Microsoft Entra Blog
Azure AD Certificate-Based Authentication now in Public Preview

Alex_Simons
Feb 14, 2022

Howdy folks, 

Today I'm very excited to announce the public preview of Azure Active Directory certificate-based authentication (Azure AD CBA) across our commercial and US Government clouds!

In May of 2021, the President issued Executive Order 14028, Improving the Nation’s Cybersecurity, calling for the Federal Government to modernize and adopt a Zero Trust architecture, including phish-resistant multi-factor authentication (MFA) for employees, business partners, and vendors.

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
– President Biden, Executive Order 14028

Based on our experience working with Government customers, PIV/CAC cards are the most common authentication method used within the Federal Government.

While valuable for all customers, the ability to use X.509 certificates for authentication directly against Azure AD is particularly critical for Federal Government organizations that use PIV/CAC cards and want to comply easily with the Executive Order 14028 requirements.

Vimala Ranganathan, Product Manager on our Identity Security team, will walk you through the details.

Best Regards, 

Alex Simons (Twitter: @Alex_A_Simons) 

Corporate Vice President Program Management 
Microsoft Identity Division

----------------------------------------------------------------------------------------------------------

Hi everyone,

I’m Vimala from the Identity PM team, and I’m excited to walk you through Azure AD CBA.

As part of our commitment to the US Cybersecurity Executive Order, Azure AD CBA helps Government customers easily meet the phishing-resistant MFA requirement using their PIV/CAC cards. Azure AD users can authenticate with the X.509 certificates on their smartcards or devices directly against Azure AD for browser and application sign-in.

Key benefits include:

  • Higher security with phish-resistant certificate-based authentication (the majority of identity attacks are password-related)
  • Easily meet the Executive Order 14028 requirements for phish resistant MFA
  • Eliminate costs and risks associated with on-premises federation infrastructure
  • Simplified management experience in Azure AD with granular controls

SAP has been a great partner on the Azure AD CBA journey and provided feedback that was critical to shaping today's public preview!

“CBA is historical in the heart of SAP Products. Certificate Based Auth has been in use at SAP since 1999 and has been migrated and adopted multiple times; having these capabilities natively in Azure AD also allows us in the long run to retire our ADFS, where Azure AD is the last federation endpoint we still have.” - Sven Frank, identity architect at SAP

What is Azure AD Certificate-Based Authentication (Azure AD CBA)?

As you might be aware, authentication using X.509 certificates against Azure AD used to require a federated identity provider (IdP) such as AD FS. With the Azure AD CBA Public Preview today, customers will be able to authenticate directly against Azure AD without the need for a federated IdP.

Figure 1: Simplified Architecture

Certificate-based authentication method management

The picture below shows the steps for an admin to enable CBA.

Check out our public documentation to learn more: http://aka.ms/AADCBA

End-User Experience

As an end-user, once you type in your User Principal Name (UPN), you will see the “Sign in with a certificate” link on the password screen.

Figure 2: Sign in with a certificate

You will be prompted to select the correct client certificate, and that’s it: you are authenticated to the application.

Note: If CBA is enabled on the tenant, all users in the tenant will see the ‘Sign in with a certificate’ link on the sign-in page. However, only users in scope for CBA will be able to authenticate successfully against Azure AD; the rest will see a failure.

What’s next

We're working on more great features like Windows smart card logon, CBA as a second factor of authentication, removal of limits on the trusted issuer list, and Certificate Revocation List (CRL).

As always, please keep the feedback loop open by reaching us at the Azure Active Directory Community!

You can learn more about Microsoft’s commitment to Executive Order 14028 here.

Thanks,

Vimala


Updated Feb 11, 2022
Version 1.0

29 Comments

  • testuser7

    If I have 2 certificates in my Personal store on a Windows 10 box and I have also inserted a CAC card in the device, will I be shown all 3 certs to pick from while authenticating with Azure AD?

    If the CAC card is asking for a PIN, I believe it will be taken care of.

    Can I do this CBA work from any device, i.e., a device which is NOT AADJ/HAADJ or even registered with AAD?

    And the last point, which may not be right for this thread, but let me ask anyway.

    If I have logged into an AVD (Azure Virtual Desktop) session host, can I use the certificates of my Personal store and the CAC card that is inserted in the physical laptop for accessing any app in the browser of the AVD session host?

    (assuming I am using everything latest, i.e., Windows 11, thick AVD client)

    Thanks.

  • Hi bindaasbadshah

    In your setup, you are already on managed authentication and not using federated auth, which is great! You can add Azure AD CBA to your setup and it will additionally give your users the ability to use a smartcard or certificate to authenticate against Azure AD. You can add Azure AD CBA without changing the current setup. And you don't need hybrid Azure AD joined devices. It will work just fine on Azure AD joined machines.

    Peter

  • bindaasbadshah

    Thanks for this very timely enablement of the service.

    Please shed some light on the effect if Azure AD CBA is turned on for an environment which is currently set up with Windows 10 21H2, Azure AD Registered, Seamless SSO + PTA and PHS. Does this setup require any change to facilitate Azure AD CBA?

    Does Azure AD CBA require Hybrid Azure AD join, given that the organization has on-prem AD as well?

  • Julien92

    I can't wait to see CBA as a second factor of authentication!

  • Sven Frank

    M-F-L You can; the staged migration is completely working. We actually made an access package out of it and people can move between "old world / new world" back and forth, at least for the early adopters.

  • Hi folks, here are some answers to your questions. Let me know if there are more questions.

    M-F-L Yes, you can use staged rollout for CBA as well. Today you would have to enable PHS or PTA in order to activate staged rollout. But we are working on a CBA-only way for staged rollout too, in case you cannot or don't want to enable PHS or PTA. For native CBA, it doesn't matter how you do staged rollout.

    EddieMIT Yes, we are working on such a scenario for a potential public preview refresh later this year. So stay tuned for amazing updates on cloud native CBA in the next months.

    Thx, Peter

  • EddieMIT

    There seem to be two limitations that prevent CBA use by DoD. 1) DoD PIV certs include a SAN with a format of 16-digit@mil, so CBA seems to require an email address associated with the tenant domain name. 2) DoD CRLs are large and getting larger. Currently, there are 2 DoD CRLs that are 75K and 55K. Any way around these issues?
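
The first point above, as an added illustration that is my own code and not Microsoft's, nor a documented Azure AD binding rule: a pre-deployment check that builds a constructed PIV-style certificate and reports which SAN e-mail values fall inside one of the tenant's verified domains. The `tenantDomains` set and the "e-mail in a tenant domain" matching rule are assumptions taken from the commenter's observation; the example shows why a DoD-style 16-digit@mil SAN yields no bindable identity while a tenant-domain address does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Constructed sample of the domains verified in the tenant (an assumption, not a real tenant).
var tenantDomains = map[string]bool{"contoso.com": true, "contoso.mil": true}

// makeSampleCert builds a self-signed client-auth certificate carrying one SAN e-mail,
// a constructed stand-in for a PIV/CAC authentication certificate (not a real DoD cert).
func makeSampleCert(email string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "PIV sample"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// bindableEmails returns the SAN e-mail values whose domain is verified in the tenant.
// An empty result means the card cannot be mapped to a tenant user by the assumed
// "e-mail in a tenant domain" rule, which is the situation the commenter describes.
func bindableEmails(cert *x509.Certificate) []string {
	var out []string
	for _, e := range cert.EmailAddresses {
		at := strings.LastIndex(e, "@")
		if at >= 0 && tenantDomains[strings.ToLower(e[at+1:])] {
			out = append(out, e)
		}
	}
	return out
}
```

Exercise it from a `go test` file: a certificate whose only SAN is 1234567890123456@mil returns no bindable value, while one carrying alice@contoso.com returns that address.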

  • Kjetil Smith

    Hi Alex,

    Could we make this even more secure and base it on more modern concepts than a golden ticket or certificate, especially if you’re not using your ace: the 'Pluton' chip? Even though we do have your full Conditional Access concepts including your MFA factors, we together can do better, though we and our customers/clients are tenants in the clouds and just love to be even more secure; we own our data and are responsible if it's being misused. I'll send your team some suggestions regarding some work I have done for some clients, making it easier for governments and the public sector to stay secure in the future. Love it if we could also deliver some improvements the other way, not only up but also down.

    Best regards

    MrSmith

    BTW:

    Just a small sweet (external) identities dream to open up, not the security, but to allow even more secure concepts in the main tenant (B2B); at least for the customer-owned applications, the E(nterprise) Apps.

  • M-F-L

    This is great news for our org as we need to stick with CBA but have challenges managing an ADFS + proxies infra. If we currently have a domain set up with ADFS, is there any way to granularly switch users to cloud-based CBA? Something like staged rollout for CBA, maybe? Thank you!