Enable Microsoft Entra ID - Certificate Based Authentication


Setup Instructions

The following guide describes how to set up Certificate Based Authentication (CBA) in Microsoft Entra ID (formerly Azure Active Directory). See the following guide for a high-level overview of the Entra ID CBA solution.


Prerequisites

  • Office 365 or Microsoft Entra ID free tier or greater.
  • Hold the Global Administrator and Authentication Policy Administrator roles in the Azure tenant.
  • Have the public certificates of the smart card issuing Certificate Authority (CA) and of any intermediate CAs available.
  • Have access to a user certificate which has been issued from a trusted Public Key Infrastructure (PKI) configured on the tenant.
  • Have a Certificate Revocation List (CRL) accessible to Microsoft Entra ID over HTTP.

Steps

Upload the Certificate Authority public certificate chain

  1. Sign into the Microsoft Entra ID Portal as a Global Administrator
  2. Select Azure Active Directory -> Security from the menu on the left-side pane
  3. Select Certificate authorities from the left-side pane
  4. Select Upload
  5. Locate and select the Certificate Authority file from your local device
  6. Select Yes if the CA is a root certificate, otherwise select No
  7. Similarly, upload additional certificates in the Certificate Authority certificate chain.
  8. Set the HTTP internet-facing URL for the Certification Authority's base CRL that contains all revoked certificates
  9. Optional: Set the Delta CRL URL
  10. Click Add

Enable CBA as an Authentication Method

Entra ID CBA can be enabled as a method for all users or subsets of users in the tenant.

  1. Sign into the Azure Portal as an Authentication Policy Administrator.
  2. Select Azure Active Directory -> Security from the menu on the left-side pane
  3. Select Authentication methods on the left-side pane
  4. Select Policies on the left-side pane
  5. Select Certificate-based authentication from the list of shown methods
  6. Select Enable and Target
  7. Toggle the switch to Enable the method
  8. Select Include and select the users that will be allowed to use CBA as an authentication method
  9. Optional: Select Exclude to list users that will not be allowed to use CBA as an authentication method
  10. Select Save

Configure Authentication Binding Policy

The Authentication Binding policy determines the strength of a CBA sign-in by assigning it a protection level of either Single-factor or Multi-factor. The default value is Single-factor and can be changed by an administrator. Microsoft Entra ID also supports rules that set the protection level based on the certificate issuer Subject or on certificate policy OIDs. For simplicity this guide only describes setting the default protection level.

  1. Sign into the Azure Portal as an Authentication Policy Administrator.
  2. Select Azure Active Directory -> Security from the menu on the left-side pane
  3. Select Authentication methods on the left-side pane
  4. Select Policies on the left-side pane
  5. Select Certificate-based authentication from the list of shown methods
  6. Select Configure
  7. Set the default protection level to Multi-factor authentication. For each successful CBA sign-in, this setting determines whether the authentication event satisfies the multi-factor authentication requirement of Conditional Access policies.
  8. Select Save


Configure Username Binding Policy

The username binding policy determines how the presented certificate is matched to a user in the Entra ID tenant. By default, Entra ID CBA maps the Principal Name from the certificate to the UserPrincipalName attribute on the user object.

  1. Sign into the Azure Portal as an Authentication Policy Administrator.
  2. Select Azure Active Directory -> Security from the menu on the left-side pane
  3. Select Authentication methods on the left-side pane
  4. Select Policies on the left-side pane
  5. Select Certificate-based authentication from the list of shown methods
  6. Select Configure
  7. Under the Username binding section, select the highest priority certificate attribute that will be used for mapping, then select the corresponding user attribute from the drop-down to complete the mapping
  8. If multiple bindings will be attempted, make sure the highest priority binding is at the top of the list
  9. See this Microsoft guidance for more details
  10. Once all the bindings have been completed and prioritized, select Save
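The three policy sections above (enabling CBA for a target group, the authentication binding default, and the username binding order) can also be applied and verified in one step through the Microsoft Graph x509Certificate authentication method configuration. The following PowerShell is an added example, not part of this guide; it assumes the Microsoft.Graph module is installed, the signed-in account holds the Authentication Policy Administrator role, and $TargetGroupId is a placeholder for the pilot group's object id.

```powershell
# Added example: set the CBA policy via Microsoft Graph and read it back.
# Assumptions: Microsoft.Graph module installed; caller has the
# Authentication Policy Administrator role; $TargetGroupId is a placeholder.
$TargetGroupId = "all_users"   # placeholder: "all_users" or a group object id

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate"

$policy = @{
    "@odata.type" = "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration"
    state = "enabled"
    # Authentication binding: default protection level = Multi-factor
    authenticationModeConfiguration = @{
        x509CertificateAuthenticationDefaultMode = "x509CertificateMultiFactor"
        rules = @()
    }
    # Username binding: lowest priority number is tried first
    certificateUserBindings = @(
        @{ x509CertificateField = "PrincipalName"; userProperty = "userPrincipalName"; priority = 1 }
        @{ x509CertificateField = "RFC822Name";    userProperty = "userPrincipalName"; priority = 2 }
    )
    # Enable and target: the users allowed to use CBA
    includeTargets = @(
        @{ targetType = "group"; id = $TargetGroupId; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($policy | ConvertTo-Json -Depth 6)

# Read the effective policy back and check the settings Conditional Access depends on
$cfg  = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
$mode = $cfg.authenticationModeConfiguration.x509CertificateAuthenticationDefaultMode
$top  = $cfg.certificateUserBindings | Sort-Object priority | Select-Object -First 1

if ($cfg.state -ne "enabled") { Write-Warning "CBA is not enabled" }
if ($mode -ne "x509CertificateMultiFactor") {
    Write-Warning "Default protection level is $mode; CBA sign-ins will not satisfy MFA in Conditional Access"
}
if ($top.x509CertificateField -ne "PrincipalName" -or $top.userProperty -ne "userPrincipalName") {
    Write-Warning "Highest-priority binding is $($top.x509CertificateField) -> $($top.userProperty)"
}
"state=$($cfg.state) mode=$mode bindings=$($cfg.certificateUserBindings.Count)"
```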