“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” – President Biden, Executive Order 14028
Based on our experience working with Government customers, PIV/CAC cards are the most common authentication method used within the Federal Government.
While valuable for all customers, the ability to authenticate with X.509 certificates directly against Azure AD is particularly critical for Federal Government organizations that use PIV/CAC cards and need to comply with the Executive Order 14028 requirements.
Vimala Ranganathan, Product Manager on our Identity Security team, will walk you through the details.
I’m Vimala from the Identity PM team and I am excited to walk you through Azure AD CBA.
As part of our commitment to the US Cybersecurity Executive Order, Azure AD CBA helps Government customers meet the phishing-resistant MFA requirement using their PIV/CAC cards. Azure AD users can authenticate with the X.509 certificates on their smart cards or devices directly against Azure AD for browser and application sign-in.
Key benefits include:
Higher security with phishing-resistant certificate-based authentication (most identity attacks target passwords)
Easily meet the Executive Order 14028 requirements for phishing-resistant MFA
Eliminate costs and risks associated with on-premises federation infrastructure
Simplified management experience in Azure AD with granular controls
SAP has been a great partner on the Azure AD CBA journey and provided feedback that was critical to shaping the public preview today!
“CBA is historical in the heart of SAP Products. Certificate Based Auth is in use at SAP since 1999 and has been migrated and adopted multiple times, having these capabilities natively in Azure AD also allows us in the long run to retire our ADFS where Azure AD is the last Federation endpoint we still have.” - Sven Frank, identity architect at SAP
What is Azure AD Certificate-Based Authentication (Azure AD CBA)?
As you might be aware, authenticating with X.509 certificates against Azure AD used to require a federated identity provider (IdP) such as AD FS. With the Azure AD CBA public preview released today, customers can authenticate directly against Azure AD without a federated IdP.
As an end-user, once you type in the User Principal Name (UPN), you will see the “Sign in with a certificate” link on the password screen.
Figure 2: Sign in with a certificate
You will be prompted to select the correct client certificate and that’s it – you will get authenticated to the application.
Note: If CBA is enabled on the tenant, every user in the tenant will see the ‘Sign in with a certificate’ link on the sign-in page. However, only users in scope for CBA can authenticate successfully against Azure AD; for everyone else the certificate sign-in fails.
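As an added illustration (this is not Azure AD's code and is not part of the original post), the following Go program models the decision an identity provider makes once the user has picked a client certificate: the chain must end in an issuer on the tenant's trusted issuer list and carry the client-authentication EKU, the certificate must bind to a directory user, and that user must be in scope for CBA, which is why the "not in scope" case above fails even with a perfectly good certificate. Everything in it is constructed: the two CAs, the users, and the binding rule (SAN RFC822Name equal to the UPN) are assumptions for the example, since the post does not describe how Azure AD binds a certificate to a user. Revocation is deliberately not checked, matching the post's note that CRL support is still to come.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Distinct errors so a caller can tell a bad chain from a known user who is not in scope.
var (
	ErrUntrusted   = errors.New("chain does not terminate in a trusted issuer")
	ErrNoBinding   = errors.New("certificate carries no SAN RFC822Name to bind a user to")
	ErrUnknownUser = errors.New("no directory user matches the certificate")
	ErrNotInScope  = errors.New("user is not in scope for certificate-based authentication")
)

// Tenant is the state the toy IdP consults: the trusted issuer list and, per UPN, CBA scope.
type Tenant struct {
	TrustedIssuers *x509.CertPool
	CBAEnabled     map[string]bool // UPN -> user is in scope for CBA
}

// AuthenticateWithCertificate models what happens after the user picks a client certificate:
// chain validation against the trusted issuers (client-auth EKU required), binding the
// certificate to a user (assumed rule: SAN RFC822Name equals the UPN), then the scope check.
func (t *Tenant) AuthenticateWithCertificate(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: t.TrustedIssuers, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	if len(cert.EmailAddresses) == 0 {
		return "", ErrNoBinding
	}
	upn := strings.ToLower(cert.EmailAddresses[0])
	if enabled, known := t.CBAEnabled[upn]; !known {
		return "", ErrUnknownUser
	} else if !enabled {
		return "", ErrNotInScope
	}
	return upn, nil
}

var serial int64 = 1000 // constructed serial counter for the toy CAs
func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// mint signs tmpl with issuer/issuerKey, or self-signs it when issuer is nil.
// Constructed test fixture: a toy CA, not a real PIV issuer.
func mint(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl.SerialNumber = nextSerial()
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if issuer == nil { issuer, issuerKey = tmpl, key } // self-signed CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA mints a self-signed issuing CA (constructed).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}

// IssueClientCert issues a smartcard-style client-auth certificate carrying upn as a SAN RFC822Name.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, upn string) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: upn}, EmailAddresses: []string{upn},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert, err
}

func main() {
	agencyCA, agencyKey, _ := NewCA("Agency PIV CA (constructed)")
	rogueCA, rogueKey, _ := NewCA("Rogue CA (constructed)")
	pool := x509.NewCertPool()
	pool.AddCert(agencyCA) // only the agency CA is on the trusted issuer list
	tenant := &Tenant{TrustedIssuers: pool, CBAEnabled: map[string]bool{"alice@agency.example": true, "bob@agency.example": false}}
	alice, _ := IssueClientCert(agencyCA, agencyKey, "alice@agency.example") // in scope
	bob, _ := IssueClientCert(agencyCA, agencyKey, "bob@agency.example")     // exists, not in scope
	carol, _ := IssueClientCert(agencyCA, agencyKey, "carol@agency.example") // no such user
	forged, _ := IssueClientCert(rogueCA, rogueKey, "alice@agency.example")  // untrusted issuer
	for _, c := range []*x509.Certificate{alice, bob, carol, forged} {
		upn, err := tenant.AuthenticateWithCertificate(c)
		fmt.Printf("%-20s issuer=%q -> user=%q err=%v\n", c.Subject.CommonName, c.Issuer.CommonName, upn, err)
	}
}
```

The order of the checks matters: chain validation runs before any user lookup, so a certificate from an issuer outside the trusted list never reaches the directory, and the "user exists but is not in scope" failure is only reported for certificates the tenant already trusts.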
We're working on more great features, including Windows smart card logon, CBA as a second factor of authentication, removal of the limits on the trusted issuer list, and Certificate Revocation List (CRL) support.