Certificate Based Authentication (CBA) against Azure AD reached general availability last month. Here is a short guide on how to configure and test it.
First of all, the official documentation about CBA can be found at the links below.
CBA is now supported on both iOS and Android and removes the need for a username and password when authenticating. The requirements are:
- Access to a certification authority (CA) to issue client certificates
- Each CA must have a certificate revocation list (CRL) that can be referenced via an Internet-facing URL
- Client certificates must be provisioned on mobile devices, typically done using MDM
- For EAS clients, the RFC822 Name or Principal Name value in the certificate's Subject Alternative Name field must contain the user's email address
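Before deploying anything, it is worth checking a sample client certificate against the requirements above. The following is an added example, not code from the original post: it loads a certificate file, checks for the Client Authentication EKU, looks for the user's email address in the RFC822 Name or Principal Name SAN entries, and tries to fetch every HTTP CRL distribution point to confirm the CRL is reachable over the Internet. The certificate path and the email address are placeholders. It relies on Windows PowerShell, where `X509Extension.Format()` renders the extensions in readable form.

```powershell
function Test-CbaClientCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,       # placeholder path to an exported client cert (.cer)
        [Parameter(Mandatory)][string]$ExpectedEmail   # the user's primary SMTP address
    )
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $result = [ordered]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }

    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) must be present on the certificate.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $result.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.2" })

    # Subject Alternative Name (OID 2.5.29.17): RFC822 Name or Principal Name must carry the email address.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($true) } else { "" }
    $result.SanRfc822 = $sanText -match ("RFC822 Name=" + [regex]::Escape($ExpectedEmail))
    $result.SanUpn    = $sanText -match ("Principal Name=" + [regex]::Escape($ExpectedEmail))

    # CRL Distribution Points (OID 2.5.29.31): Azure AD needs an Internet-facing HTTP(S) CRL URL.
    $cdp     = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { "" }
    $result.CrlUrls = [regex]::Matches($cdpText, 'https?://\S+') | ForEach-Object { $_.Value }
    $result.CrlReachable = foreach ($url in $result.CrlUrls) {
        try   { (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
        catch { $false }
    }

    # Overall verdict: EKU present, email in at least one SAN type, at least one CRL URL answered.
    $result.Ok = $result.ClientAuthEku -and ($result.SanRfc822 -or $result.SanUpn) -and ($result.CrlReachable -contains $true)
    [pscustomobject]$result
}

# Placeholder values; replace with a real exported certificate and the user's address.
Test-CbaClientCertificate -CertPath "C:\Temp\user.cer" -ExpectedEmail "user@contoso.com"
```

Run it from a machine outside the corporate network so that the CRL reachability test reflects what Azure AD will see. A certificate that only lists an LDAP distribution point, or whose HTTP URL is reachable only on the intranet, will fail revocation checking even though the rest of the setup is correct.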
Certificate based authentication needs to be enabled in AD FS. Because CBA is in practice used only from the Internet, I enabled it only for the extranet.
The Issuer and Serial Number claims need to be sent to Azure AD; Azure AD uses them to match the client certificate to a published trusted CA and to check the serial number against that CA's CRL.
The certificate authority needs to be published to Azure AD. This is done with the Azure AD PowerShell module after Connect-AzureAD; the CRL URL below is a placeholder for your own Internet-facing CRL:
$cert = Get-Content -Encoding byte "C:\Temp\Root CA.crt"
$new_ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType = 0    # 0 = root CA, 1 = intermediate CA
$new_ca.TrustedCertificate = $cert
$new_ca.crlDistributionPoint = "http://crl.example.com/RootCA.crl"    # must be reachable from the Internet
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
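The AD FS side of the two steps above (enabling certificate authentication for the extranet and issuing the issuer and serial number claims) can be scripted as well. The following is an added example, not the original post's code: it runs on the primary AD FS server, sets certificate authentication as an extranet primary provider with forms authentication kept as a fallback, and appends the two certificate claim rules to the Office 365 relying party trust without duplicating them on re-runs. The relying party display name "Microsoft Office 365 Identity Platform" is the default created by Convert-MsolDomainToFederated and is an assumption; adjust it if your trust is named differently.

```powershell
Import-Module ADFS

# 1. Extranet primary authentication: client certificates, with forms as fallback
#    for clients that have no certificate. The intranet policy is left untouched,
#    matching the decision to use CBA only from the Internet.
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider @("CertificateAuthentication", "FormsAuthentication")

# 2. Issuance transform rules that pass the certificate issuer and serial number
#    through to Azure AD. The claim types are AD FS's certificate context claims.
$rpName = "Microsoft Office 365 Identity Platform"   # assumption: default display name of the O365 trust
$rp     = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

$certRules = @'
@RuleName = "Issue certificate issuer"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]
 => issue(claim = c);

@RuleName = "Issue certificate serial number"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/serialnumber"]
 => issue(claim = c);
'@

# Append only once, so the script is safe to re-run.
if ($rp.IssuanceTransformRules -notmatch "certificatecontext/field/serialnumber") {
    $newRules = $rp.IssuanceTransformRules + "`r`n" + $certRules
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules
}

# 3. Verify: the extranet providers and the trust's rule set should now show
#    CertificateAuthentication and the two new rules.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryExtranetAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

On the Azure AD side, Get-AzureADTrustedCertificateAuthority lists the CAs published with New-AzureADTrustedCertificateAuthority, which is a quick way to confirm the root certificate and CRL URL landed in the tenant before testing from a device.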
CBA In Action
After everything is set up, it is time to test certificate based authentication to Exchange Online from an iOS device. As a prerequisite the iOS device has been enrolled in the corporate Intune tenant for MDM. When enrolment has succeeded, the Intune certificate profiles are deployed to the device with the correct certificates.
Mail profile, installed by the EAS profile, pointing to outlook.office365.com
And that's about it. The benefit of configuring Azure AD CBA for Android and iOS devices is passwordless authentication against Azure AD and Exchange Online. A client certificate removes the password, and with it password phishing and reuse, from the sign-in flow, and from the end user's point of view it is easy to deploy and use. Note that the security now rests on the private key staying on the MDM-managed device and on the CRL being published and reachable, since revocation is the only way to cut off a lost or compromised device.