFA
- Windows workstation has to have a Trusted Platform Module (TPM) enabled. Refer to this link to learn more about how to verify whether TPM is present in the system.
- Active Directory Certificate Services (ADCS) need to be set up and configured with idemeum certificate template. The detailed guide is here.
1. Sign up for idemeum MSP tenant
If you have not created your idemeum cloud tenant yet, please follow the steps below to create a trial tenant for your organization.

2. Enable Cloud Directory for your MSP tenant
To manage identities of your MSP technicians we will leverage idemeum local directory. To enable local directory:
- Navigate to
https://<your-msp-domain>.idemeum.com/adminportal
- Access
Users
→User source
and chooseLocal
Save
the configuration

3. Create accounts for your technicians
Now you can add your technicians to your tenant local directory. Once onboarded they will be able to login to your MSP tenant and also customer tenants with a mobile device.
- Navigate to your MSP tenant admin portal at
https://<your-msp-domain>.idemeum.com/adminportal
- Access
Users
→User management
and clickAdd user
- Enter the email address that the user will verify in the mobile application to be onboarded into your tenant, and save the user record

4. Create a customer tenant that you will manage
idemeum offers Multi-Tenant MSP Portal to manage all your customer tenants from a single dashboard. To create a tenant for your customer:
- Navigate to your MSP tenant admin portal at
https://your-domain.idemeum.com/adminportal
- Access
Customers
on the left and clickCreate customer
- Enter
Name
(will be used to create a subdomain for your MSP tenant, for examplecusrtomer-<your MSP domain>.idemeum.com
) andDisplay name
(will be used as a display name / title for your customer tenant)

5. Delegate technician access to customer tenant
You have two options:
- You can make every technician an
Admin
in your MSP tenant and as a result, technicians will have access to all created customers tenants by default. - You do not assign an
Admin
role to a technician, but delegate access to each customer tenant directly.
To assign an Admin
role to a technician, please follow these steps.
- Navigate to your MSP tenant admin portal at
https://<your-msp-domain>.idemeum.com/adminportal
- Access
Users
- Find the user record, click on
...
and then chooseMake admin

To delegate access to each customer tenant directly, please follow these steps.
6. Configure customer tenant
Now we will configure customer tenant for authentication leveraging Passwordless MFA.
- Access your customer tenant with a mobile device. You can directly naviagate to a customer tenant URL at
customer-<your msp domain>.idemeum.com
or navigate to your MSP postal,Customers
section and click on the link from there. You will need to login with your mobile device.
Enable cloud directory for customer tenant
- Navigate to your customer tenant admin dashboard and enabel cloud directory
- Access
Users
→User source
and chooseLocal
Save
the configuration

Enable master key for the customer tenant
Master key is the secret key for each customer tenant that encrypts all sensitive information, such as passwords. Therefore idemeum team can not see any of your or your customer information in our cloud.
- Navigate to
Settings
and thenDesktop login
- Enable
Master key
with a toggle

Enable user authentication with Passwordless MFA
- Navigate to
Settings
and thenDesktop login
- Click
Enable desktop login for users
- Then choose
Passwordless MFA
from the drop down list - Click
Save

Create your customer users
Now you create users for your customers so that they can onboard with a mobile device. For example, here I create a new user record for Billy:
- Provide
First name
andLast name
- Enter
company email address / UPN
- Optionally enter the
personal email address

Set up desktop client branding
You can configure the look and feel for the desktop client by configuring background, logo, and text for your users. You can follow the guide below.

Enable ADCS configuration for customer
Active Directory Certificate Services (AD CS) is leveraged to perform certificate-based login, i.e., smart card login post completing MFA via idemeum mobile application.
Before installing idemeum desktop client on domain-joined machines, please ensure you perform a one-time configuration to set up Active Directory Certificate Services.
7. Install idemeum desktop application
Now you can install idemeum desktop application to a customer workstation. There are various installation methods. For instance, you can install idemeum desktop client manually.
8. Test user login
Users can now login to their workstations with idemeum Passwordless MFA.

9. Passwordless elevated access for technicians
There is a separate quick-start guide for Passwordless Elevated Access. Your technicians can access any customer workstation with a mobile device. No credentials needed.
All you need to do is to assign an account to each workstation in the cloud portal.
- Navigate to your customer tenant at
customer-<msp domain>.idemeum.com
- Click on
Accounts
at the top, then choose...
and chooseConfigure shared account
- Now assign a local admin account that will be used for technicians to access customer workstation or elevate in the remote session. If the account does not exist, idemeum desktop client will automatically create it.
- Now for any customer workstation your technicians can click
Elevated access
and login to a workstation by scanning a QR-code with a mobile device.


Questions?
If you have any questions, join our Discord chat and we can help you.