Certificate-based authentication is a robust, phishing-resistant mechanism for validating a user's identity. Until recently, however, making it available for Azure AD meant federating the tenant with Active Directory Federation Services (AD FS). Microsoft has now introduced an Azure AD certificate-based authentication service (Azure AD CBA), which significantly simplifies implementing certificate-based authentication against the cloud directory.
By Brandon Lee

The architecture of federated certificate-based authentication looks like the following, with AD FS sitting in the middle of the user's sign-in request and Microsoft Azure Active Directory.

Certificate based authentication using Active Directory Federation Services (AD FS)

The new Azure AD certificate-based authentication service eliminates AD FS from the equation and allows certificate-based logins to communicate directly with Azure Active Directory.

Azure Active Directory certificate based authentication

Pros and cons of Azure AD certificate-based authentication

AAD certificate-based authentication offers many benefits, both from a user's and administrator's point of view. These include:

  • There is no additional infrastructure needed to support certificate-based authentication.
  • X.509 certificate-based authentication is arguably one of the strongest protections against phishing: the private key never leaves the user's device or smart card, and no reusable secret is typed into a sign-in page.
  • It supports browser-based and Office client application logins.
  • You can combine it with other Azure AD security protections, such as Conditional Access and MFA.
  • It is a free Azure service.
  • You do not need Active Directory Federation Services.

What are the limitations of Azure AD certificate-based authentication? There are a few to note, including:

  • Customers need to operate their own public key infrastructure (PKI) and provision certificates to their users and devices; Azure AD only validates the certificates it is presented with.
  • It does not support Certificate Authority hints, so a browser holding several client certificates is not told which issuers Azure AD will accept.
  • It does not support smart card sign-in on Windows devices.
  • Revocation is checked only against CRL distribution points published over HTTP; Online Certificate Status Protocol (OCSP) and Lightweight Directory Access Protocol (LDAP) URLs are not supported.
  • Username binding is limited to the certificate fields Azure AD exposes (such as the SAN PrincipalName and RFC822Name values) mapped to supported user attributes; you can't configure arbitrary certificate-to-user account bindings.
  • Password authentication can't be disabled when CBA is enabled, and the option to sign in with a password is still displayed, so the password remains a usable credential that Conditional Access and MFA must continue to protect.

How does Azure AD certificate-based authentication work?

Let's look at the logon process when Azure AD certificate-based authentication is enabled. When a user attempts to access an app protected by Azure AD with certificate-based authentication enabled, the flow is as follows:

  1. The user attempts to access a Microsoft cloud SaaS application.
  2. If the user needs to sign in, they are redirected to https://login.microsoftonline.com.
  3. The user enters their username on the Azure AD sign-in page.
  4. Azure AD checks whether certificate-based authentication is enabled for that user. If it is, the sign-in prompt shows the following additional option:

    Choosing the sign in with certificate option

  5. When the user clicks the Sign in with a certificate link, they are redirected to the certauth endpoint at https://certauth.login.microsoftonline.com. This endpoint performs mutual TLS: it requests the client certificate as part of the TLS handshake.
  6. The browser prompts for a client certificate; the user picks the certificate to use and clicks OK.
  7. Azure AD verifies that the certificate chains to a certification authority uploaded to the tenant, is within its validity period, and is not listed on that CA's CRL. It then applies the username binding to map the certificate to a user account.
  8. If the user is valid and a Conditional Access policy requires MFA, the certificate satisfies that requirement only when the authentication binding policy classifies it as multifactor (by default or through an issuer or policy OID rule); otherwise, the user is prompted for another factor.
  9. Azure AD completes the sign-in and returns a primary refresh token to indicate a successful sign-in.

The user can now successfully access the application link.
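The checks in steps 7 and 8 above, as an added example that is not part of the original article or of Microsoft's code. It models the order Azure AD applies them in: trusted issuer, validity period, CRL lookup, username binding in priority order, then the single-factor/multifactor decision. The certificates, users, trust store, CRL contents and policy are constructed in-memory stand-ins (the issuer names, users and serial numbers are assumptions); a real deployment gets them from the TLS handshake, the directory, the CAs uploaded to the tenant and the authentication methods policy.

```python
"""Offline model of the certauth checks: trust, validity, revocation,
username binding and protection level. All inputs below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ClientCert:
    """Fields a real X.509 parser would extract from the presented certificate."""
    serial: str
    issuer: str                                # issuer DN, matched to trusted CAs
    not_before: datetime
    not_after: datetime
    san_principal_name: Optional[str] = None   # SAN otherName UPN
    san_rfc822_name: Optional[str] = None      # SAN email address


# Constructed trust store: issuer DN -> serials listed on that CA's HTTP CRL.
TRUSTED_CAS = {
    "CN=Contoso Issuing CA": {"0x1f"},
    "CN=Contoso Partner CA": set(),
}

# Constructed directory users with the attributes CBA can bind to.
# certificateUserIds uses the X509:<PN>... form Azure AD expects.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "certificateUserIds": []},
    {"userPrincipalName": "bob@contoso.example",
     "certificateUserIds": ["X509:<PN>bob.adm@contoso.example"]},
]

# Username bindings, tried in priority order (lowest number first).
USERNAME_BINDINGS = [
    {"field": "PrincipalName", "userProperty": "userPrincipalName", "priority": 1},
    {"field": "RFC822Name", "userProperty": "userPrincipalName", "priority": 2},
    {"field": "PrincipalName", "userProperty": "certificateUserIds", "priority": 3},
]

# Authentication binding: default protection level plus per-issuer overrides.
DEFAULT_MODE = "singleFactor"
MODE_RULES = [{"issuer": "CN=Contoso Issuing CA", "mode": "multiFactor"}]


def lookup_user(cert: ClientCert):
    """Return (user, binding rule) for the first matching binding, else (None, None)."""
    for rule in sorted(USERNAME_BINDINGS, key=lambda r: r["priority"]):
        value = cert.san_principal_name if rule["field"] == "PrincipalName" else cert.san_rfc822_name
        if not value:
            continue
        for user in USERS:
            stored = user.get(rule["userProperty"])
            if rule["userProperty"] == "certificateUserIds":
                if f"X509:<PN>{value}" in (stored or []):
                    return user, rule
            elif stored and stored.lower() == value.lower():
                return user, rule
    return None, None


def authenticate(cert: ClientCert, now: datetime, mfa_required: bool) -> dict:
    """Apply the checks in the order Azure AD uses and report the outcome."""
    crl = TRUSTED_CAS.get(cert.issuer)
    if crl is None:
        return {"status": "untrusted_issuer"}
    if not cert.not_before <= now <= cert.not_after:
        return {"status": "outside_validity_period"}
    if cert.serial in crl:
        return {"status": "revoked"}
    user, rule = lookup_user(cert)
    if user is None:
        return {"status": "no_user_binding"}
    mode = next((r["mode"] for r in MODE_RULES if r["issuer"] == cert.issuer), DEFAULT_MODE)
    # A single-factor certificate still authenticates, but Conditional Access
    # then demands a second factor; a multifactor one satisfies MFA on its own.
    status = "success" if mode == "multiFactor" or not mfa_required else "additional_factor_required"
    return {"status": status, "user": user["userPrincipalName"],
            "auth_mode": mode, "bound_by": rule["userProperty"]}


# Constructed sample certificates exercising each branch.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
_FROM = datetime(2023, 1, 1, tzinfo=timezone.utc)
_TO = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "alice": ClientCert("0x10", "CN=Contoso Issuing CA", _FROM, _TO,
                        san_principal_name="alice@contoso.example"),
    "revoked": ClientCert("0x1f", "CN=Contoso Issuing CA", _FROM, _TO,
                          san_principal_name="alice@contoso.example"),
    "expired": ClientCert("0x11", "CN=Contoso Issuing CA",
                          datetime(2022, 1, 1, tzinfo=timezone.utc),
                          datetime(2022, 12, 31, tzinfo=timezone.utc),
                          san_principal_name="alice@contoso.example"),
    "rogue_ca": ClientCert("0x01", "CN=Untrusted CA", _FROM, _TO,
                           san_principal_name="alice@contoso.example"),
    "bob_admin": ClientCert("0x22", "CN=Contoso Partner CA", _FROM, _TO,
                            san_principal_name="bob.adm@contoso.example"),
    "stranger": ClientCert("0x23", "CN=Contoso Partner CA", _FROM, _TO,
                           san_rfc822_name="mallory@contoso.example"),
}


def run_samples(mfa_required: bool = True) -> dict:
    """Authenticate every sample certificate under one MFA requirement."""
    return {name: authenticate(c, NOW, mfa_required) for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:10} -> {result}")
```

The two things worth noticing when running it: the revoked certificate is rejected before any user lookup happens, and Bob's admin certificate, issued by a CA without a multifactor rule, authenticates but still leaves an MFA-requiring Conditional Access policy unsatisfied.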

Where is Azure AD certificate-based authentication configured?

After uploading the root and intermediate CA certificates that issue your user certificates (each with its CRL distribution point URL) and optionally adjusting the username binding, you can enable the feature in the Azure portal.

Steps to activate certificate based authentication

When signed in as a Global Administrator (or Authentication Policy Administrator), you can enable and configure Azure AD certificate-based authentication here:

Click Azure Active Directory > Security > Authentication methods > Policies > Certificate-based Authentication > Basics. Then click On to enable certificate-based authentication.

As you can see below, certificate-based authentication in Azure AD is a configurable policy under the authentication methods profile.

Navigating to enable certificate based authentication

Enabling Azure AD certificate-based authentication is a simple toggle, together with selecting the users or groups the policy targets.

Enabling Azure AD certificate based authentication
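The same configuration expressed as Microsoft Graph requests, as an added example that is not part of the original article or of Microsoft's code: one body uploads the CA trust store behind the "upload certificates" step, the other enables the policy, sets the username bindings and marks certificates from one issuer as multifactor. Endpoint paths and property names follow the Graph certificateBasedAuthConfiguration and x509CertificateAuthenticationMethodConfiguration resource types; the CA bytes, CRL URLs, issuer subject, tenant ID and bearer token are placeholders the reader supplies.

```python
"""Build (offline) and optionally send the two Graph requests behind
Azure AD CBA setup. Placeholder values are marked where they appear."""
import base64
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def crl_url_is_supported(url: str) -> bool:
    """Azure AD CBA only downloads CRLs from HTTP distribution points;
    OCSP responders and LDAP URLs are not supported, so reject them up front."""
    return url.lower().startswith(("http://", "https://"))


def ca_entry(der_bytes: bytes, crl_url: str, is_root: bool) -> dict:
    """One certificateAuthority element: base64 DER certificate plus its CDP."""
    if not crl_url_is_supported(crl_url):
        raise ValueError(f"unsupported CRL distribution point: {crl_url}")
    return {
        "isRootAuthority": is_root,
        "certificate": base64.b64encode(der_bytes).decode("ascii"),
        "certificateRevocationListUrl": crl_url,
    }


def trust_store_body(entries: list) -> dict:
    """Body for POST /organization/{tenantId}/certificateBasedAuthConfiguration."""
    return {"certificateAuthorities": entries}


def cba_policy_body(issuer_subject: str, target_id: str = "all_users") -> dict:
    """Body for PATCH .../authenticationMethodConfigurations/X509Certificate.
    Enables CBA for the target, binds SAN PrincipalName and then RFC822Name to
    userPrincipalName, and treats certificates from issuer_subject as multifactor
    while everything else defaults to single factor."""
    return {
        "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [{"targetType": "group", "id": target_id,
                            "isRegistrationRequired": False}],
        "certificateUserBindings": [
            {"x509CertificateField": "PrincipalName",
             "userProperty": "userPrincipalName", "priority": 1},
            {"x509CertificateField": "RFC822Name",
             "userProperty": "userPrincipalName", "priority": 2},
        ],
        "authenticationModeConfiguration": {
            "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
            "rules": [{"x509CertificateRuleType": "issuerSubject",
                       "identifier": issuer_subject,
                       "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"}],
        },
    }


def graph_request(method: str, path: str, body: dict, token: str) -> int:
    """Send one JSON request to Graph and return the HTTP status code."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholders: a tenant ID and Graph token from the environment, DER-encoded
    # CA files on disk, and CRL URLs published by your PKI.
    tenant = os.environ["TENANT_ID"]
    token = os.environ["GRAPH_TOKEN"]
    with open("root-ca.cer", "rb") as f:
        root_der = f.read()
    with open("issuing-ca.cer", "rb") as f:
        issuing_der = f.read()
    store = trust_store_body([
        ca_entry(root_der, "http://pki.contoso.example/root.crl", True),
        ca_entry(issuing_der, "http://pki.contoso.example/issuing.crl", False),
    ])
    print(graph_request("POST", f"/organization/{tenant}/certificateBasedAuthConfiguration",
                        store, token))
    policy = cba_policy_body("CN=Contoso Issuing CA")
    print(graph_request("PATCH", "/policies/authenticationMethodsPolicy/"
                        "authenticationMethodConfigurations/X509Certificate",
                        policy, token))
```

The token needs Organization.ReadWrite.All for the trust store call and Policy.ReadWrite.AuthenticationMethod for the policy call; the rejection of non-HTTP CRL URLs in ca_entry catches the OCSP/LDAP limitation before the request ever reaches Azure AD.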

Wrapping up

The new Azure AD certificate-based authentication service simplifies certificate-based sign-in to cloud applications by taking the federation server out of the path between the user and Azure AD.


However, it has its limitations. Companies must operate their own public key infrastructure (PKI), smart card sign-in on Windows is not currently supported, and password authentication remains active in parallel.

© 4sysops 2006 - 2023