Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

New Blog | Microsoft Entra certificate-based authentication enhancements


By Alex Weinert


Howdy, folks! Today I'm excited to share the latest enhancements for Microsoft Entra certificate-based authentication (CBA). CBA is a phishing-resistant, password less, and convenient way to authenticate users with X.509 certificates, such as PIV/CAC cards, without relying on on-premises federation infrastructure, such as Active Directory Federated Service (AD FS). CBA is particularly critical for federal government organizations that are already using PIV/CAC cards and are looking to comply with Executive Order 14028, which requires phishing-resistant authentication. 


Today we're announcing the general availability of many improvements we introduced earlier this year – username bindings, affinity bindings, policy rules, and advanced CBA options in Conditional Access are all GA! I am also excited to announce the public preview of an exciting new capability - issuer hints. The issuer hints feature greatly improves user experience by helping users to easily identify the right certificate for authentication.


Vimala Ranganathan, Principal Product Manager on Microsoft Entra, will now walk you through these new features that will help you in your journey toward phishing-resistant multifactor authentication (MFA).    


Thanks, and please let us know your thoughts!    

Alex Weinert   




Hello everyone, 


I’m Vimala from the Microsoft Entra PM team, and I’m excited to walk you through the new issuer hints feature, as well as the features that will go into general availability.   


The issuer hints feature improves user experience by helping users to easily identify the right certificate for authentication. When enabled by tenant admin, Entra will send back Trusted CA Indication as part of the TLS handshake. The trusted Certificate Authority (CA) list will be set to subject of the Certificate Authorities (CAs) uploaded by the tenant in the Entra trust store. The client or native application client will use the hints sent back by server to filter the certificates shown in certificate picker and will show only the client authentication certificates issued by the CAs in the trust store. 




Figure 1: Enhanced certificate Picker with issuer hints enabled


Read the full post here: Microsoft Entra certificate-based authentication enhancements

0 Replies