Blog Post

Microsoft Entra Blog

3 MIN READ

Azure AD Certificate-Based Authentication now in Public Preview

Alex Simons (AZURE)

Microsoft

Feb 14, 2022

Howdy folks,

Today I'm very excited to announce the public preview of Azure Active Directory certificate-based authentication (Azure AD CBA) across our commercial and US Government clouds!

In May of 2021, the President issued Executive Order 14028, Improving the Nation’s Cybersecurity calling for the Federal Government to modernize and adopt a Zero Trust architecture including phish resistant multi-factor authentication (MFA) for employees, business partners, and vendors.

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
– President Biden, Executive Order 14028

Based on our experience working with Government customers, PIV/CAC cards are the most common authentication method used within the Federal Government.

While valuable for all customers, the ability to use X.509 certificate for authentication directly against Azure AD is particularly critical for Federal Government organizations using PIV/CAC cards and looking to easily comply with the Executive Order 14028 requirements.

Vimala Ranganathan, Product Manager on our Identity Security team, will walk you through the details.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Corporate Vice President Program Management
Microsoft Identity Division

----------------------------------------------------------------------------------------------------------

Hi everyone,

I’m Vimala from the Identity PM team and I am excited to walk you through Azure AD CBA.

As part of our commitment to the US Cybersecurity Executive Order, Azure AD CBA helps Government customers easily meet phishing-resistant MFA authentication using the PIV/CAC cards. Azure AD users can authenticate using X.509 certificates on their smartcards or devices directly against Azure AD for browser and application sign-in.

Key benefits include:

Higher security with phish resistant certificate-based authentication (the majority of the identity attacks are related to passwords)
Easily meet the Executive Order 14028 requirements for phish resistant MFA
Eliminate costs and risks associated with on-premises federation infrastructure
Simplified management experience in Azure AD with granular controls

SAP has been a great partner on the Azure AD CBA journey and provided feedback that was critical to shaping the public preview today!

“CBA is historical in the heart of SAP Products. Certificate Based Auth is in use at SAP since 1999 and has been migrated and adopted multiple times, having these capabilities natively in Azure AD also allows us in the long run to retire our ADFS where Azure AD is the last Federation endpoint we still have.” - Sven Frank, identity architect at SAP

What is Azure AD Certificate-Based Authentication (Azure AD CBA)?

As you might be aware, authentication using X.509 certificates against Azure AD used to require a federated identity provider (IdP) such as AD FS. With the Azure AD CBA Public Preview today, customers will be able to authenticate directly against Azure AD without the need for a federated IdP.

Figure 1: Simplified Architecture

Certificate-based authentication method management

The picture below shows the steps for an admin to enable CBA.

Check out our public documentation to learn more: http://aka.ms/AADCBA

End-User Experience

As an end-user, once you type in the User Principal Name (UPN), you will see the “Sign in with a certificate” link on the password screen.

Figure 2: Sign in with a certificate

You will be prompted to select the correct client certificate and that’s it – you will get authenticated to the application.

Note: If CBA is enabled on the tenant, all users in the tenant will see the link to ‘Sign in with a certificate’ on the sign-in page. However, only the users in scope for CBA will be able to authenticate successfully against Azure AD and the rest will see a failure.

What’s next

We're working on more great features like Windows smart card logon, CBA as a second factor of authentication, removal of limits on trusted issuer list, and Certificate Revocation List (CRL).

As always, please keep the feedback loop open by reaching us at Azure Active Directory Community!

You can learn more about Microsoft’s commitment to Executive Order 14028 here.

Thanks,

Vimala

Learn more about Microsoft identity:

Related Articles: http://aka.ms/AADCBA
Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

Updated Feb 11, 2022

Version 1.0

Alex Simons (AZURE)

Microsoft

Joined May 01, 2017

View Profile

Microsoft Entra Blog

Stay informed on how to secure access for employees, customers, and non-human identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions powered by AI.

29 Comments

RGordon00
Copper Contributor
Feb 15, 2024
Has anyone tried to utilize PIV authentication for Azure Stack HCI which requires Azure AD as part of its initialization ?
MaYnMaN
Copper Contributor
Nov 08, 2022
Vimala_Ranganathan - Looks like it's about 48 MBs currently.
Vimala_Ranganathan
Microsoft
Nov 08, 2022
plsfix what is the size of your CRL and is your tenant in Gov clouds?

CRL failures can happen due to size limit of due to timeout (not being able to download in the timeout limit).

We have increased the CRL limits to a higher value, much higher in Gov clouds and would love to know if your size is more than the defaults we have.

Azure AD certificate-based authentication (CBA) FAQ - Azure Active Directory - Microsoft Entra | Microsoft Learn
MaYnMaN
Copper Contributor
Nov 08, 2022
plsfix - Out of curiosity, have you been able to get the CRL Endpoints to work with your implementation? I've never been able to get that portion to work and assume it's due to the CRL size limitation currently in place.
MaYnMaN
Copper Contributor
Nov 08, 2022
Oh, that's perfect! I appreciate the detailed follow up, plsfix. That's super helpful. I'm going to test it out in my environment. Thank again!

plsfix

Brass Contributor

Nov 08, 2022

MaYnMaN, I had to use PowerShell to set the CertificateUserIds value in the GCC-High environment I tested with last weekend.

It really was as simple as 1. Configuring the Root and Intermediate CAs and 2. Setting the CertificateUserIds. Here's the PowerShell to retrieve and set the value for one user.

Connect-MgGraph -Environment usgov -Scopes "User.ReadWrite.All"

$upnuser = "email address removed for privacy reasons"
$upncert = "1234567890123456@mil"


## Retrieve Authorization Info
$user = Get-MgUser -UserId $upnuser -Property Id,DisplayName,UserPrincipalName,UserType,AuthorizationInfo
$user | select Id,DisplayName,UserPrincipalName,UserType,@{n="CertificateUserIds";e={$_.AuthorizationInfo.CertificateUserIds}} | ft -AutoSize


## Set Authorization Info
$contenttype = "application/json; charset=utf-8"
$body = @{
    authorizationInfo = @{
        certificateUserIds = @("X509:<PN>{0}" -f $upncert)
    }
} | ConvertTo-Json
$uri = "https://graph.microsoft.us/v1.0/users/{0}" -f $upnuser

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType $contenttype -Body $body

MaYnMaN
Copper Contributor
Nov 08, 2022
Thank you plsfix! I see the option in Commercial but doesn't look like it's made its way over the Azure Gov yet. Hopefully soon. 🙂
plsfix
Brass Contributor
Nov 08, 2022
MaYnMaN You can! In case the UPN or RFC822 (email) attribute on the certificate doesn't match the users' attributes, you can map the certificate properties to the CertificateUserIds values for your users.

This doc provides the supported patterns for the CertificateUserIds values.
Certificate user IDs for Azure AD certificate-based authentication - Azure Active Directory - Microsoft Entra | Microsoft Learn
MaYnMaN
Copper Contributor
Sep 12, 2022
Hello CBA Team,

This may be a silly question, but can CBA be used in a scenario where the user only resides in AAD? As in, there is no on prem Active Directory configured (w/ AAD Connect) and I create a user in AAD via the portal and want to have them login via SmartCard?

Thanks!
Vimala_Ranganathan
Microsoft
Aug 02, 2022
Hi @gholt_aveva

Current CBA capabilities does not work with headless applications. Would you please send your scenario and any other details to cloudcbafeedback@microsoft.com and we will look into the possibility into future capabilities?

Thanks

Vimala

Connect-MgGraph -Environment usgov -Scopes \"User.ReadWrite.All\"\n\n$upnuser = \"email address removed for privacy reasons\"\n$upncert = \"1234567890123456@mil\"\n\n\n## Retrieve Authorization Info\n$user = Get-MgUser -UserId $upnuser -Property Id,DisplayName,UserPrincipalName,UserType,AuthorizationInfo\n$user | select Id,DisplayName,UserPrincipalName,UserType,@{n=\"CertificateUserIds\";e={$_.AuthorizationInfo.CertificateUserIds}} | ft -AutoSize\n\n\n## Set Authorization Info\n$contenttype = \"application/json; charset=utf-8\"\n$body = @{\n authorizationInfo = @{\n certificateUserIds = @(\"X509:<PN>{0}\" -f $upncert)\n }\n} | ConvertTo-Json\n$uri = \"https://graph.microsoft.us/v1.0/users/{0}\" -f $upnuser\n\nInvoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType $contenttype -Body $body