Azure AD Certificate-Based Authentication now in Public Preview

Published Feb 14 2022 12:00 PM

Howdy folks, 

Today I'm very excited to announce the public preview of Azure Active Directory certificate-based authentication (Azure AD CBA) across our commercial and US Government clouds!

In May of 2021, the President issued Executive Order 14028, Improving the Nation’s Cybersecurity, calling for the Federal Government to modernize and adopt a Zero Trust architecture, including phishing-resistant multi-factor authentication (MFA) for employees, business partners, and vendors.

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
– President Biden, Executive Order 14028

Based on our experience working with Government customers, PIV/CAC cards are the most common authentication method used within the Federal Government.

While valuable for all customers, the ability to use X.509 certificates for authentication directly against Azure AD is particularly critical for Federal Government organizations that use PIV/CAC cards and want a straightforward way to comply with the Executive Order 14028 requirements.

Vimala Ranganathan, Product Manager on our Identity Security team, will walk you through the details.

Best Regards, 

Alex Simons (Twitter: @Alex_A_Simons) 

Corporate Vice President Program Management 
Microsoft Identity Division 

----------------------------------------------------------------------------------------------------------

Hi everyone,

I’m Vimala from the Identity PM team and I am excited to walk you through Azure AD CBA.

As part of our commitment to the US Cybersecurity Executive Order, Azure AD CBA helps Government customers meet the phishing-resistant MFA requirement using their PIV/CAC cards. Azure AD users can authenticate with X.509 certificates on their smart cards or devices directly against Azure AD for browser and application sign-in.

Key benefits include:

  • Higher security with phishing-resistant certificate-based authentication (the majority of identity attacks are password-related)
  • Meet the Executive Order 14028 requirements for phishing-resistant MFA without additional infrastructure
  • Eliminate costs and risks associated with on-premises federation infrastructure
  • Simplified management experience in Azure AD with granular controls

SAP has been a great partner on the Azure AD CBA journey and provided feedback that was critical to shaping the public preview today!

“CBA is historical in the heart of SAP Products. Certificate Based Auth is in use at SAP since 1999 and has been migrated and adopted multiple times. Having these capabilities natively in Azure AD also allows us in the long run to retire our ADFS, where Azure AD is the last Federation endpoint we still have.” - Sven Frank, identity architect at SAP

What is Azure AD Certificate-Based Authentication (Azure AD CBA)?

As you might be aware, authentication using X.509 certificates against Azure AD used to require a federated identity provider (IdP) such as AD FS. With the Azure AD CBA Public Preview today, customers will be able to authenticate directly against Azure AD without the need for a federated IdP.

Figure 1: Simplified Architecture

Certificate-based authentication method management

The figure below shows the steps for an admin to enable CBA.

Figure: Method management

Check out our public documentation to learn more: http://aka.ms/AADCBA

End-User Experience

As an end user, once you type in your User Principal Name (UPN), you will see the “Sign in with a certificate” link on the password screen.

Figure 2: Sign in with a certificate

You will be prompted to select the correct client certificate, and that’s it: you are authenticated to the application.

Note: If CBA is enabled on the tenant, all users in the tenant will see the ‘Sign in with a certificate’ link on the sign-in page. However, only the users in scope for CBA will be able to authenticate successfully against Azure AD; the rest will see a sign-in failure.
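
The note above describes the outcome (the link is shown to everyone, but only users in scope succeed) without showing the checks behind it. The script below is an added example, not code from this post or from Azure AD: it builds a throwaway test PKI with OpenSSL and applies the two decisions a certificate sign-in has to pass, namely that the presented certificate chains to an issuer on the tenant's trusted list, and that the identity carried in the certificate matches the UPN the user typed. The CA names, the user alice@contoso.com, the rogue issuer, and the use of the SAN RFC822 name as the username binding are assumptions made for the example; the bindings and trusted issuers a real tenant uses are configured by the admin as described in the documentation linked above.

```shell
#!/bin/sh
# Added example (not from the post or Azure AD): simulate the trust decision
# behind "Sign in with a certificate" using a throwaway OpenSSL test PKI.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_ca NAME CN -> self-signed test CA at $WORK/NAME.crt (assumed issuer)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_user_cert CA NAME RFC822NAME -> client cert signed by CA carrying the
# RFC822 name in the SAN (the username binding this example assumes)
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=email:%s\nextendedKeyUsage=clientAuth\n' "$3" >"$WORK/$2.ext"
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# cba_check TRUSTED_CA_FILE CERT_FILE TYPED_UPN
# Prints the bound name and returns 0 when the sign-in would succeed; otherwise
#   1 = chain does not end at a trusted issuer (the user is "not in scope")
#   2 = no binding attribute present in the certificate
#   3 = binding does not match the UPN the user typed on the sign-in page
cba_check() {
  trusted="$1"; cert="$2"; typed_upn="$3"
  # Check 1: the certificate must chain to an issuer on the trusted list and be
  # valid for client authentication (EKU clientAuth, inside its validity period).
  openssl verify -CAfile "$trusted" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
  # Check 2: the RFC822 name in the SAN is the identity the certificate asserts;
  # it must equal the UPN that was entered before the certificate prompt.
  bound=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*email:\([^, ]*\).*/\1/p' | head -n 1)
  [ -n "$bound" ] || return 2
  [ "$bound" = "$typed_upn" ] || return 3
  printf '%s\n' "$bound"
}

# setup_demo_pki: a trusted CA with a legitimate user, plus a rogue CA that
# issues a certificate claiming the same user (a forged-identity attempt).
setup_demo_pki() {
  make_ca trusted-ca "Contoso Test Issuing CA"
  make_ca rogue-ca   "Rogue CA"
  issue_user_cert trusted-ca alice   alice@contoso.com
  issue_user_cert rogue-ca   mallory alice@contoso.com
}

# report CA CERT UPN -> one result line per case, never aborts the script
report() {
  rc=0
  out=$(cba_check "$WORK/$1.crt" "$WORK/$2.crt" "$3") || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "$2.crt as $3: accepted (bound to $out)"
  else
    echo "$2.crt as $3: rejected (reason $rc)"
  fi
}

setup_demo_pki
report trusted-ca alice   alice@contoso.com   # accepted
report trusted-ca mallory alice@contoso.com   # rejected, reason 1: issuer not trusted
report trusted-ca alice   bob@contoso.com     # rejected, reason 3: binding mismatch
```

Run it with sh; it prints one accepted and two rejected cases. The rogue certificate asserts exactly the same identity as the legitimate one, which is why the trusted issuer list, not the name inside the certificate, is what keeps an attacker's certificate from signing in as alice.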

What’s next

We're working on more features, including Windows smart card logon, CBA as a second factor of authentication, removal of the limits on the trusted issuer list, and Certificate Revocation List (CRL) checking.

As always, please keep the feedback loop open by reaching us at the Azure Active Directory Community!

You can learn more about Microsoft’s commitment to Executive Order 14028 here.

Thanks,

Vimala


%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22smoorhead_3-1644592456401.png%22%20alt%3D%22Figure%202%3A%20Sign%20in%20with%20a%20certificate%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%202%3A%20Sign%20in%20with%20a%20certificate%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20will%20be%20prompted%20to%20select%20the%20correct%20client%20certificate%20and%20that%E2%80%99s%20it%20%E2%80%93%20you%20will%20get%20authenticated%20to%20the%20application.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%3A%20If%20CBA%20is%20enabled%20on%20the%20tenant%2C%20all%20users%20in%20the%20tenant%20will%20see%20the%20link%20to%26nbsp%3B%E2%80%98Sign%20in%20with%20a%20certificate%E2%80%99%26nbsp%3Bon%20the%20sign-in%20page.%20However%2C%20only%20the%20users%20in%20scope%20for%20CBA%20will%20be%20able%20to%20authenticate%20successfully%20against%20Azure%20AD%20and%20the%20rest%20will%20see%20a%20failure.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EWhat%E2%80%99s%20next%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWe're%20working%20on%20more%20great%20features%20like%20Windows%20smart%20card%20logon%2C%20CBA%20as%20a%20second%20factor%20of%20authentication%2C%20removal%20of%20limits%20on%20trusted%20issuer%20list%2C%20and%20Certificate%20Revocation%20List%20(CRL).%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAs%20always%2C%20please%20keep%20the%20feedback%20loop%20open%20by%20reaching%20us%20at%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fd365community%2Fforum%2F22920db1-ad25-ec11-b6e6-000d3a4f0789%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EAzure%20Active%20Directory%20Community%3C%2FA%3E%3CSPAN%3E!%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYou%20c
an%20learn%20more%20about%20Microsoft%E2%80%99s%20commitment%20to%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Ffederal%2FCyberEO.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3EExecutive%20Order%2014028%20here%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThanks%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EVimala%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ELearn%20more%20about%20Microsoft%20identity%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CEM%3ERelated%20Articles%3A%26nbsp%3B%3C%2FEM%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2FAADCBA%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2FAADCBA%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EReturn%20to%20the%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fbg-p%2FIdentity%22%20target%3D%22_blank%22%3E%3CEM%3EAzure%20Active%20Directory%20Identity%20blog%20home%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EJoin%20the%20conversation%20on%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fazuread%2Fstatus%2F1278418103903363074%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CEM%3ETwitter%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%20and%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CEM%3ELinkedIn%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EShare%20product%20suggestions%20on%20the%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fd365community%2Fforum%2F22920db1-ad25-ec11-b6e6-000d3a4f0789%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CEM%3EAzure%20Feedback%20Forum%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%
3CLINGO-TEASER%20id%3D%22lingo-teaser-2464390%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHigher%20security%20with%20phish%20resistant%20certificate-based%20authentication.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22CBA%20Teaser.png%22%20style%3D%22width%3A%20397px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347411i2472FA56445433C6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22CBA%20Teaser.png%22%20alt%3D%22CBA%20Teaser.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3175691%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3175691%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20great%20news%20for%20our%20org%20as%20we%20need%20to%20stick%20with%20CBA%20but%20have%20challenges%20managing%20an%20ADFS%20%2B%20proxies%20infra.%20If%20we%20currently%20have%20a%20domain%20setup%20with%20ADFS%2C%20is%20there%20any%20way%20to%20granulalry%20switch%20users%20to%20cloud-based%20CBA%3F%20something%20like%20staged%20rollout%20for%20CBA%20maybe%3F%20Thank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3176721%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3176721%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ECould%20we%20make%20this%20even%20more%20secure%20and%20base%20it%20on%20more%20modern%20concepts%20than%20a%20golden%20ticket%20or%20certificate%3B%20especially%20if%20you%E2%80%99re%20not%20using%20your%20ace%3A%20the%20'pluton'%20chip.%20Even%20though%20we%20do%20have%20your%20full%20Conditional%20Access%20conc
epts%20including%20your%20MFA%20factores%20we%20together%20can%20do%20better%2C%20though%20we%20and%20our%20customers%2Fclients%20are%20tenants%20in%20the%20clouds%20and%20just%20love%20to%20be%20even%20more%20secure%3B%20we%20own%20our%20data%20and%20are%20responsible%20if%20it's%20being%20misused.%20I'll%20send%20your%20team%20some%20suggestions%20regarding%20some%20work%20I%20have%20done%20for%20some%20clients%3B%20making%20it%20easier%20for%20governments%20and%20public%20sector%20to%20stay%20in%20the%20future%20secure.%20Love%20if%20we%20could%20also%20deliver%20some%20improvements%20the%20other%20way%2C%20not%20only%20up%20but%20also%20down..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3CP%3EMrSmith%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBTW%3A%3C%2FP%3E%3CP%3EJust%20a%20small%20sweet%20(external)%20identities%20dream%20to%20open%20up%2C%20not%20the%20security%2C%20but%20to%20allow%20even%20more%20secure%20concepts%20in%20the%20main%20tenant%20(B2B)%3B%20at%20least%20for%20the%20customer%20owned%20applications%2C%20the%20E(nterprise)App's.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3180831%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3180831%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20seems%20to%20be%20two%20limitations%20that%20prevent%20CBA%20use%20by%20DoD.%201)%20DoD%20PIV%20certs%20include%20a%20SAN%20with%20a%20format%20of%2016-digit%40mil%20so%20CBA%20seems%20to%20require%20an%20email%20address%20associated%20with%20the%20tenant%20domain%20name.%202)%20DoD%20CRL%20are%20large%20and%20getting%20larger.%20Currently%2C%20there%20are%202%20DoD%20CRL's%20that%20are%2075K%20and%2055K.%20Anyway%2C%20around%20these%20issues%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3192003%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authenticatio
n%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3192003%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20folks%2C%20here%20are%20some%20answers%20to%20your%20questions.%20Let%20me%20know%20if%20there%20are%20more%20questions.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1309464%22%20target%3D%22_blank%22%3E%40M-F-L%3C%2FA%3E%26nbsp%3BYes%20you%20can%20use%20staged%20rollout%20for%20CBA%20as%20well.%20Today%20you%20would%20have%20to%20enable%20PHS%20or%20PTA%20in%20order%20to%20activate%20staged%20rollout.%20But%20we%20are%20working%20on%20a%20CBA%20only%20way%20for%20staged%20rollout%20too%20in%20case%20you%20cannot%20or%20don%C2%B4t%20want%20to%20enable%20PHS%20or%20PTA.%20For%20native%20CBA%2C%20it%20doesn%C2%B4t%20matter%20how%20you%20do%20staged%20rollout.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1310622%22%20target%3D%22_blank%22%3E%40EddieMIT%3C%2FA%3E%26nbsp%3BYes%20we%20are%20working%20on%20such%20scenario%20for%20a%20potential%20public%20preview%20refresh%20later%20this%20year.%20So%20stay%20tuned%20for%20amazing%20updates%20on%20cloud%20native%20CBA%20in%20the%20next%20months.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThx%20Peter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3203131%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3203131%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1309464%22%20target%3D%22_blank%22%3E%40M-F-L%3C%2FA%3E%26nbsp%3BYou%20can%20the%20staged%20migration%20is%20completly%20working%20we%20actually%20made%20an%20access%20package%20out%20of%2
0it%20and%20people%20can%20move%20between%20%22old%20world%20%2F%20new%20world%22%20back%20and%20forth%20at%20least%20for%20the%20early%20adaptors.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3210181%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3210181%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can't%20wait%20to%20see%20CBA%20as%20a%20second%20factor%20of%20authentication%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3257106%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3257106%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20this%20very%20timely%20enablement%20of%20service.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20shed%20some%20light%20of%20the%20effect%20if%20AzureAD%20CBA%20turned%20for%20the%20environment%20which%20is%20currently%20setup%20of%20Windows%2010%2021H2%20with%20AzureAD%20Registered%2C%20Seamless%20SSO%20%2B%20PTA%20and%20PHS.%20Does%20any%20change%20require%20to%20this%20setup%20to%20facilitate%20AzureAD%20CBA%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20AzureAD%20CBA%20required%20Hybrid%20AzureAD%20joining%2C%20given%20that%20organization%20has%20onpremAD%20as%20well%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3257178%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3257178%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1127449%22%20target%3D%22_blank%22%3E%40Zoola1540%3C%2FA%3E%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20your%20setup%20you%2C%20are%20already%20on%20managed%20authen
tication%20and%20not%20using%20federated%20auth%20which%20is%20great!%20You%20can%20add%20Azure%20AD%20CBA%20to%20your%20setup%20and%20it%20will%20provide%20your%20users%20additionally%20the%20ability%20to%20use%20a%20smartcard%20or%20certificate%20to%20authenticate%20against%20Azure%20AD.%20You%20can%20add%20Azure%20AD%20CBA%20without%20changing%20the%20current%20setup.%20And%20you%20don%C2%B4t%20need%20hybrid%20Azure%20AD%20joined%20devices.%20It%20will%20work%20just%20fine%20in%20Azure%20AD%20joined%20machines.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPeter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3260265%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3260265%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20I%20have%26nbsp%3B%202%20certificates%20in%20my%20Personal-store%20on%20Windows%2010%20box%26nbsp%3B%20and%20I%20have%20also%20inserted%20CAC-card%20in%20the%20device%2C%26nbsp%3B%20will%20I%20be%20shown%20all%203%20certs%20to%20pick%20from%20while%20authenticating%20with%20Azure-AD%26nbsp%3B%20%3F%3C%2FP%3E%3CP%3EIf%20the%20CAC-card%20is%20asking%20PIN%2C%26nbsp%3B%20I%20believe%20it%20will%20be%20taken%20care%20off.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20I%20do%20this%20CBA%20work%20from%20any%20device%20i.e.%2C%20the%20device%20which%20is%26nbsp%3B%20NOT%26nbsp%3B%20%26nbsp%3BAADJ%2FHAADJ%20or%20even%20register%20with%20AAD%26nbsp%3B%20%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20the%20last%20point%20which%20may%20not%20be%20right%20for%20this%20thread%20but%20let%20me%20ask%20anyway.%3C%2FP%3E%3CP%3EIf%20I%20have%20logged%20into%20AVD%20(Azure%20Virtual%20Desktop)%26nbsp%3B%20Session-host%2C%26nbsp%3B%20%26nbsp%3Bcan%20I%20use%20the%20certificates%20of%20my%26nbsp%3BPersonal-store%20and%20the%20CAC-card%26nbsp%3B%20that%20is%20inserted%20on%20the%20physical%20laptop%20for%20accessing%20any%20
app%20on%20the%20browser%20of%20AVD-session-host%20%3F%3F%3C%2FP%3E%3CP%3E(assuming%20I%20am%20using%20everything%20latest%20i.e.%2C%20windows%2011%2C%26nbsp%3B%20thick%20AVD-client)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3260295%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3260295%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F682533%22%20target%3D%22_blank%22%3E%40testuser7%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EToday%20at%20this%20stage%20of%20the%20public%20preview%20we%20are%20sending%20issuer%20hints%20to%20the%20client.%20So%20you%20will%20see%20all%20certs%20in%20the%20picker%20which%20are%20available.%20But%20we%20are%20working%20on%20this%20functionality%20so%20that%20Azure%20AD%20will%20tell%20the%20client%20from%20which%20issuer%20(PKI)%20the%20cert%20is%20expected.%20Stay%20tuned%20for%20that.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20your%20second%20question%2C%20yes%20you%20can%20do%20CBA%20in%20the%20browser%20session%20also%20on%20non%20AADJ%2FHAADJ%20devices%2C%20the%20device%20join%20is%20not%20required.%20In%20the%20future%20when%20we%20also%20want%20to%20support%20Windows%20login%20with%20a%20smartcard%2C%20the%20device%20would%20have%20to%20by%20AADJ%2FHAADJ%20in%20order%20to%20login%20the%20user%20with%20the%20CAC-card.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20last%20question%2C%20I%20cannot%20answer%20unfortunately.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheers%20Peter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3260950%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in
%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3260950%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F280835%22%20target%3D%22_blank%22%3E%40Plenzke%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20helps.%26nbsp%3B%20%26nbsp%3B%20If%26nbsp%3B%3CSPAN%3E%26nbsp%3BAzure%20AD%20can%20tell%20the%20client%20from%20which%20issuer%20(PKI)%20the%20cert%20is%20expected%2C%20it%20could%20make%20end-user's%26nbsp%3B%20interaction%20more%20seamless.%26nbsp%3B%20May%20be%20there%20is%20only%20one%20cert%20fulfilling%26nbsp%3Bthe%20requirement.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3261343%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3261343%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F280835%22%20target%3D%22_blank%22%3E%40Plenzke%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Equick%20question.%3C%2FP%3E%3CP%3EIn%20order%20for%20Certificate%20from%20CAC-card%20to%20pull%20up%20in%20the%20picker%2C%20do%20I%20need%20to%20install%20any%20driver%20etc.%26nbsp%3B%20on%20my%20laptop%20etc.%26nbsp%3B%20%26nbsp%3BOR%26nbsp%3B%20%26nbsp%3Beverything%20will%20work%20seamlessly%20as%20soon%20as%20I%20insert%20the%20card%20in%20the%20USB%20slot%20of%20the%20device.%3C%2FP%3E%3CP%3EI%20am%20using%20latest%20window%2010%20version%20.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3383847%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3383847%22%20slang%3D%22en-US%22%3E%3CP%3ERegarding%20%22%3CSPAN%3EWe're%20working%20on%26nbsp%3B...%26nbsp%3B%3C%2FS
PAN%3E%3CSPAN%3ECBA%20as%20a%20second%20factor%20of%20authentication%22%2C%20does%20that%20mean%20that%20currently%20users%20can't%20be%20required%20to%20use%20a%20password%20%3CEM%3E%3CSTRONG%3Eand%3C%2FSTRONG%3E%3C%2FEM%3E%20certificate%20to%20authenticate%3F%20Thanks!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3385076%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3385076%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1391919%22%20target%3D%22_blank%22%3E%40kodbuse%3C%2FA%3E%26nbsp%3BYes%20that%20is%20correct.%20Today%20Azure%20AD%20native%20CBA%20can%20only%20be%20used%20in%20primary%20authentication%20not%20as%20a%20step%20up%20second%20factor.%20This%20will%20come%20at%20a%20later%20stage.%20So%20you%20can%20replace%20password%20authN%20with%20CBA%20today%20but%20not%20use%20it%20as%20pure%202nd%20factor%20MFA%20credential.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20using%20CBA%20as%20primary%20auth%20credential%2C%20you%20can%20configure%20if%20Azure%20AD%20should%20treat%20CBA%20as%20a%20strong%20auth%20credential%20or%20single%20factor%20credential.%20Using%20it%20as%20strong%20auth%20will%20satisfy%20MFA%20controls%20in%20conditional%20access.%20Using%20it%20as%20single%20factor%20would%20treat%20it%20the%20same%20like%20a%20password%20authentication%20and%20CA%20can%20enforce%20MFA%20afterwards.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPeter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3393275%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3393275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F
280835%22%20target%3D%22_blank%22%3E%40Plenzke%3C%2FA%3E%26nbsp%3B%2C%20thank%20you%20for%20this%20feature.%20We%20have%20been%20looking%20forward%20to%20this%20for%20quite%20some%20time.%20In%20our%20testing%2C%20we%20have%20ran%20into%20an%20issue.%26nbsp%3BMost%20of%20our%20systems%20are%20HAADJ%2C%20which%20means%20when%20a%20user%20launches%20M365%20applications%20via%20a%20browser%2C%20AAD%20sees%20that%20they%20are%20are%20already%20logged%20into%20Windows%20and%20does%20not%20prompt%20for%20a%20password.%20Instead%2C%20it%20satisfies%20the%20single%20factor%20authentication%20and%20goes%20straight%20to%20MFA.%20Our%20use%20case%20is%20that%20we%20want%20specific%20users%20to%20be%20able%20to%20use%20CBA%20for%20both%20single%2B2nd%20factor%20MFA.%20That%20works%20great%20when%20you%20launch%20the%20browser%20in%20InPrivate%20mode%2C%20but%20that's%20not%20a%20feasible%20option.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2%20questions...%3C%2FP%3E%3CP%3E1.%20Is%20there%20a%20way%20that%20we%20can%20allow%20users%20to%20utilize%20CBA%20on%20our%20HAADJ%20systems%20easily%3F%20Is%20there%20a%20way%20to%20have%20the%20browser%20not%20automatically%20login%20the%20single%20factor%20auth%20from%20the%20logged%20in%20user%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20When%20will%20CBA%20be%20available%20for%20a%202nd%20factor%20auth%20method%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3393726%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Certificate-Based%20Authentication%20now%20in%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3393726%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1266902%22%20target%3D%22_blank%22%3E%40Kashed120%3C%2FA%3E%26nbsp%3BWe%C2%B4re%20glad%20that%20CBA%20is%20valuable%20for%20you%20and%20you%20can%20use%20it%20to%20get%20into%20a%20pwdless%
20%2F%20phish%20resistant%20world.%20For%20the%20Windows%20scenario%2C%20the%20browser%20will%20always%20add%20the%20PRT%20(primary%20refresh%20token)%20to%20the%20auth%20request%20to%20provide%20SSO%20to%20Azure%20AD%20apps.%20that%C2%B4s%20why%20your%20users%20wouldn%C2%B4t%20be%20able%20to%20easily%20use%20CBA%20for%20initial%20auth.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20also%20working%20on%20a%20scenario%20where%20your%20users%20can%20login%20to%20Windows%20with%20their%20smartcard%20and%20then%20the%20PRT%20sso%20would%20be%20sourced%20from%20that%20CBA%20%2F%20smartcard%20login%20to%20the%20Windows%20machine.%20And%20if%20you%20have%20configured%20the%20CBA%20to%20be%20strong%20auth%2C%20it%20would%20satisfy%20MFA%20enforcements%20in%20CA%20already.%20Very%20much%20like%20a%20WHFB%20login.%20This%20feature%20will%20come%20also%20later%20this%20year.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20the%20question%20on%20the%20timeline%20for%20CBA%20second%20factor%2C%20I%20cannot%20be%20too%20specific%20at%20this%20point%20as%20things%20are%20in%20flux%20but%20you%20can%20expect%20summer%20time%20frame%20this%20year%20for%20a%20preview%20refresh.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheers%20Peter%3C%2FP%3E%3C%2FLINGO-BODY%3E
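As an added example (not code from the post or from Microsoft), here is a PowerShell pre-check for the certificates the "Sign in with a certificate" picker will offer on a Windows machine: it flags whether each one carries the client authentication EKU, was issued by a CA on the tenant's trusted issuer list, and has a SAN identity in a tenant domain, which is the binding concern raised above for the DoD 16-digit@mil SAN. The tenant domains and issuer names are placeholders you replace with your own.

```powershell
# Added example, not from the post or from Microsoft. Predicts, per certificate in the
# user's personal store, whether an Azure AD CBA sign-in is likely to succeed or to end
# in the failure the post describes for users and certificates that are out of scope.
# Windows certificate propagation copies smartcard (PIV/CAC) certificates into the
# CurrentUser\My store, so an inserted card is covered by the same enumeration.

$TenantDomains  = @('contoso.com', 'contoso.onmicrosoft.com')        # assumed: your verified tenant domains
$TrustedIssuers = @('CN=Contoso Issuing CA 01, DC=contoso, DC=com')   # assumed: issuer DNs on the tenant's trusted issuer list
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'                                   # id-kp-clientAuth

function Get-SanIdentities {
    # Returns the RFC822 (email) and UPN (otherName) entries of the SAN extension, the
    # identities a tenant can bind to a user. Relies on the English single-line output of
    # AsnEncodedData.Format, e.g. "RFC822 Name=a@b.com, Other Name:Principal Name=a@b.com".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $ids = @()
    foreach ($entry in ($san.Format($false) -split ',\s*')) {
        if ($entry -match '^(RFC822 Name|Other Name:Principal Name)=(\S+)$') {
            $ids += [pscustomobject]@{ Kind = $Matches[1]; Value = $Matches[2] }
        }
    }
    return $ids
}

function Test-CbaCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Client authentication EKU: without it the certificate is not a logon certificate.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })

    # The issuer must be one of the CAs the tenant trusts. A plain DN string compare is a
    # simplification (component order must match); compare chain thumbprints in production.
    $issuerTrusted = $TrustedIssuers -contains $Cert.Issuer

    # A SAN identity only binds if its domain belongs to the tenant. A DoD-style SAN such as
    # 1234567890123456@mil therefore does not bind to a contoso.com tenant.
    $ids = Get-SanIdentities -Cert $Cert
    $bindable = @($ids | Where-Object {
        $TenantDomains -contains (($_.Value -split '@')[-1]).ToLowerInvariant()
    })
    $notExpired = $Cert.NotAfter -ge (Get-Date)

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Issuer           = $Cert.Issuer
        Expired          = -not $notExpired
        ClientAuthEku    = $hasClientAuth
        IssuerTrusted    = $issuerTrusted
        SanIdentities    = (($ids | ForEach-Object { "$($_.Kind)=$($_.Value)" }) -join '; ')
        BindableToTenant = ($bindable.Count -gt 0)
        LikelyToSucceed  = ($hasClientAuth -and $issuerTrusted -and $bindable.Count -gt 0 -and $notExpired)
    }
}

# Certificates without a private key cannot answer the TLS client-auth challenge, so skip them.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CbaCandidate -Cert $_ } |
    Sort-Object LikelyToSucceed -Descending |
    Format-Table Subject, ClientAuthEku, IssuerTrusted, BindableToTenant, Expired, SanIdentities -AutoSize
```

Run it as the signing-in user with the smartcard inserted; a row with BindableToTenant False on an otherwise valid certificate is the case a user reports as "I see the link but get a failure".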
Version history
Last update: Feb 11 2022 01:59 PM