Configure Windows Hello for Business Authentication for Dynamic Privilege Access Prisma Access Agents

Configure your environment to use Windows Hello for Business authentication with the Dynamic Privilege Access-enabled Prisma Access Agent.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access license with the Mobile User subscription
  • Minimum Prisma Access Agent version: 26.1
  • Windows Hello for Business enabled
  • Microsoft Entra ID-joined Windows 10 version 2024 and later devices
To enable Windows Hello for Business authentication with Prisma Access Agent, you must configure both your Microsoft Entra ID environment and Cloud Identity Engine. This procedure guides you through the steps needed to set up the integration.
Once configured, Prisma Access Agent automatically detects whether a Primary Refresh Token (PRT) is available on the user's device and, if it is, uses the Windows Hello for Business credential. Users authenticate with their configured personal identification number (PIN) or biometric method without any additional web-based authentication step.
Single sign-on with Windows Hello for Business supports either the Prisma Access Agent embedded browser or the default system browser for SAML authentication. You can configure the agent settings to suppress the embedded browser so that it won't appear.
  1. Configure Microsoft Entra ID and Windows Hello for Business.
    1. Join your Windows systems to Microsoft Entra ID.
      This lets Microsoft Entra ID manage the authentication policy rules for your devices. Consult Microsoft's documentation for detailed procedures on joining devices to Microsoft Entra ID.
    2. Configure Windows Hello for Business policy rules in Microsoft Entra ID.
      Set up policy rules that enforce PIN requirements, biometric authentication methods (facial recognition, fingerprint), and other security settings according to your organization's requirements.
    3. Preconfigure end-user devices with Windows Hello for Business.
      Ensure your users have registered their biometric data or created PINs according to your organization's policy rules. This step is required: a device does not obtain a Primary Refresh Token for the user until the Windows Hello for Business credential is provisioned.
  2. Configure Cloud Identity Engine.
  3. Check the user authentication configuration for Prisma Access Agent.
    1. Create a snippet to group the configurations of Prisma Access Agents that you can quickly push to your deployments.
    2. Configure Prisma Access Agent App Settings for Dynamic Privilege Access.
      Create an agent setting with the following app configuration settings:
      • Set the Connect method to Always On.
      • (Optional) To prevent the Prisma Access Agent embedded browser from appearing momentarily during single sign-on, select Show Advanced Options, go to Authentication, and enable Use Single Sign-on (Windows).
    3. Create a project for users to access using the Prisma Access Agent using the agent settings that you created.
  4. Save and push the configuration.
    Your Entra ID-joined users can now log in to their Windows devices with their configured PIN or biometric method and see that Prisma Access Agent is in the connected state.
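Before pushing the configuration, it is worth confirming on a test device that the three prerequisites from step 1 (Entra ID join, Windows Hello for Business provisioning, and a Primary Refresh Token for the signed-in user) are actually in place, because the agent only falls back to the PIN or biometric path when it finds a PRT. The following PowerShell is an added example and is not from the Palo Alto Networks page or product; it parses the output of the built-in Windows `dsregcmd /status` tool (the `AzureAdJoined`, `NgcSet` and `AzureAdPrt` fields are the names that tool prints) and includes a constructed, abbreviated sample of that output so the parser can be exercised without a real device. Run `dsregcmd /status` in the signed-in user's own session, not from an elevated prompt under a different administrator account, because the User State and SSO State sections reflect the account that runs it.

```powershell
# Added example (not from the Palo Alto Networks documentation): verify on a Windows
# device that the prerequisites for Prisma Access Agent Windows Hello for Business SSO
# are present, by parsing `dsregcmd /status`.

function ConvertFrom-DsregStatus {
    # Turn the "Name : Value" rows printed by dsregcmd into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Section banners (+----+ and | ... |) contain no "Name : Value" pair and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WhfbSsoPrerequisites {
    # Returns $true only when every prerequisite is satisfied; prints one PASS/FAIL line per check.
    param([Parameter(Mandatory)][hashtable]$Status)
    $checks = [ordered]@{
        'Device is Microsoft Entra ID-joined (AzureAdJoined)'        = ($Status['AzureAdJoined'] -eq 'YES')
        'Windows Hello for Business credential provisioned (NgcSet)' = ($Status['NgcSet'] -eq 'YES')
        'Primary Refresh Token present for this user (AzureAdPrt)'   = ($Status['AzureAdPrt'] -eq 'YES')
    }
    $allOk = $true
    foreach ($name in $checks.Keys) {
        $ok = $checks[$name]
        if (-not $ok) { $allOk = $false }
        Write-Host ('{0,-4} {1}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $name)
    }
    return $allOk
}

# Constructed sample of dsregcmd /status output (abbreviated to the fields used here).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# Offline run against the constructed sample: all three checks pass, returns $true.
$status = ConvertFrom-DsregStatus -Lines $sample
Test-WhfbSsoPrerequisites -Status $status

# On a real device, run the same check against live output in the user's session:
# $live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
# Test-WhfbSsoPrerequisites -Status $live
```

A `FAIL` on `AzureAdPrt` with `NgcSet : YES` usually means the user has not signed in with the Windows Hello credential since it was provisioned, or the device cannot reach Microsoft Entra ID; a `FAIL` on `NgcSet` points back to step 1.3, where the PIN or biometric enrollment must be completed before the agent can skip the browser-based sign-in.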