As you may already know, you can use certificate-based authentication with Active Directory Federation Services (ADFS).
Well, good news: you can now also enable certificate-based authentication with Azure AD without deploying a federation service infrastructure.
You will still need a properly deployed and configured Public Key Infrastructure (PKI), which makes sense, since the PKI is what issues and manages the certificates.
Now, if you want to enable certificate-based authentication with Azure AD, your certificate authority (CA) must be configured to publish a CRL distribution point (CDP) over HTTP; OCSP and LDAP URLs are not supported.
Then you will have to make your CRL distribution point reachable from the internet; you can use Azure AD Application Proxy to publish it.
This also means your users must be managed by Active Directory and synchronized with Azure AD, and your users must be authorized to request a User certificate (which is the default when you deploy a PKI).
To allow end users to request certificates, you can either publish the “certsrv” virtual directory or use the Intune Certificate Connector with Intune policies (a SCEP certificate profile) to generate the certificate on behalf of the user (see https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep).
Once this is done and you have validated that your CRL distribution point is reachable from the internet, you can start configuring Azure AD to use certificate-based authentication.
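Because Azure AD only follows HTTP CDPs and fetches the CRL from the public internet, it is worth checking the CDP the way Azure AD will see it before going further. The function below is an added example, not code from the original post: it reads the CRL Distribution Points extension out of a certificate issued by your CA (a user certificate is the right input, since its CDP names the CRL Azure AD will download), flags any LDAP or non-HTTP URL as unusable, downloads each HTTP URL without authentication, and asks certutil to parse the result. The certificate path is a placeholder, it assumes Windows PowerShell on a machine outside your corporate network (so the download really goes through the published endpoint), and the NextUpdate extraction is best-effort text matching on certutil's output.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell (certutil.exe
# is a built-in Windows tool). Pass a certificate issued by the CA, because its CDP
# extension points at the CRL that Azure AD will fetch during sign-in.
function Test-CbaCrlDistributionPoint {
    param([Parameter(Mandatory)] [string] $CertPath)   # placeholder: path to an issued .cer

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { throw "No CRL Distribution Points extension in $($cert.Subject)" }

    # Format($true) renders the extension as text with one 'URL=<uri>' per distribution point.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($u in $urls) {
        $r = [ordered]@{ Url = $u; Scheme = ([uri]$u).Scheme; Usable = $false; NextUpdate = ''; Reason = '' }

        if ($r.Scheme -ne 'http') {
            # Azure AD CBA ignores LDAP, HTTPS and OCSP endpoints; only plain HTTP CDPs are followed.
            $r.Reason = "Azure AD CBA only supports HTTP CDPs; '$($r.Scheme)' will be ignored"
            [pscustomobject]$r
            continue
        }

        $tmp = Join-Path $env:TEMP ("cba-crl-{0}.crl" -f [guid]::NewGuid())
        try {
            # No credentials, no proxy tricks: this must work anonymously, exactly as Azure AD does it.
            Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
            $bytes = [System.IO.File]::ReadAllBytes($tmp)

            # A DER-encoded CRL starts with a SEQUENCE tag (0x30); an HTML error page does not.
            if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
                $r.Reason = "Reachable, but the body does not look like a DER CRL ($($bytes.Length) bytes)"
            } else {
                # Let certutil parse it; a non-zero exit code means the CRL is malformed.
                $dump = & certutil.exe -dump $tmp 2>&1
                if ($LASTEXITCODE -eq 0) {
                    $r.Usable = $true
                    $r.Reason = "Valid CRL, $($bytes.Length) bytes"
                    $m = [regex]::Match(($dump -join "`n"), 'NextUpdate:\s*(.+)')
                    if ($m.Success) { $r.NextUpdate = $m.Groups[1].Value.Trim() }
                } else {
                    $r.Reason = 'Downloaded, but certutil could not parse it as a CRL'
                }
            }
        } catch {
            $r.Reason = "Download failed: $($_.Exception.Message)"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
        [pscustomobject]$r
    }
}

# Usage (placeholder path): every row must show Usable = True for the HTTP CDP, and
# the NextUpdate must be in the future, or sign-ins will fail revocation checking.
Test-CbaCrlDistributionPoint -CertPath 'C:\temp\user-cert.cer' | Format-Table -AutoSize
```

Run this from a machine that is not joined to the internal network; a CDP that resolves only through internal DNS or an LDAP URL that looks fine from a domain member is exactly the failure that only shows up when Azure AD tries to fetch the CRL.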
Supported Scenarios
The following scenarios are supported:
- User sign-ins to web browser-based applications on all platforms.
- User sign-ins on mobile native browsers.
- Support for granular authentication rules for multifactor authentication by using the certificate issuer Subject and policy OIDs.
- Configuring certificate-to-user account bindings by using the certificate Subject Alternate Name (SAN) principal name and SAN RFC822 name.
Unsupported Scenarios
The following scenarios aren’t supported:
- Public Key Infrastructure for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices.
- Certificate Authority hints aren’t supported, so the list of certificates that appears for users in the UI isn’t scoped.
- Windows login using smart cards on Windows devices.
- Only one CRL Distribution Point (CDP) for a trusted CA is supported.
- The CDP can be only HTTP URLs. We don’t support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.
- Configuring other certificate-to-user account bindings, such as using the subject field, or keyid and issuer, isn’t available in this release.
- Currently, passwords can’t be disabled when CBA is enabled, and the option to sign in using a password is still displayed.
Preparation
You will need the Azure AD PowerShell module, version 2.0.0.333 or later (currently 2.0.2.140).
Install-Module -Name AzureAD
Connect-AzureAD
Then retrieve the trusted certificate authorities currently configured for your tenant; your CA should appear in the output.
Get-AzureADTrustedCertificateAuthority
Publish your CA
If you don’t see your CA in the output of the previous command, register it with the following commands (the .cer file must be a Base-64 encoded export of the CA certificate):
$cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]"
$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType=0    # 0 = root CA, 1 = intermediate (issuing) CA
$new_ca.TrustedCertificate=$cert
$new_ca.crlDistributionPoint="<CRL Distribution URL>"    # must be the HTTP CDP reachable from the internet
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
Remove a CA
You can remove a CA by listing the registered CAs and passing the entry to remove; the array is zero-based, so $c[2] is the third CA in the list.
$c=Get-AzureADTrustedCertificateAuthority
Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[2]
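The publish and remove steps above work by array index, which is easy to get wrong on a tenant with several CAs and creates duplicate entries if the publish step is run twice. As an added example (not code from the original post), the two functions below wrap the same cmdlets so that a CA is identified by its thumbprint: registering is idempotent, an existing entry whose CDP changed is updated in place with Set-AzureADTrustedCertificateAuthority, and removal targets a thumbprint rather than a position. It assumes the AzureAD module in Windows PowerShell 5.1 (where Get-Content -Encoding byte returns a byte array) and that Connect-AzureAD has already succeeded; the file path, CRL URL and thumbprint in the usage lines are placeholders, and it assumes the TrustedCertificate property returned by Get-AzureADTrustedCertificateAuthority is the raw certificate bytes.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1, the AzureAD
# module, and an existing Connect-AzureAD session. AuthorityType: 0 = root CA, 1 = intermediate.
function ConvertTo-X509 {
    param([byte[]] $Bytes)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
}

function Register-CbaCertificateAuthority {
    param(
        [Parameter(Mandatory)] [string] $CerPath,   # Base-64 (.cer) export of the CA certificate
        [Parameter(Mandatory)] [string] $CrlUrl,    # the single HTTP CDP Azure AD will fetch
        [switch] $Intermediate                      # set when registering an issuing/intermediate CA
    )

    # Reject what Azure AD CBA cannot use before touching the tenant: HTTP only, no OCSP/LDAP.
    if ($CrlUrl -notmatch '^http://') {
        throw "CDP must be an HTTP URL (OCSP and LDAP are not supported): $CrlUrl"
    }

    $bytes = Get-Content -Encoding byte -Path $CerPath
    $x509  = ConvertTo-X509 $bytes

    # Match on thumbprint (assumption: TrustedCertificate holds the certificate bytes) so that
    # running this script twice never produces a second entry for the same CA.
    $existing = Get-AzureADTrustedCertificateAuthority | Where-Object {
        (ConvertTo-X509 ([byte[]]$_.TrustedCertificate)).Thumbprint -eq $x509.Thumbprint
    }

    if ($existing) {
        if ($existing.crlDistributionPoint -ne $CrlUrl) {
            # Same CA, new CDP: update the existing entry instead of adding a duplicate.
            $existing.crlDistributionPoint = $CrlUrl
            Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $existing | Out-Null
            return "Updated CDP for $($x509.Subject) [$($x509.Thumbprint)]"
        }
        return "Already registered: $($x509.Subject) [$($x509.Thumbprint)]"
    }

    $ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $ca.AuthorityType        = if ($Intermediate) { 1 } else { 0 }
    $ca.TrustedCertificate   = $bytes
    $ca.crlDistributionPoint = $CrlUrl
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca | Out-Null
    return "Registered: $($x509.Subject) [$($x509.Thumbprint)]"
}

function Unregister-CbaCertificateAuthority {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # Remove by identity, not by array position, so a re-ordered list cannot delete the wrong CA.
    foreach ($c in Get-AzureADTrustedCertificateAuthority) {
        if ((ConvertTo-X509 ([byte[]]$c.TrustedCertificate)).Thumbprint -eq $Thumbprint) {
            Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c | Out-Null
            return $true
        }
    }
    return $false
}

# Usage (placeholder values). Register the root first, then the issuing CA that signs user certificates.
Register-CbaCertificateAuthority -CerPath 'C:\pki\root-ca.cer'    -CrlUrl 'http://pki.example.com/crl/root-ca.crl'
Register-CbaCertificateAuthority -CerPath 'C:\pki\issuing-ca.cer' -CrlUrl 'http://pki.example.com/crl/issuing-ca.crl' -Intermediate
# Unregister-CbaCertificateAuthority -Thumbprint '<THUMBPRINT OF THE CA TO REMOVE>'
```

Keeping the registration keyed on the thumbprint also gives you a cheap drift check: re-running the script on a schedule reports “Already registered” for every CA that is still in the tenant and re-adds anything that was removed, and the HTTP-only guard stops an LDAP CDP from being pushed into the tenant where it would silently fail revocation checking.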
Enable certificate-based authentication
Now that your PKI is in place and your CA certificate is registered in Azure AD, you can enable certificate-based authentication from the Azure AD portal (https://aad.portal.azure.com/).
The authentication methods available in Azure AD are configured from the Azure AD\Security\Authentication methods\Policies blade.
You can make certificate-based authentication available to all users or to a selected group of users.
After enabling certificate-based authentication, you need to configure the authentication method; by default, certificate-based authentication counts as single-factor authentication, but you can switch it to multifactor too.
Then you must add authentication binding rules that identify either the CA that issued the user certificate or the policy OID it carries.
You can add multiple rules; the first rule has the highest priority.
Now your users will be able to sign in with a certificate if they hold a valid user certificate; depending on your authentication method policies, they may first need to click Other ways to sign in to be able to select Sign in with a certificate.
When selecting Sign in with a certificate, a certificate selection pop-up appears to let the user choose the certificate to use.