Check out new Azure AD Certificate-Based Authentication (CBA) enhancements
Published Jul 26 2022 07:00 PM 19.9K Views
Microsoft

In February 2022, we made an announcement of the public preview of Azure AD Certificate-Based Authentication as a part of Microsoft’s commitment toExecutive Order 14028, Improving the Nation’s Cybersecurity.   

 

The public preview process gives us the opportunity to get great feedback from folks who weren’t in the private preview. In this case, we got some great feedback and have added several important features to our existing public preview. Here are some great customer-feedback driven enhancements to Azure AD Certificate Based Authentication (CBA): 

 

  • Azure AD CBA support for Windows logon and Single Sign-On (SSO) to Azure AD applications and resources  
  • Azure AD CBA support for mobile platforms (iOS, Android) for accessing Microsoft’s applications on managed and unmanaged devices  
  • Improved administration capabilities for managing Trusted Certificate Authorities configuration in Azure AD  
  • Staged rollout support for CBA for easy and controlled migration from Active Directory Federated Server  

 

Vimala Ranganathan, Senior Product Manager on our Identity team, will walk you through the details.  
 

Thanks,   

Alex Weinert, Director of Identity Security, Microsoft   

(Twitter: @Alex_t_weinert)   

-----------------------------------------------------------

 

Hi everyone,  

   

I am Vimala from the Identity PM team, and I am excited to walk you through all the new features we’ve added to the existing public preview of Azure AD (CBA).  

   

Windows logon support  

Azure AD users on Windows 11 (22H2) can now authenticate using X.509 certificates on their smartcards directly against Azure AD at Windows logon. On Azure AD join devices and Hybrid Azure AD join devices, once the user logs into Windows with a certificate, they will get the added benefit of SSO to all applications integrated with Azure AD.  

 

sdriggers_0-1658354974446.png

 

In the future, we will also support this feature in Windows 10 and Windows Server. 

 

Mobile devices (Android and iOS) support  

Now you can use Azure AD CBA to authenticate against Azure AD using certificates provisioned on user’s device on iOS and Android devices. Both native browsers and a list of Microsoft applications are supported. Enterprises can use Mobile Device Management (MDM) solutions like Microsoft Intune to provision the client certificates or derived personal identity verification (PIVs) onto the devices they manage.   

 

Here is the list of the supported Microsoft apps:  

 

Azure Information Protection app  

sdriggers_1-1658354974449.png

 

 

Intune Company Portal  

sdriggers_2-1658354974450.png

 

 

Microsoft Teams  

sdriggers_3-1658354974451.png

 

 

Office (mobile)  

sdriggers_4-1658354974452.png

 

 

OneNote  

sdriggers_5-1658354974452.png

 

 

OneDrive  

sdriggers_6-1658354974453.png

 

 

Outlook  

sdriggers_7-1658354974454.png

 

 

Power BI  

sdriggers_8-1658354974455.png

 

 

Skype for Business  

sdriggers_9-1658354974456.png

 

 

Word / Excel / PowerPoint                

sdriggers_10-1658354974457.png

 

 

Yammer  

sdriggers_11-1658354974458.png

 

 

 

Improved administrative experience  

Making it easier for you to set up and manage CBA configuration is a priority for us. Previously you had to use PowerShell commands to upload the certificate authorities to Azure AD, but now you can seamlessly use the Azure portal to configure certificate authorities.   

 

Using the Azure portal, you can now:   

 

  • Upload certificate authorities (root CA and all the intermediate CAs) to Azure AD  
  • View all the trusted certificate authorities uploaded to the Azure AD  
  • Delete the CAs if they’re not valid  
  • Easily see the validity of the certificate based on the certificate expiry date  

 

sdriggers_12-1658354974460.png

 

What’s next   

Keep your feedback coming at Azure Active Directory Community! We’re working diligently to bring more enhancements like CBA as a second factor of authentication, removal of limits on Certificate Revocation List (CRL), support for non-routable UPNs, and external smart cards support on mobile devices.  

   

You can learn more about Microsoft’s commitment to Executive Order 14028 here.    

   

Thanks,  

Vimala  

 

 

Learn more about Microsoft identity: 

15 Comments
Co-Authors
Version history
Last update:
‎Jul 21 2022 04:32 PM
Updated by: