
MagicEndpoint Integration with Microsoft 365: Overview & Architecture

Summary

This article explains the architecture, authentication model and components involved when MagicEndpoint is deployed as the federated identity provider (IdP) for a Microsoft Entra ID domain, using WS‑Federation for browser sign‑in and WS‑Trust for clients that cannot follow a browser redirect.

What is MagicEndpoint?

MagicEndpoint (ME) is a hardware‑backed authentication system that uses TPM‑based attestation to authenticate users silently after Windows unlock. Using SES and SD IdP, MagicEndpoint can act as the authoritative IdP for a hybrid Active Directory and Entra environment.

Key Components

  • SecureDoc Enterprise Server (SES) — central server, database, and IdP configuration host

  • SD IdP — the WS‑Fed (passive) and WS‑Trust (active) endpoints that Entra ID is federated to; issues the signed assertions

  • MagicEndpoint Agent — provides TPM‑based hardware identity and silent SSO

  • Microsoft Entra ID — relying party (service provider) that consumes the signed assertions SD IdP issues and grants access to Microsoft 365

How Authentication Works

Flow: User Device (MagicEndpoint Agent) → SD IdP → Entra ID → Microsoft 365.

  1. The user unlocks Windows with PIN/biometric; the MagicEndpoint Agent establishes a TPM‑backed session on the device.

  2. The user opens a cloud app (e.g., Outlook, Teams).

  3. Because the user's domain is federated, Entra ID hands the sign‑in to SD IdP: a WS‑Fed redirect for browser sign‑ins, a WS‑Trust request to the active endpoint for clients that cannot follow a redirect.

  4. SD IdP challenges the MagicEndpoint Agent and verifies its TPM‑based attestation.

  5. SD IdP returns a signed assertion carrying the user's UPN and ImmutableID; Entra ID checks the signature against the token‑signing certificate registered for the domain and matches the ImmutableID to the user object.

  6. The user gains access with no password prompt.
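The assertion in step 5 is what Entra ID actually judges, so it pays to inspect one captured from SD IdP before trying a pilot user. The following PowerShell is an added example, not WinMagic/SecureDoc code: it checks a WS‑Fed (SAML 1.1) assertion for the issuer, audience, validity window and the UPN/ImmutableID claims Entra ID expects from any federated IdP. The issuer URL, user, ImmutableID and the sample assertion itself are constructed placeholders, and the sample deliberately carries no ds:Signature element so the check has something to report.

```powershell
# Added example (not part of the SecureDoc/MagicEndpoint product): pre-flight check of a
# WS-Fed SAML 1.1 assertion against what Entra ID requires from a federated IdP.
# Constructed values: issuer URL, pilot user, ImmutableID, timestamps.

function Test-EntraFederationAssertion {
    param(
        [xml]$Doc,                          # the assertion as XML
        [string]$IssuerUri,                 # IssuerUri registered in the domain's federation configuration
        [string]$OnPremImmutableId,         # onPremisesImmutableId of the Entra user the assertion is for
        [DateTime]$At = [DateTime]::UtcNow  # UTC time at which the assertion was presented
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $a = $Doc.SelectSingleNode('/saml:Assertion', $ns)
    $findings = @()

    # Issuer must equal the registered IssuerUri or Entra will not trust the token at all.
    $issuer = $a.GetAttribute('Issuer')
    if ($issuer -ne $IssuerUri) { $findings += "Issuer '$issuer' != registered IssuerUri '$IssuerUri'" }

    # Audience is fixed for Entra ID / Microsoft 365 federation.
    $aud = $a.SelectSingleNode('saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience', $ns)
    if (-not $aud -or $aud.InnerText -ne 'urn:federation:MicrosoftOnline') { $findings += 'Audience is not urn:federation:MicrosoftOnline' }

    # Validity window: clock skew between SD IdP and Entra shows up here as rejected tokens.
    $cond = $a.SelectSingleNode('saml:Conditions', $ns)
    $nb   = [DateTimeOffset]::Parse($cond.GetAttribute('NotBefore')).UtcDateTime
    $noa  = [DateTimeOffset]::Parse($cond.GetAttribute('NotOnOrAfter')).UtcDateTime
    if ($At -lt $nb -or $At -ge $noa) { $findings += "Presented at $($At.ToString('u')) but valid only $($nb.ToString('u')) .. $($noa.ToString('u'))" }

    # Claims Entra matches the user on. In SAML 1.1 the claim type is split into namespace + name.
    $upn = $a.SelectSingleNode("saml:AttributeStatement/saml:Attribute[@AttributeNamespace='http://schemas.xmlsoap.org/claims' and @AttributeName='UPN']/saml:AttributeValue", $ns)
    if (-not $upn -or $upn.InnerText -notmatch '^[^@]+@[^@]+$') { $findings += 'UPN claim missing or malformed' }
    $iid = $a.SelectSingleNode("saml:AttributeStatement/saml:Attribute[@AttributeNamespace='http://schemas.microsoft.com/LiveID/Federation/2008/05' and @AttributeName='ImmutableID']/saml:AttributeValue", $ns)
    if (-not $iid) { $findings += 'ImmutableID claim missing' }
    elseif ($iid.InnerText -ne $OnPremImmutableId) { $findings += "ImmutableID '$($iid.InnerText)' != onPremisesImmutableId '$OnPremImmutableId'" }
    $nameId = $a.SelectSingleNode('saml:AttributeStatement/saml:Subject/saml:NameIdentifier', $ns)
    if (-not $nameId -or $nameId.InnerText -ne $OnPremImmutableId) { $findings += 'Subject NameIdentifier does not carry the ImmutableID' }

    # Presence only: Entra verifies the signature itself against the registered token-signing certificate.
    if (-not $a.SelectSingleNode('ds:Signature', $ns)) { $findings += 'No ds:Signature element: Entra rejects unsigned assertions' }

    return ,$findings
}

# Constructed sample assertion (no signature on purpose).
[xml]$Assertion = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
                AssertionID="_a1b2c3" Issuer="https://sdidp.contoso.com/sdidp/services/trust" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T08:55:00Z" NotOnOrAfter="2024-05-01T10:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Gx3b1Z9T4kS2X7mFQjYp0g==</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>pilot.user@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>Gx3b1Z9T4kS2X7mFQjYp0g==</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

$findings = @(Test-EntraFederationAssertion -Doc $Assertion `
    -IssuerUri 'https://sdidp.contoso.com/sdidp/services/trust' `
    -OnPremImmutableId 'Gx3b1Z9T4kS2X7mFQjYp0g==' `
    -At ([DateTimeOffset]::Parse('2024-05-01T09:00:00Z').UtcDateTime))
if ($findings.Count -eq 0) { 'Assertion looks acceptable to Entra ID' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

For the constructed sample every check passes except the signature presence, which is the one finding printed. Against a real capture, pass the time the assertion was presented in -At rather than the current time, and take the IssuerUri and onPremisesImmutableId from Get-MgDomainFederationConfiguration and Get-MgUser respectively so the comparison is against what the tenant actually holds.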

Security Considerations

  • Keep at least two break‑glass Global Administrator accounts on the non‑federated .onmicrosoft.com domain; if SD IdP is unavailable, they are the only way back into the tenant

  • Ensure ImmutableID consistency: the ImmutableID claim SD IdP issues must equal the user's onPremisesImmutableId (the sync source anchor) in Entra ID, or sign‑in fails even with a valid signature

  • If migrating from AD FS, inventory and remove remnants (existing federation settings on the domain, the Microsoft Online relying party trust, stale token‑signing certificates) before pointing the domain at SD IdP

  • Confirm TPM 2.0 is present and enabled on every device that will rely on MagicEndpoint attestation

  • Allow‑list the MagicEndpoint AAGUID in the Entra FIDO2 authentication method policy where ME is also used as a FIDO2 authenticator

Best Practices

  • Sync directory attributes (UPN, ImmutableID) and confirm they match in Entra ID before enabling federation

  • Validate SSO with a small pilot group before tenant‑wide rollout

  • Monitor SES Web logs for attestation failures

  • Avoid self‑signed certificates for the SD IdP endpoints; when the token‑signing certificate rolls over, update the certificate registered in the domain's federation configuration at the same time
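The checks in Security Considerations and Best Practices above can be run before the domain is cut over. The following PowerShell is an added example, not WinMagic/SecureDoc code: it uses the Microsoft Graph PowerShell SDK to verify the break‑glass accounts, ImmutableID population, token‑signing certificate and any existing AD FS federation, and only then (with -Apply) federates the domain to SD IdP over WS‑Fed/WS‑Trust. The domain name, SD IdP endpoint paths (modelled on AD FS conventions) and certificate path are assumed placeholders; the real endpoints come from the SD IdP's federation metadata. The Global Administrator role definition id is Entra's fixed template id.

```powershell
# Added example (not part of the SecureDoc/MagicEndpoint product). Requires Microsoft.Graph PowerShell SDK.
# Placeholders: $Domain, $IdpBaseUrl, $IssuerUri, $SigningCertPath and the endpoint paths under $IdpBaseUrl.
param(
    [string]$Domain          = 'contoso.com',
    [string]$IdpBaseUrl      = 'https://sdidp.contoso.com',
    [string]$IssuerUri       = 'https://sdidp.contoso.com/sdidp/services/trust',
    [string]$SigningCertPath = '.\sdidp-token-signing.cer',   # SD IdP token-signing public cert (DER/PEM)
    [switch]$Apply                                               # without -Apply nothing is changed
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All','User.Read.All','RoleManagement.Read.Directory' | Out-Null
$problems = @()

# 1. Break-glass: at least two Global Administrators on cloud-only .onmicrosoft.com accounts.
$gaRoleId     = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role definition (template) id
$assignments  = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaRoleId'" -All
$cloudOnlyGAs = @(foreach ($ra in $assignments) {
    # Principal may be a group or service principal; those fail the user lookup and are skipped.
    $u = Get-MgUser -UserId $ra.PrincipalId -Property UserPrincipalName,OnPremisesSyncEnabled -ErrorAction SilentlyContinue
    if ($u -and $u.UserPrincipalName -like '*.onmicrosoft.com' -and -not $u.OnPremisesSyncEnabled) { $u.UserPrincipalName }
})
if ($cloudOnlyGAs.Count -lt 2) { $problems += "Only $($cloudOnlyGAs.Count) cloud-only .onmicrosoft.com Global Admin(s); need two before federating" }

# 2. ImmutableID consistency: Entra matches the ImmutableID claim against onPremisesImmutableId,
#    so a user in the domain without one cannot sign in through SD IdP.
$domainUsers = Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId |
               Where-Object { $_.UserPrincipalName -like "*@$Domain" }
$noAnchor = @($domainUsers | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesImmutableId) })
if ($noAnchor.Count -gt 0) {
    $sample = ($noAnchor | Select-Object -First 5 -ExpandProperty UserPrincipalName) -join ', '
    $problems += "$($noAnchor.Count) user(s) in $Domain have no onPremisesImmutableId (e.g. $sample)"
}

# 3. Token-signing certificate: Entra verifies assertion signatures with this public key.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $SigningCertPath).Path)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Signing certificate expires $($cert.NotAfter); plan the rollover first" }
if ($cert.Subject -eq $cert.Issuer) { Write-Warning "Signing certificate is self-signed ($($cert.Subject))" }

# 4. AD FS remnants: a domain that is already federated must be migrated deliberately, not overwritten.
$current = Get-MgDomain -DomainId $Domain
if ($current.AuthenticationType -eq 'Federated') {
    $existing = Get-MgDomainFederationConfiguration -DomainId $Domain
    $problems += "$Domain is already federated to IssuerUri '$($existing.IssuerUri)' (passive endpoint $($existing.PassiveSignInUri)); remove or migrate that trust first"
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return }
Write-Host "Pre-flight checks passed for $Domain"
if (-not $Apply) { Write-Host 'Re-run with -Apply to create the federation configuration'; return }

# 5. Federate: WS-Fed passive endpoint for browser sign-in, WS-Trust active endpoint for clients that
#    cannot follow a redirect, MEX so Entra can discover the active endpoint. Paths are placeholders.
#    federatedIdpMfaBehavior is left at its default here; decide explicitly whether Entra should
#    accept MFA claims from SD IdP before going to production.
New-MgDomainFederationConfiguration -DomainId $Domain `
    -DisplayName 'MagicEndpoint SD IdP' `
    -IssuerUri $IssuerUri `
    -PassiveSignInUri    "$IdpBaseUrl/sdidp/ls/" `
    -ActiveSignInUri     "$IdpBaseUrl/sdidp/services/trust/2005/usernamemixed" `
    -MetadataExchangeUri "$IdpBaseUrl/sdidp/services/trust/mex" `
    -SignOutUri          "$IdpBaseUrl/sdidp/ls/" `
    -SigningCertificate  ([Convert]::ToBase64String($cert.RawData)) `
    -PreferredAuthenticationProtocol wsFed
```

Run it once without -Apply from an account that is itself one of the cloud‑only administrators, fix every warning, then run it again with -Apply. The order matters: the ImmutableID and break‑glass checks are cheap to pass before cut‑over and expensive to discover afterwards, when the only accounts that can still sign in are the ones the first check insists on.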