Setup Instructions
The following guide describes how to set up Microsoft Entra ID (formerly Azure Active Directory, AAD) certificate-based authentication (CBA). See the following guide for a high-level overview of the Entra ID CBA solution.
Prerequisites
- An Office 365 or Microsoft Entra ID tenant (Free tier or higher).
- Hold the Global Administrator role (used to upload the CA certificate chain) and the Authentication Policy Administrator role (used to change authentication method policies) in the tenant.
- Have the public certificates of the smart card issuing Certificate Authority (CA), any intermediate CAs and the root CA available.
- Have access to a user certificate issued by the trusted Public Key Infrastructure (PKI) that will be configured on the tenant, carrying the value (by default the Principal Name in the subject alternative name) that will be bound to the user.
- Have each CA's Certificate Revocation List (CRL) published at an internet-facing HTTP URL that Microsoft Entra ID can download without authentication.
Steps
Upload the Certificate Authority public certificate chain
- Sign into the Microsoft Entra ID Portal as a Global Administrator
- Select Azure Active Directory -> Security from the menu on the left-side pane
- Select Certificate authorities from the left-side pane
- Select Upload
- Locate and select the Certificate Authority file from your local device
- Select Yes if the file is the root CA certificate, otherwise select No (intermediate CA)
- Similarly, upload the remaining certificates in the Certificate Authority certificate chain, so that every issuer of a user certificate is trusted by the tenant.
- Set the internet-facing HTTP URL of this CA's base CRL (the full list of certificates the CA has revoked); it should match the CRL distribution point carried in the certificates the CA issues
- Optional: Set the Delta CRL URL
- Click Add
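Before uploading the chain it is worth rehearsing, offline, the checks Entra ID will perform once it has the root and intermediate certificates and the CRL. The following shell script is an added example written for this page, not Microsoft's code or tooling: it builds a constructed two-tier PKI with openssl (root CA, issuing CA, one valid and one revoked user certificate carrying a UPN subject alternative name), issues a CRL, and then verifies each user certificate the way the service does, chaining to the uploaded root and checking the CRL. It also extracts the two values the procedure depends on: the CRL distribution point URI in the issued certificates (the HTTP URL you enter for the CA) and the PrincipalName value used by the default username binding. All names, subjects and the CRL URL are hypothetical, and the URL is never fetched.

```shell
#!/bin/sh
# Constructed throw-away PKI (root -> issuing CA -> users) built with openssl to rehearse
# what Entra ID checks against the uploaded chain: path validation, CRL revocation, the
# CRL URL you enter, and the PrincipalName used for username binding. Names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CRL_URL="http://crl.contoso.example/issuing.crl"   # hypothetical; Entra ID fetches plain HTTP

# write_ca_cnf <name>: minimal config so `openssl ca` can sign certificates and issue CRLs
write_ca_cnf() {
  mkdir -p "$WORK/$1/newcerts"; : > "$WORK/$1/index.txt"
  echo 1000 > "$WORK/$1/serial"; echo 1000 > "$WORK/$1/crlnumber"
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = ca_default
[ca_default]
dir = $WORK/$1
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir/newcerts
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[policy_any]
commonName = supplied
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# issue_user <issuer> <name> <upn>: end-entity certificate with the UPN in the SAN
# (otherName 1.3.6.1.4.1.311.20.2.3, the field Entra ID calls PrincipalName) and a CRL DP
issue_user() {
  cat > "$WORK/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$3
crlDistributionPoints = URI:$CRL_URL
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" -subj "/CN=$3" \
    -config "$WORK/$1.cnf" -out "$WORK/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/$1.cnf" -extfile "$WORK/$2.ext" \
    -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}

# build_pki: root, issuing CA, alice (valid), bob (revoked) and the issuing CA's CRL
build_pki() {
  write_ca_cnf root; write_ca_cnf issuing
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -days 3650 \
    -subj "/CN=Contoso Root CA" -config "$WORK/root.cnf" -extensions ca_ext \
    -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/issuing.key" \
    -subj "/CN=Contoso Issuing CA" -config "$WORK/issuing.cnf" -out "$WORK/issuing.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/root.cnf" -extensions ca_ext \
    -in "$WORK/issuing.csr" -out "$WORK/issuing.crt" 2>/dev/null
  issue_user issuing alice "alice@contoso.example"
  issue_user issuing bob "bob@contoso.example"
  openssl ca -config "$WORK/issuing.cnf" -revoke "$WORK/bob.crt" 2>/dev/null
  openssl ca -config "$WORK/issuing.cnf" -gencrl -out "$WORK/issuing.crl" 2>/dev/null
}

# verify_user <cert>: the check Entra ID performs with the uploaded root + intermediate
# and the CRL it downloaded; exit status 0 only if the chain is valid and not revoked
verify_user() {
  openssl verify -crl_check -CRLfile "$WORK/issuing.crl" -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/issuing.crt" "$1" >/dev/null 2>&1
}

# crl_dp <cert>: the CRL URI the issued certificates advertise; enter the same value as the CA's CRL URL
crl_dp() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^ ,]*\).*/\1/p' | head -n1
}

# cert_upn <cert>: the PrincipalName value the default binding compares with userPrincipalName
# (OpenSSL 3 prints the UPN otherName; OpenSSL 1.1 prints "othername:<unsupported>")
cert_upn() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*UPN:[: ]*\([^ ,]*\).*/\1/p' | head -n1
}

if [ "${1:-}" = "demo" ]; then
  build_pki
  for u in alice bob; do
    if verify_user "$WORK/$u.crt"; then echo "$u: chain OK, not revoked"; else echo "$u: rejected"; fi
  done
  echo "CRL URL: $(crl_dp "$WORK/alice.crt")  UPN: $(cert_upn "$WORK/alice.crt")"
fi
```

Run it as `sh cba_pki_check.sh demo` (the file name is arbitrary). Point `verify_user` at a real smart card certificate, with `root.crt`, `issuing.crt` and the CRL replaced by the files you are about to upload and the CRL downloaded from the URL you are about to enter, and you have reproduced the service's decision before touching the tenant; if `crl_dp` disagrees with the URL you enter, or the CRL cannot be fetched over plain HTTP from the internet, that is the misconfiguration to fix first.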
Enable CBA as an Authentication Method
Entra ID CBA can be enabled as a method for all users or subsets of users in the tenant.
- Sign into the Azure Portal as an Authentication Policy Administrator.
- Select Azure Active Directory -> Security from the menu on the left-side pane
- Select Authentication methods on the left-side pane
- Select Policies on the left-side pane
- Select Certificate-based authentication from the list of shown methods
- Select Enable and Target
- Toggle the switch to Enable the method
- Select Include and select the users that will be allowed to use CBA as an authentication method
- Optional: Select Exclude to list users that will not be allowed to use CBA as an authentication method
- Select Save
Configure Authentication Binding Policy
The authentication binding policy assigns a protection level, single-factor or multi-factor, to sign-ins that use CBA. The default value is single-factor and can be changed by an administrator. Microsoft Entra ID can also assign a protection level by rule, keyed on the certificate issuer subject or on a certificate policy OID, so that only certificates from a given issuer or template count as multi-factor. For simplicity this guide only describes setting the default protection level.
- Sign into the Azure Portal as an Authentication Policy Administrator.
- Select Azure Active Directory -> Security from the menu on the left-side pane
- Select Authentication methods on the left-side pane
- Select Policies on the left-side pane
- Select Certificate-based authentication from the list of shown methods
- Select Configure
- Set the default protection level to Multi-factor authentication. For a successful sign-in that uses CBA, this setting determines whether the sign-in satisfies the multi-factor authentication requirement of Conditional Access policies, so choose it only when the issuing PKI keeps private keys on smart cards or similar hardware protected by a PIN.
- Select Save
Configure Username Binding Policy
The username binding policy determines how the user presenting a certificate is identified in the Entra ID tenant: a field of the certificate is matched against an attribute of the user object. By default Entra ID CBA maps the Principal Name (the UPN subject alternative name) of the certificate to the UserPrincipalName attribute of the user object.
- Sign into the Azure Portal as an Authentication Policy Administrator.
- Select Azure Active Directory -> Security from the menu on the left-side pane
- Select Authentication methods on the left-side pane
- Select Policies on the left-side pane
- Select Certificate-based authentication from the list of shown methods
- Select Configure
- Beneath the Username binding section, select the certificate attribute that will be used for the highest-priority mapping, then from the drop-down select the user attribute it maps to
- If multiple bindings will be attempted, make sure the highest priority binding is at the top of the list
- See this Microsoft guidance for more details
- Once all the bindings have been completed and prioritized, select Save
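The authentication binding and username binding settings from the two sections above, together with enabling the method for all users, are properties of one Microsoft Graph resource, the x509Certificate authentication method configuration. The following shell script is an added example for this page, not Microsoft's own tooling: it writes the policy body (default protection level multi-factor, one hypothetical issuer-subject rule, and the bindings listed in priority order, PrincipalName to userPrincipalName first and RFC822Name to userPrincipalName second), checks that the bindings are in ascending priority before sending, and applies it with `az rest`, which obtains the Graph token from an Azure CLI session held by an Authentication Policy Administrator. The issuer subject `CN=Contoso Issuing CA` and the second binding are assumptions to adapt to your PKI.

```shell
#!/bin/sh
# Added example: Entra ID CBA policy (enable, authentication binding, username binding)
# expressed as the Graph x509Certificate authentication method configuration.
# Issuer subject and the RFC822Name binding are hypothetical; change them for your PKI.
set -eu

CBA_POLICY_URL="https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate"

# cba_policy_body: default protection level MFA, one issuer rule, and bindings in priority
# order (priority 1 is tried first, so PrincipalName -> userPrincipalName wins when present)
cba_policy_body() {
  cat <<'EOF'
{
  "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
  "id": "X509Certificate",
  "state": "enabled",
  "certificateUserBindings": [
    { "x509CertificateField": "PrincipalName", "userProperty": "userPrincipalName", "priority": 1 },
    { "x509CertificateField": "RFC822Name", "userProperty": "userPrincipalName", "priority": 2 }
  ],
  "authenticationModeConfiguration": {
    "x509CertificateAuthenticationDefaultMode": "x509CertificateMultiFactor",
    "rules": [
      { "x509CertificateRuleType": "issuerSubject",
        "identifier": "CN=Contoso Issuing CA",
        "x509CertificateAuthenticationMode": "x509CertificateMultiFactor" }
    ]
  },
  "includeTargets": [
    { "targetType": "group", "id": "all_users", "isRegistrationRequired": false }
  ],
  "excludeTargets": []
}
EOF
}

# check_binding_order <json>: fail unless the bindings appear in strictly ascending priority,
# so the list reads top-down the same way the portal and the evaluation order do
check_binding_order() {
  prev=0
  for p in $(printf '%s\n' "$1" | sed -n 's/.*"priority": *\([0-9]*\).*/\1/p'); do
    [ "$p" -gt "$prev" ] || return 1
    prev=$p
  done
  return 0
}

# apply_cba_policy: PATCH the policy, then read back the default mode as confirmation
apply_cba_policy() {
  body=$(cba_policy_body)
  check_binding_order "$body" || { echo "bindings are not in priority order" >&2; return 1; }
  az rest --method PATCH --url "$CBA_POLICY_URL" \
    --headers "Content-Type=application/json" --body "$body"
  az rest --method GET --url "$CBA_POLICY_URL" \
    --query authenticationModeConfiguration.x509CertificateAuthenticationDefaultMode -o tsv
}

if [ "${1:-}" = "apply" ]; then
  apply_cba_policy
fi
```

Run `az login` as an Authentication Policy Administrator and then `sh cba_policy.sh apply`; the read-back should print `x509CertificateMultiFactor`. The rule list is where the per-issuer and per-policy-OID protection levels described earlier go, and a `policyOID` rule with the OID of your smart card template is the usual way to keep software certificates from the same CA at single-factor.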