Single Sign-On with Entra ID
Single Sign-On (SSO) with Microsoft Entra ID (formerly Azure AD) allows Desktop Client users to authenticate automatically with their domain-joined computer. This method provides a silent, seamless login experience by relying on the operating system’s identity, without requiring any user action. Compared to Integrated Windows Authentication (IWA), Entra ID SSO leverages modern cloud-based identity management, making it especially suitable for hybrid or cloud-first environments.
Prerequisites:
MyQ Print Server 10.2 patch 6+
Client devices running Windows
Devices must be Entra ID-joined, AD-joined, or Hybrid-joined
A Microsoft Entra tenant with permissions to register Enterprise Applications
To use silent SSO with Entra ID in the Desktop Client, you must enable “Sign in with Microsoft” for the authentication server on the MyQ Print Server, under Settings – Authentication Servers.
Configuration Overview
To enable SSO with Entra ID, create a Microsoft Entra ID connection in MyQ.
This connection links to an Enterprise Application (service principal) in your tenant, which grants MyQ permission to access user identities through Microsoft Graph.
You can either:
Allow MyQ to create the Enterprise Application automatically when you create the connection, or
Create the application manually in your tenant before linking it.
For detailed setup steps, see Set Up Entra ID with Microsoft Graph API.
User Login Experience
During startup, the Desktop Client attempts a silent login using the credentials of the operating system account:
The client requests a token from Entra ID.
If the device is properly joined to the domain, authentication takes place in the background.
The user is logged in without having to enter their credentials.
This process uses token-based authentication and relies entirely on the operating system’s identity infrastructure.
Fallback Behavior
If Entra ID authentication fails, the Desktop Client automatically falls back to:
IWA, if enabled
Manual sign-in with MyQ
You can also enable silent login with IWA. If both SSO with Entra ID and IWA are enabled, Entra ID is used first, with fallback to IWA.
Best Practices
Use Entra ID SSO in modern or hybrid environments for seamless, cloud-based authentication.
Enable IWA as a fallback where legacy on-premises support is needed.
Ensure devices are correctly joined to Entra ID, AD, or Hybrid; otherwise, silent login will not succeed.
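To check the join prerequisite on a client before troubleshooting a failed silent login, the following added example (not MyQ code) classifies the device from the output of the Windows built-in dsregcmd /status. The function name Get-JoinState and the sample lines are constructed for illustration; that MyQ's silent login depends on the AzureAdPrt flag is an assumption, not something this page states.

```powershell
# Added example, not part of MyQ. Maps `dsregcmd /status` output to the join
# states named in the prerequisites: Entra ID-joined, AD-joined, Hybrid-joined.
function Get-JoinState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running it locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Name : VALUE" pairs; collect them into a lookup table.
    # Section banners such as "| Device State |" do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    if ($entra -and $domain) {
        $state = 'Hybrid-joined'
    } elseif ($entra) {
        $state = 'Entra ID-joined'
    } elseif ($domain) {
        $state = 'AD-joined'
    } else {
        $state = 'Not joined'
    }

    [pscustomobject]@{
        JoinState         = $state
        MeetsPrerequisite = $state -ne 'Not joined'
        TenantName        = $fields['TenantName']
        # SSO-state flag reported by dsregcmd for the signed-in user.
        # Assumption: relevant to silent login; the page does not say so.
        PrtPresent        = $fields['AzureAdPrt'] -eq 'YES'
    }
}

# Constructed sample output (not captured from a real device).
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES',
    '                TenantName : Example Tenant (constructed)',
    '                AzureAdPrt : NO'
)
Get-JoinState -StatusLines $sample   # JoinState = Hybrid-joined, PrtPresent = False
```

Run Get-JoinState with no arguments in the signed-in user's own session, because dsregcmd reports the SSO state only for the account that runs it.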