Imprivata Documentation | Imprivata Mobile Access Management (GroundControl) | Topic updated: June 04, 2025

Face Recognition as an Authentication Method

Applies to iOS and Android devices.

Imprivata Mobile Access Management supports face recognition as an authentication method for device check out, using the integration with Imprivata Enterprise Access Management as the identity provider.

Face Recognition Authentication Methods for Device Check Out

Some combinations of authentication factors available in Imprivata Enterprise Access Management are not supported by Mobile Access Management for device Check Out.

The following table illustrates the EAM primary and secondary authentication method selections and the resulting Check Out behaviors in MAM when used with face recognition.

Primary	Secondary	Device Check Out Behavior
Check Out is initiated by the user taking a device out of the Smart Hub
Face recognition	Password	User taps Unlock with password on the Imprivata Locker lock screen. User enters username and password. Imprivata Locker app prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Check Out is initiated by the user tapping their proximity card on a Launchpad
Face recognition	Proximity Card	User taps their proximity card on the Launchpad's proximity card reader. The device is selected. Imprivata Locker lights up the device's display screen. Imprivata Locker app prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Face recognition	Security Key or Imprivata PIN or Proximity Card	User taps their proximity card on the Launchpad's proximity card reader. The device is selected. Imprivata Locker lights up the device's display screen. Imprivata Locker app prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.

Prerequisites

Take note of the following prerequisites:

Imprivata enabled the Check Out feature for your organization.
You have met the prerequisites for the Check Out and Password AutoFill features, including appropriate Imprivata licensing.
You configured the integration with Imprivata Enterprise Access Management as your identity provider (IdP).

Requirements

The Imprivata Cloud Connect service to your tenant on the Imprivata Cloud Platform must be up and running.
Users in a policy enabled for face recognition must be synced from Active Directory (AD) to Entra ID.
The cloud must be synced from AD to Entra ID with Entra Connect.
Users must already have their username and password enrolled with Imprivata Enterprise Access Management SSO, and they must have used their username and password against the Imprivata appliance at least once. This includes logging into their desktop, or logging into the Imprivata enrollment utility.
Internet access is required for facial biometric authentication.

If the device cannot connect with your Imprivata Cloud Platform, an error message will appear during authentication. In this scenario, the user can select another authentication method (password / Imprivata PIN, etc) to complete the authentication.

Imprivata Licensing: Face recognition authentication requires an Authentication Management license and a Confirm ID for Remote Access license.
Imprivata Locker app requirements:
- iOS — Imprivata Locker for iOS 4.0 or later.
- Android — Imprivata Locker for Android 2.0 or later.
- The user must grant access to the device's camera to use face recognition.

Additional Resources

For more information, see the Imprivata Enterprise Access Management online help.

Before You Begin

Face recognition authentication for MAM requires:

The Imprivata appliances in your Imprivata enterprise must be running Imprivata Enterprise Access Management 25.2 or later.

For more information on upgrading your Imprivata appliances, see the Imprivata Upgrade portal.
Complete the connection between your Imprivata enterprise and your tenant on the Imprivata Control Center. See Secure Connection to Imprivata Cloud Platform.

Secure Connection to Imprivata Cloud Platform

Configure the secure connection between your Imprivata appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration.

Setup Wizard

Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection.

Before You Begin

You need a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
You need access to your Imprivata Admin Console.

Wizarding Steps

The setup wizard leads you through the following steps:

Agree to the Data Processing Addendum
In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
On the Imprivata Access Management integration page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.

On this page, copy the Enterprise integration ID to your clipboard.
In the Cloud Tenant Setup Wizard, paste the Enterprise integration ID.
Click Create integration token and then Copy integration token.
In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
To enable SSO to the Imprivata Control Center using your SAML IdP: Before you leave this page, select Administrator console single sign-on using SAML
Copy the Imprivata SP metadata URL and provide it to your IdP.
NOTE:
- Sign On URL — https://access.imprivata.com
- Logout URL — copy your ACS URL, and replace /saml2/acs with /saml2/slo/redirect
- Recommended — Configure Group ID (rather than group name) as the source attribute for group claims.
Enter your IdP's SAML metadata in the wizard.
Configure the groups that identify users with administrative access.
Add your organization's business email address, user-facing name, and logo.

Configure Entra ID as The Identity Provider

In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
Before you leave this page, select Administrator console single sign-on using SAML
Copy the Imprivata SP metadata URL.

In the Entra app, select Microsoft Entra ID > Manage > Enterprise applications and select New application. Then select Create your own application.
Enter a display name for your new application, select Integrate any other application you don't find in the gallery, then select Create.
Go to Overview > Assign users and groups, and add users/groups.
Select Set up single sign-on.
Select SAML as the single sign-on method.
Click Upload metadata file and upload the Imprivata SP metadata file you created earlier.
For Basic SAML Configuration, provide the Sign on URL https://access.imprivata.com
For Logout Url, copy the Reply URL (Assertion Consumer Service URL) located higher up on the page and paste it, replacing /saml2/acs with /saml2/slo/redirect.
Click Save and close the Basic SAML Configuration applet
Under SAML Certificates, copy the App Federation Metadata Url.
Back in the Imprivata Setup Wizard, enter Entra's SAML IdP metadata URL in the wizard.
Click Continue, which will take you to a page to configure security groups for admin access.

The next section asks you to configure SAML group claims to authorize administrators. Admins can modify the SAML configuration and generate additional integration tokens later.

In the Entra app, click Attributes & Claims > Edit
Click Add a group claim if there isn’t one already.

Best Practice: use Group ID as the source attribute. Click Save.
Copy the claim name for groups from Entra ID
(for example, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)
In the Imprivata setup wizard > Identity Provider: Connect page, paste the claim name into the field for SAML attribute name.
In the Entra app, copy the Object ID for a group that should have administrator access to Imprivata.
In the Imprivata setup wizard > Identity Provider: Connect page, paste the Object ID for SAML attribute value. You can enter multiple groups separated by commas.
In the Imprivata setup wizard, click Continue.

Add your organization's business email address, user-facing name, and logo.
Click Continue to complete the wizard.
Click Go to access.imprivata.com to test your expected workflow for accessing the Imprivata Control Center.
At the login screen, enter an email address with the same domain you configured in the setup wizard, and click Continue.

You will be redirected to your Entra ID login screen.
After authenticating with Entra ID, you will be redirected to your Imprivata Control Center.

Optional — Manual Setup

You can also create the secure connection manually, after Imprivata Services has created a Cloud Tenant for your enterprise.

If you configured your SAML IdP, but did not complete the steps from the Cloud Tenant Setup Wizard to connect your Imprivata enterprise, you can still generate an integration token by logging into the Imprivata Cloud Platform from access.imprivata.com.

Before you begin, in the Imprivata Admin Console > Imprivata cloud services status panel, Access Management integration is "greyed out".

In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.

On this page, copy the Enterprise integration ID to your clipboard.
Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
On the gear icon > Integrations tab, paste the Enterprise integration ID, and click Create integration token.
After the token appears onscreen, click Copy integration token.
Return to the Imprivata Admin Console > Imprivata Access Management page, and paste the integration token in the field provided, and click Integrate.

When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.

NOTE:
This integration applies to every appliance in the enterprise.

NOTE:
If you need to connect additional enterprises to this cloud tenant, or re-establish this connection, return to the Integrations tab to create an integration token again.

Stopping and Restarting This Connection

You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).

In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
Imprivata Cloud Connect status is either Running or Disabled (stopped).
Select Stop/restart options.
Select from:
- Stop Imprivata Cloud Connect on this appliance
- Restart Imprivata Cloud Connect on this appliance
- Stop Imprivata Cloud Connect on all appliances
- Restart Imprivata Cloud Connect on all appliances
  
  NOTE:
  In this context, "Restart" means "start this stopped connection" and also "restart this connection that is already running".
Click Go.

Configure Microsoft Entra ID

Step 1: Add Imprivata Cloud IP addresses to Entra ID

Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
Select IP ranges location.
Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.
Add the following IP addresses:
- 44.207.16.175/32
- 44.196.189.191/32
- 34.195.47.118/32

Click Save.

Step 2: Optional — Add Imprivata to Trusted Per-user MFA

If you use "per-user" multifactor authentication, then add the Imprivata Cloud Platform to the "per-user" MFA trusted IPs:

Go to Entra ID Overview > Manage > Users, and select Per-user multifactor authentication
Select the Service settings tab.
Add the same IP addresses from the Trusted Locations field, above:
- 44.207.16.175/32
- 44.196.189.191/32
- 34.195.47.118/32
Click Save.

Configure Enterprise Access Management

Step 1: Cloud Tenant Setup

Click Get Started, then Continue. At the Connect Entra ID step, copy the Tenant ID from your Entra ID portal.
Enter the Tenant ID in the wizard, and click Continue to Entra ID Authentication.
You will be redirected to a Microsoft login. Log in as someone with Global Administrator or Privileged Role Administrator privileges.
You will be prompted to authorize Imprivata’s verified application with the following permissions:
- Read all groups
- Read all users’ full profiles
- Read all group memberships
- Sign in and read user profile
Click Accept to grant Imprivata Cloud access to the Entra ID tenant.

Step 2: Optional — Include Home Realm Discovery Policy

This step is needed if you are using federated authentication. The Imprivata Cloud Platform must be able to validate user passwords when typed in. In a federated environment, Imprivata needs to avoid these calls from being redirected to the federated identity provider (IdP). You must change the home realm discovery policy for authentication from the Imprivata Cloud to your Entra ID tenant only. This will only apply to authentication calls made by the Imprivata Astra Azure AD Sync application.

To create and apply the Home Realm Discovery policy:

Log in to Microsoft Graph Explorer. To make it more secure, log in as the Global Administrator.
Consent to the Microsoft Graph explorer application in your tenant.

For more information, see the Microsoft Graph API documentation.

Create a home realm discovery policy by making the following HTTP request:

POST - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies

Request body

In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object:

Copy

    {
                            "displayName": "yourPolicyName",
                            "definition": [
                            "{\"HomeRealmDiscoveryPolicy\": 
                            {\"AllowCloudPasswordValidation\":true, } }"
                            ],
                            "isOrganizationDefault": false
                        }

Response

If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.

Example Response

Copy

{
                        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
                        "value": [
                        {
                        "id": "239cbead-1111-654a-9f50-1467d691aaa",
                        "deletedDateTime": null,
                        "definition": [
                        "{\"HomeRealmDiscoveryPolicy\" : { \"AllowCloudPasswordValidation\":true, } }"
                        ],
                        "displayName": "Exclude Federated Authentication ",
                        "isOrganizationDefault": false
                        }
                        ]
                    }

Assign the home realm discovery policy to the Imprivata Astra Azure AD Sync application by making the following HTTP request:

POST - https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Astra Azure AD Sync application object id>/homeRealmDiscoveryPolicies/$ref

Request body

In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned.
Copy
```
{
                        "@odata.id":"https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
                    }
```
Response

If successful, this method returns a 204 No Content response code.

Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:

GET - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo

Response

Copy

{
                        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
                        "value": [
                        {
                        "@odata.type": "#microsoft.graph.servicePrincipal",
                        "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",

                    ...

Step 3: Secure Connection to Imprivata Cloud Platform

In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.

On this page, copy the Enterprise integration ID to your clipboard.
Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
On the Settings > System page, go to Enterprise Access Management integration, paste the Enterprise integration ID, and click Create integration token.
After the token appears onscreen, click Copy integration token.
Return to the Imprivata Admin Console > Imprivata Access Management page, and paste the integration token in the field provided, and click Integrate.

When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.

NOTE:
This integration applies to every appliance in the enterprise.

Step 4: User Policy Setup

In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
Select Face recognition as a primary factor.
Select a second factor for Face recognition:
- no second factor
- Security Key
- Imprivata PIN
- Password
- Proximity Card
- Security Key or Imprivata PIN or Proximity Card
  
  Click to enlarge
Select another primary factor if needed. For example, if users in this policy must authenticate via password where Face recognition authentication is not available.
Click Save.

Step 6: Confirm the EAM Computer Policy is Enabled for Proximity Card

Mobile Access Management organizations with Check Out using EAM as the Identity provider (IdP) create a host (computer) in EAM for every Launchpad registered. That computer in EAM gets a computer policy which must have a proximity card enabled to be able to perform a checkout with a proximity card tap.

Confirm that there is no override in the computer policy that the Launchpads are assigned to.
Confirm that the user policies your mobile users are assigned to allow proximity cards as a primary factor.

If both of the above conditions are true, no changes are needed. However, if an override is already enabled within the computer policy the Launchpads are in, ensure that Proximity Card is allowed in the override. If this is not possible or allowed for your organization, Imprivata suggests moving the Launchpads into a separate computer policy.

If you've performed the validations above, and computer policy changes are indeed needed for your environment, follow these steps.

In the Imprivata Admin Console, go to Computers > Computer policies and select the computer policy your Launchpad is using.
In Override and Restrict tab > Desktop Access Authentication Restrictions section, make sure that the option for Proximity Card is selected (enabled).

Click to enlarge