Intro: The Problem with Passwords and Federated Entra ID
In today’s hybrid enterprise environments, especially those using Entra ID (Azure AD) with federation via WS‑FED or ADFS, passwords continue to be a significant vulnerability. Cloud-only accounts introduce even more friction, particularly during Windows Autopilot enrollments, where users are still required to enter passwords, even though IT aims to eliminate them entirely.
Microsoft doesn’t natively support full passwordless authentication for cloud-only accounts in federated domains. Windows Hello for Business (WHfB) functions well for pure cloud domains, but once federation is introduced, users are forced back to passwords. To make matters worse, WHfB on Windows devices is only single-factor when using a PIN or camera, not true MFA to the desktop. Since WHfB PINs don’t roam between devices, users on shared or public devices (like bank branches) must enroll the PIN on each machine separately, and must still remember their password when it eventually needs changing. Microsoft is actively moving toward broader passkey support in the Authenticator app and FIDO2 security keys, but these features are still rolling out and come with configuration complexity.
Additionally, Entra ID still doesn’t allow admins to create new cloud-only user accounts in federated tenants via the Microsoft 365 admin center. These limitations leave organizations caught between modern identity ambitions and legacy infrastructure constraints.
Secret Double Octopus bridges this gap. Their Octopus Authentication Platform delivers true passwordless MFA for Entra ID, even in federated environments via WS‑FED. Instead of passwords, SDO issues ephemeral, machine-generated tokens that fully replace the password during desktop login. The result is a seamless, secure sign-in experience with genuine MFA, without relying on a password.
SDO supports both online and offline passwordless authentication using FIDO2 security keys or mobile push, even when devices are offline or air-gapped. Users can authenticate securely regardless of network availability. Moreover, SDO supports advanced customer needs such as multi-directory environments, for example, hybrid setups with cloud-only and on-prem devices—offering a unified authentication flow and single point of management for both users and admins. Importantly, SDO’s authentication methods are phishing-resistant by design. By using cryptographically bound credentials such as FIDO2 keys and secure mobile push approvals, SDO ensures that authentication cannot be spoofed or intercepted. This approach eliminates the risks associated with credential phishing, which traditional passwords and even basic MFA cannot fully address.
🧭 Why Federate Entra ID Domains Even in a Cloud-Only Environment
At first glance, it may seem unnecessary to federate your Entra ID domain when all users and devices are cloud-native. Microsoft’s native identity solutions work well in this setup—but they aren’t always enough.
There are several real-world reasons why federation remains critical, even in cloud-first environments:
🏢 Mergers & Acquisitions (M&A)
If your organization acquires a business that uses on-prem Active Directory, or another identity provider (IdP), federation offers a way to centralize authentication without a complete directory migration. SDO enables secure, passwordless access to Microsoft 365 and Entra ID while still allowing the acquired entity to use its existing credentials and devices.
🔐 Investment in a Third-Party IdP or Authenticator
Many organizations have invested heavily in platforms like Okta or Ping Identity. These tools may serve other applications across the enterprise but lack seamless passwordless support for Microsoft endpoints. With SDO as the federated identity provider for Entra ID, you can bridge this gap—preserving your existing IdP for broader SSO while enabling passwordless login for Microsoft environments.
Note: While it’s possible to integrate SDO alongside other IdPs, Microsoft 365 must be federated directly to SDO for passwordless login to function at the Windows level. This hybrid approach can still be effective when managed carefully.
🌐 Multi-Tenant and Multi-Business Unit Environments
Large organizations often operate with multiple business units, each using different identity architectures. Federation via SDO provides a consistent and centralized passwordless strategy—regardless of whether the underlying directory is Entra ID–only, hybrid, or fully on-premises. This reduces helpdesk overhead, improves security, and streamlines compliance.
Federation + Passwordless: How SDO Extends Entra ID
Federated Entra ID domains introduce an unavoidable constraint: Microsoft delegates the sign-in process to the external identity provider, but does not provide a native passwordless path when doing so. This means that once a domain is federated via WS-FED or ADFS, all authentications must be handled by the third-party identity provider. Microsoft’s own passwordless options, such as FIDO2 or Authenticator app-based sign-in, are no longer available at the Windows login screen for users in federated domains.
This gap has traditionally left organizations with two unappealing options: maintain passwords and federation with limited user experience, or abandon federation entirely to adopt cloud-native passwordless solutions, often at the cost of backend directory control or compliance complexity.
Secret Double Octopus changes that equation. By acting as the WS-FED identity provider, SDO takes over the authentication process during Windows login, browser-based sign-in, and Autopilot provisioning. Users in federated domains can now access their Entra ID–joined devices without ever entering a password, using mobile push notifications, biometric approvals, or FIDO2 keys instead.
Behind the scenes, SDO generates and injects short-lived, cryptographically secure tokens that seamlessly fulfill the expected password fields during login. From the user’s perspective, it’s a modern passwordless experience. From the device and Entra ID’s perspective, the federation handshake completes exactly as expected, only without requiring a password from the user.
Because SDO operates at the federation level, it brings consistency across cloud-only, hybrid, and on-premises domains. Organizations with complex directory architectures, such as enterprises with Active Directory forests, Entra-only subsidiaries, or multi-tenant architectures, can centralize their passwordless strategy under a single platform without rewriting authentication workflows.
Additionally, SDO supports:
Windows Autopilot first-time login with no password prompts
SSO token issuance via standard federation protocols (including Primary Refresh Tokens for Intune and conditional access)
Cross-platform device support, including environments with Windows, macOS, and Linux endpoints
Fallback policies for break-glass accounts or conditional authentication logic
Phishing-resistant MFA methods that meet modern regulatory standards and eliminate credential theft risks
By operating natively within the WS-FED flow, Secret Double Octopus not only preserves your federation strategy; it future-proofs it.
Passwordless authentication is no longer just a buzzword; it’s a critical component of modern identity security. But achieving true passwordless authentication that works across all scenarios, device states, and directory architectures is something only a few platforms can deliver. Secret Double Octopus stands out by providing full support for cloud-only users in federated domains, offering online and offline authentication methods, and resolving major onboarding and usability gaps that are left unsolved by Microsoft’s native tooling. Below are real-world examples of how this platform solves key problems for IT teams and end users alike.
📦 Autopilot & First Login via WS-FED
One of the most common stumbling blocks in a cloud transformation journey is the first-time login experience on a new Windows device. When using Microsoft Autopilot, users are prompted to authenticate before the device has been fully provisioned. In federated environments, this forces a password prompt, even for accounts that are intended to be passwordless.
Secret Double Octopus solves this elegantly. By acting as the WS-FED identity provider, SDO handles the initial authentication process during Autopilot setup without requiring a password. Users can log in for the first time using a mobile push notification or FIDO2 token, immediately triggering device provisioning and policy enrollment with Entra ID and Intune. The result: a passwordless onboarding experience that is seamless, secure, and scalable.
Once a user has enrolled, the day-to-day login experience must remain frictionless, especially in environments with tight security and regulatory requirements. SDO offers two passwordless methods for everyday sign-in:
Mobile push notifications with biometric approval
FIDO2 security keys with biometric or PIN confirmation
Both options are available at the Windows login screen and through browser-based sign-ins to Microsoft 365 and other SaaS applications. Since SDO integrates into the federation process, it allows these modern MFA methods to function even in environments where Microsoft’s own options would otherwise be restricted due to WS-FED.
For administrators, policy controls can determine preferred methods, fallback order, and user-specific configuration to align with organizational needs or compliance mandates. These methods are considered phishing-resistant because they don’t rely on shared secrets. FIDO2 keys are hardware-bound and resistant to replay attacks, while mobile push approvals use secure out-of-band communication. This level of protection aligns with best practices defined by NIST (SP 800-63B) and CISA’s Zero Trust guidelines, making SDO a strong choice for organizations with strict compliance or audit requirements.
Many passwordless solutions fail when a device is offline, such as on a plane, in a field office, or behind a restrictive network. Traditional MFA methods often require cloud communication to validate a second factor.
Not Secret Double Octopus.
SDO supports full passwordless login even when the device has no internet connectivity. Offline authentication is made possible through locally validated FIDO2 keys and cached mobile push credentials (when configured). End users can unlock their devices and continue working securely without reverting to passwords or compromising security.
This is particularly valuable for:
Government and field service personnel
Healthcare professionals on mobile carts
Remote users in low-connectivity environments
Offline doesn’t mean insecure, and SDO proves that.
👤 Creating Users in a Federated Entra ID Environment
Organizations that have federated their Entra ID domain via WS-FED quickly discover a frustrating limitation: you can’t create cloud-only user accounts via the Microsoft 365 admin center. This makes onboarding new employees or contractors unnecessarily complex, often requiring workarounds like syncing from an on-premises AD or scripting via PowerShell and Graph API.
SDO removes this limitation.
By owning the authentication flow, Secret Double Octopus allows administrators to create and onboard users, even in federated tenants, without needing to provision a password. These users can immediately authenticate using passwordless methods such as mobile push or FIDO2, making it easy to support cloud-first strategies and reduce dependency on legacy directory infrastructure.
This functionality is particularly powerful for:
Organizations migrating off Active Directory
Subsidiaries or business units using only Entra ID
M&A transitions involving separate directory environments
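The PowerShell and Graph API workaround mentioned above for provisioning a cloud-only user in a federated tenant, written out as an added example. This is not code from the original post or from Secret Double Octopus; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed and the caller has consented to User.ReadWrite.All, and the domain name and the ImmutableID formatting convention are placeholders rather than values from the page.

```powershell
# Added example (not from the original post or SDO's tooling): create a cloud-only
# user in a federated Entra ID domain with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Authentication and Microsoft.Graph.Users are installed,
# the caller holds User.ReadWrite.All, and 'contoso.example' is a placeholder domain.
param(
    [Parameter(Mandatory)] [string] $DisplayName,
    [Parameter(Mandatory)] [string] $MailNickname,
    [string] $FederatedDomain = 'contoso.example'   # placeholder, not a real tenant
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Graph requires a passwordProfile on creation even though, in a federated domain,
# the password is never typed by anyone: sign-in for this UPN is redirected to the IdP.
# Generate a random throwaway value so no human-known password ever exists.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(32)
$rng.GetBytes($bytes)
$throwaway = [Convert]::ToBase64String($bytes)

# Federated sign-in matches the IdP's ImmutableID claim against the user's
# onPremisesImmutableId, so give the account a stable per-user value.
# The GUID-as-Base64 format is an assumption; align it with how your IdP issues the claim.
$immutableId = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())

$user = New-MgUser `
    -DisplayName           $DisplayName `
    -MailNickname          $MailNickname `
    -UserPrincipalName     "$MailNickname@$FederatedDomain" `
    -AccountEnabled `
    -OnPremisesImmutableId $immutableId `
    -PasswordProfile @{
        Password                      = $throwaway
        ForceChangePasswordNextSignIn = $false
    }

# Read the object back to confirm the UPN sits in the federated domain and the
# ImmutableID the IdP must assert is recorded on the account.
Get-MgUser -UserId $user.Id -Property Id,UserPrincipalName,AccountEnabled,OnPremisesImmutableId |
    Select-Object Id,UserPrincipalName,AccountEnabled,OnPremisesImmutableId
```

Run it from an administrative host with the Graph SDK installed. The generated password exists only to satisfy the API: because the domain is federated, Entra ID hands sign-in for this UPN to the identity provider, so the password-related attack surface this post describes never becomes a user-facing secret.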
See it in Action: Real-World Passwordless Workflows with Secret Double Octopus
To truly appreciate how Secret Double Octopus enhances authentication in Entra ID environments, watch the video below. This video shows a brand-new machine being joined to Entra ID, Autopilot deploying the Octopus Desk credential provider, and the end user never having to enter a password. All authentications are secure and biometric-based.
▶ Cloud-Only Account Creation with a Federated Domain