Learn about Microsoft Entra CBA enhancements, like PKI-based certificate authority (CA) store.
Over the last year, we’ve seen many federal and regulated industry customers migrate from Active Directory Federation Services (AD FS) to Microsoft Entra ID seamlessly providing end users a familiar sign-in experience with Microsoft Entra certificate-based authentication (CBA). In fact, in the last 12 months, we’ve seen an over 1500% increase in phishing-resistant authentication for United States government customers.
As we continue our investments in the Microsoft Entra CBA, today I am excited to share the public preview of our latest enhancements:
- Certificate Revocation List (CRL) validation fail safe: Admins can strengthen the security by failing CBA authentication if the issuing certificate authority (CA) has no Certificate Revocation List (CRL).
- Enhanced PKI based certificate authority (CA) store: This enhancement removes any current size limitation and supports issuer hints at each CA level.
Let’s dig deeper!
Certificate Revocation List (CRL) validation fail safe
Certificate Revocation List (CRL) validation feature allows enterprises to fail CBA authentication when the issuing CA does not have a CRL configured. This helps a tenant admin to strengthen security and avoid misconfigurations by requiring CBA authentication to fail if no CRL is configured for a CA that issues an end user certificate.
A CA can be uploaded to the Microsoft Entra CA store without a CRL endpoint, and by default, Entra ID treats a CA without a CRL Distribution Point (CDP) as an administrator intentionally disabling CRL checking for that CA. The CRL validation feature allows a tenant admin to toggle the default behavior to fail CBA authentication if a CA is configured without CDP. To enable CRL validation, click Require CRL validation (recommended) and any CBA authentication will fail if the end user certificate was issued by a CA with no CRL configured.
Figure 1: Configuration to enable Certificate Revocation List validations
Administrators can also exempt specific CAs that do not need CRL validation. The CAs in the exempted list are not required to have CRL configured and the end-user certificates that they issue do not fail authentication. More info on CRL validation.
Enhanced PKI-based certificate authority (CA) store
Microsoft Entra has a new Public Key Infrastructure (PKI)-based CA store with higher limits for the number of CAs and the size of each CA file. The PKI-based CA store allows CAs within each different PKI to be in its own container object so admins can move away from one flat list of CAs to PKI-container-based CAs.
PKI-based CA store supports up to 250CAs, 8KB size for each CA and supports issuers hints at CA level. An admin can also upload the entire PKI and all the CAs using the upload PKI feature or create a PKI container and upload CAs individually.
Figure 2: Public-Key-Infrastructure-based certificate authority store
The tenant admin can also enable issuer hints for specific CAs by enabling the Issuer Hint attribute isIssuerHintEnabled flag. Microsoft Entra CBA will support both the old and new store for authentication, but it is recommended to configure PKI-based CA store for Entra CBA.
You can learn more about Microsoft Entra CBA here and Microsoft’s commitment to Executive Order 14028. We’re eager to hear your feedback as we work towards the general availability of these new enhancements.
What’s next
Keep your feedback coming at Microsoft Entra Community! We’re working diligently to bring more enhancements like the removal of limits on CRL, CBA support on the resource tenant for B2B external guest users, and iOS UX enhancements, to name some.
Thank you,
Nitika Gupta
Read more on this topic
- Check out CBA documentation
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft
