Microsoft has announced the public preview of Azure Active Directory certificate-based authentication across its commercial and U.S. government clouds, a response to President Joe Biden’s executive order on cybersecurity designed to push the government to zero trust.
The offering is designed to help government customers meet phishing-resistant MFA using the PIV/CAC cards, and it can also help organizations move towards zero trust and passwordless authentication.
Today’s news: Azure AD support for certificate-based authentication is now in public preview. Great way to go passwordless and strengthen your Zero Trust security! https://t.co/lviRGewoTV
— Alex Simons (@Alex_A_Simons) February 14, 2022
Vimala Ranganathan, product manager of identity security at Microsoft, says Azure AD certificate-based authentication (Azure AD CBA) allows for users to authenticate using X.509 certificates on their smartcards or devices directly against Azure AD for browser and application sign-in.
The key benefits, Ranganathan says, include higher security with phish-resistant authentication, cost and risk reduction with on-premises federation infrastructure, a simplified management experience in Azure AD and meeting the requirements of Executive Order 14028.
In a Tech Community blog, Ranganathan says authentication using X.509 certificates against Azure AD previously required a federated identity provider (IdP) such as AD FS. With Azure AD CBA, customers can authenticate directly against Azure AD without the need for a federated IdP.
According to Microsoft, these are the steps an admin should take to enable CBA:
- Privileged Authentication Admin: Upload the root, intermediate and issuer certificates. Configure Certificate Authority.
- (Optional) Authentication Policy Admin: Configure authentication bindings (MFA). All certs bind to signal-factor auth by default.
- (Optional) Authentication Policy Admin: Configure username binding. Binds principal name to UPN by default.
- Authentication Policy Admin: Enable Certificate-based authentication.
Once end users type in a User Principal Name (UPN), they will see a “sign in with a certificate” link on the password screen. They will then be prompted to select the correct client certificate.
Ranganathan notes that if CBA is enabled on the tenant, all users in the tenant will see the link to sign in with a certificate on the sign-in page. Only users in the scope for CBA will be able to authenticate successfully against Azure AD, and the rest will see a failure.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply