In the federated architecture, AD FS sits between the user's sign-in request and Microsoft Azure Active Directory: the on-premises AD FS farm validates the certificate and then issues a federation token that Azure AD trusts.
The new Azure AD certificate-based authentication service eliminates AD FS from the equation and allows certificate-based logins to be validated directly by Azure Active Directory.
Pros and cons of Azure AD certificate-based authentication
AAD certificate-based authentication offers many benefits, both from a user's and administrator's point of view. These include:
- No additional infrastructure, such as an AD FS farm, is needed beyond your existing PKI.
- X.509 certificate-based authentication is arguably one of the strongest protections against phishing: the private key is never typed or transmitted, so a fake login page has nothing to capture.
- It supports browser-based and Office client application logins.
- You can combine it with other Azure AD security protections, such as Conditional Access and MFA.
- It is a free Azure service.
- You do not need Active Directory Federation Services.
What are the limitations of Azure AD certificate-based authentication? There are a few to note, including:
- Customers need to configure their own public key infrastructure (PKI) and provision certificates to their users and devices.
- It does not support Certificate Authority hints (the list of acceptable issuers sent in the TLS certificate request, which lets the client filter the certificates it offers).
- It does not support smart card logins on Windows devices.
- Revocation checking is CRL-based only; the CRL distribution point must be an HTTP URL, as there is currently no support for Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs.
- Username bindings are limited to the fixed set Azure AD offers (certificate fields such as the SAN PrincipalName or RFC822Name mapped to the user's UPN); you can't configure other certificate-to-user account bindings.
- At this time, password authentication can't be disabled when CBA is enabled, so the option to sign in with a password is still displayed.
How does Azure AD certificate-based authentication work?
Let's look at the logon process when Azure AD certificate-based authentication is enabled. When a user attempts to access an app protected by Azure AD certificate-based authentication, the flow is as follows:
- The user attempts to access a Microsoft Cloud SaaS application.
- If the user needs to sign in, they will be redirected to https://login.microsoftonline.com.
- The user logs into the Azure AD sign-in page.
- At this point, Azure AD checks whether certificate-based authentication is enabled for the user. If it is, the login prompt shows an additional option, Sign in with a certificate.
- When the user clicks the Sign in with a certificate link, they are redirected to the certauth endpoint at https://certauth.login.microsoftonline.com. This endpoint performs mutual TLS: the client certificate is requested as part of the TLS handshake.
- The browser prompts for a client certificate; the user picks the certificate to use and clicks OK.
- Azure AD verifies that the certificate is valid and not revoked. It then validates the mapping between the certificate and the user account (the username binding).
- If the user is valid and a Conditional Access policy requiring MFA applies, the certificate may satisfy the MFA requirement, or another factor may be required, depending on how the policy is configured.
- The sign-in process completes and Azure AD sends back a primary refresh token, confirming the successful sign-in.
- The user can now access the application.
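The checks the certauth endpoint applies in the last steps above (chain validity, revocation, then certificate-to-user binding) in working form, as an added example that is not code from the original article or from Microsoft. The program builds a throwaway issuing CA, signs three user certificates, publishes a CRL that revokes one of them, and runs each certificate through the same sequence. The CA name, the contoso.example accounts, the serial numbers and the in-memory user directory are constructed for the example; the binding implemented is the SAN RFC822Name to userPrincipalName mapping only, and revocation is checked against a CRL rather than OCSP, matching the limitation listed earlier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// directory is a constructed stand-in for the tenant's user store: userPrincipalName -> display name.
var directory = map[string]string{"alice@contoso.example": "Alice", "bob@contoso.example": "Bob"}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and signs tmpl with parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// authenticate mirrors the certauth checks in order: chain, revocation, then username binding.
func authenticate(leaf, ca *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) (string, error) {
	// 1. Chain and validity period against the uploaded CA; the leaf must carry the TLS client-auth EKU.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	// 2. Revocation by CRL only (no OCSP): trust the list only after confirming the issuing CA signed it.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("CRL signature invalid: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", errors.New("certificate is revoked")
		}
	}
	// 3. Username binding: SAN RFC822Name -> userPrincipalName (the SAN PrincipalName/UPN binding works the same way).
	for _, email := range leaf.EmailAddresses {
		if name, ok := directory[email]; ok {
			return name, nil
		}
	}
	return "", errors.New("no user account bound to this certificate")
}

// Scenario builds a throwaway PKI and returns, per user, the bound account and the error (nil on success).
func Scenario() (map[string]string, map[string]error) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Contoso Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	user := func(serial int64, email string) *x509.Certificate {
		c, _ := issue(&x509.Certificate{ // the user's private key is not needed for the server-side checks
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return c
	}
	alice := user(2, "alice@contoso.example") // valid and bound to an account
	bob := user(3, "bob@contoso.example")     // bound, but revoked in the CRL below
	carol := user(4, "carol@contoso.example") // valid chain, but no matching account
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(crlDER) // in the real service this is fetched from the CA's HTTP CDP
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	users, errs := map[string]string{}, map[string]error{}
	for name, c := range map[string]*x509.Certificate{"alice": alice, "bob": bob, "carol": carol} {
		users[name], errs[name] = authenticate(c, ca, roots, crl)
	}
	return users, errs
}

func main() {
	users, errs := Scenario()
	for name := range errs {
		fmt.Printf("%-5s user=%q err=%v\n", name, users[name], errs[name])
	}
}
```

Run it with go run: alice signs in as Alice, bob is rejected as revoked even though his certificate chains correctly and is bound to an account, and carol is rejected because a valid certificate with no binding is not a login. The order matters: the binding lookup happens only after the chain and revocation checks pass, so a revoked certificate never reaches the directory.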
Where is Azure AD certificate-based authentication configured?
After uploading the root, intermediate, and issuing CA certificates and optionally configuring the username binding, you can enable the feature in the Azure portal.
When signed in as the global administrator, you can enable and configure Azure AD certificate-based authentication here:
Click Azure Active Directory > Security > Authentication methods > Policies > Certificate-based Authentication > Basics. Then click On to enable certificate-based authentication.
Certificate-based authentication in Azure AD is a configurable policy under the authentication methods profile, alongside the other authentication methods.
Enabling Azure AD certificate-based authentication is a simple toggle, together with the target users or groups the policy applies to.
Wrapping up
The new Azure AD certificate-based authentication service simplifies authentication via certificate to access cloud-based applications.
However, it has its limitations. For example, companies must operate their own public key infrastructure (PKI), smart cards are not currently supported, and password authentication remains active in parallel.