Microsoft Tech Community
Microsoft Entra certificate-based authentication enhancements
Published Jul 03 2024 09:00 AM

Howdy, folks! Today I'm excited to share the latest enhancements for Microsoft Entra certificate-based authentication (CBA). CBA is a phishing-resistant, passwordless, and convenient way to authenticate users with X.509 certificates, such as PIV/CAC cards, without relying on on-premises federation infrastructure, such as Active Directory Federation Services (AD FS). CBA is particularly critical for federal government organizations that are already using PIV/CAC cards and are looking to comply with Executive Order 14028, which requires phishing-resistant authentication.


Today we're announcing the general availability of many improvements we introduced earlier this year – username bindings, affinity bindings, policy rules, and advanced CBA options in Conditional Access are all GA! I am also excited to announce the public preview of an exciting new capability - issuer hints. The issuer hints feature greatly improves user experience by helping users to easily identify the right certificate for authentication.


Vimala Ranganathan, Principal Product Manager on Microsoft Entra, will now walk you through these new features that will help you in your journey toward phishing-resistant multifactor authentication (MFA).    


Thanks, and please let us know your thoughts!    

Alex Weinert   




Hello everyone, 


I’m Vimala from the Microsoft Entra PM team, and I’m excited to walk you through the new issuer hints feature, as well as the features that will go into general availability.   


The issuer hints feature improves the user experience by helping users easily identify the right certificate for authentication. When the tenant admin enables it, Entra sends back a Trusted CA Indication as part of the TLS handshake. The trusted Certificate Authority (CA) list is set to the subjects of the CAs uploaded by the tenant to the Entra trust store. The client or native application client uses the hints sent back by the server to filter the certificates shown in the certificate picker, and shows only the client authentication certificates issued by the CAs in the trust store.


Figure 1: Enhanced certificate picker with issuer hints enabled
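
The following Python example is added here to illustrate the filtering described above; it is not Microsoft's code and not part of the original post. It reads the advertised CA names from the "Acceptable client certificate CA names" section that `openssl s_client` prints, then applies them to a certificate store. The CA names, the store entries and their field names are constructed, and the fallback of showing every client authentication certificate when no hints arrive is an assumption.

```python
import re

# Constructed sample: CertificateRequest part of `openssl s_client` output.
SAMPLE_S_CLIENT = """\
---
Acceptable client certificate CA names
C = US, O = Contoso Agency, CN = Contoso Issuing CA 1
C = US, O = Contoso Agency, CN = Contoso Root CA
Requested Signature Algorithms: RSA-PSS+SHA256:RSA+SHA256
---
"""

# Constructed certificate store (hypothetical fields: subject, issuer, eku).
SAMPLE_STORE = [
    {"subject": "CN=alice-piv", "eku": ["clientAuth", "smartcardLogon"],
     "issuer": "CN=Contoso Issuing CA 1,O=Contoso Agency,C=US"},
    {"subject": "CN=alice-vpn", "eku": ["clientAuth"],
     "issuer": "CN=Fabrikam VPN CA,O=Fabrikam,C=US"},
    {"subject": "CN=alice-mail", "eku": ["emailProtection"],
     "issuer": "cn=contoso issuing ca 1, o=Contoso Agency, c=US"},
]

def normalize_dn(dn):
    """Order- and case-insensitive DN key. A simplification: real TLS
    clients compare the DER-encoded names, not their string forms."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), " ".join(value.split()).casefold()))
    return tuple(sorted(parts))

def parse_issuer_hints(s_client_output):
    """Return the normalized CA names the server advertised (empty if none)."""
    hints, in_section = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Acceptable client certificate CA names":
            in_section = True
        elif in_section:
            if "=" not in line:                    # first non-DN line ends the list
                break
            hints.append(normalize_dn(line))
    return hints

def picker_candidates(store, hints):
    """Subjects the certificate picker would offer to the user."""
    allowed = set(hints)
    return [c["subject"] for c in store
            if "clientAuth" in c["eku"]
            and (not allowed or normalize_dn(c["issuer"]) in allowed)]
```

With the constructed data, only `CN=alice-piv` remains once hints are applied; without hints the VPN certificate from the unrelated CA is offered as well.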


We’re also thrilled to announce the features below are going to be in general availability. You can read more about each of the features in detail in our public preview blog: Enhancements to Microsoft Entra certificate-based authentication - Microsoft Community Hub.


CBA username bindings: CBA has added support for the three remaining username bindings and is now at parity with on-premises Active Directory. The three bindings being added are IssuerAndSerialNumber, IssuerAndSubject, and Subject. More at Configure Username binding policy.


CBA Affinity Binding allows admins to set affinity binding at the tenant level, as well as create custom rules to use high affinity or low affinity mapping for covering many potential scenarios our customers have in use today. More at CBA Affinity Bindings.    


CBA Authentication policy rules help determine the strength of authentication as either single-factor or multifactor. Multiple custom authentication binding rules can be created to assign a default protection level to certificates based on certificate attributes: the Issuer, the Policy Object Identifier (OID), or a combination of the Issuer and OID. More at Configure authentication binding policy.


Advanced CBA options in Conditional Access allow access to specific resources based on the certificate Issuer or Policy OIDs properties. More at authentication strength advanced options.   


You can learn more about Microsoft Entra CBA here and Microsoft’s commitment to Executive Order 14028.    


What’s next     


Over the last year, we’ve seen many federal and regulated industry customers migrate off AD FS to Microsoft Entra ID seamlessly by leveraging staged migration and providing end users a familiar sign-in experience with CBA. In fact, in the last 12 months, we’ve seen an over 1400% increase in phishing-resistant authentication for United States government customers. 


Keep your feedback coming at Microsoft Entra Community! We’re working diligently to bring more enhancements like the removal of limits on Certificate Revocation List (CRL), new certificate authority trust store, CBA support on the resource tenant for B2B external guest users, and iOS UX enhancements, to name just a few! 


Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

Last update: Jul 09 2024 12:30 PM