Certificate Based Authentication against Azure AD was published GA mode last month. Here is short guide how to configure and test it.

First of all, official documentation about CBA is found links below

Certificate Based Authentication for Exchange Online

Get started with Certificate Based Authentication

CBA is now supported for both iOS and Android and eliminates username+password need for authentication.


  • Access to a certification authority (CA) to issue client certificates
  • Each CA must have a certificate revocation list (CRL) that can be referenced via an Internet-facing URL
  • Client certificates must be provisioned on mobile devices, typically done using MDM
  • For EAS clients, the RFC822 Name OR Principal Name value in the certificate’s Subject Alternative Name field must have the user’s email address


 In my case I’m using internal PKI and NDES with Intune integration to achieve certificate enrolment automatically to mobile devices. NDES is published via Web Application Proxy to Internet for mobile devices to reach NDES service outside corporate network. Basic architecture of the environment below.
Guidance how to install NDES (Network Device Enrolment Service) and how to configure Intune profiles etc. is found from links below:
Certificates are distributed via NDES to mobile devices and needs to have RFC Name OR Principal Name as “Subject Alternative Name” extension

Certificate based authentication needs to be enabled from ADFS. Because CBA is basically used only from Internet I enabled it only from extranet


Claims of Issuer and Serial Number needs to be sent to Azure AD



Azure AD – Certificate Authority needs to be published

$cert=Get-Content -Encoding byte “C:\Temp\Root CA.crt”
$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca



CBA In Action

After everything is set up is time to test iOS device with certicate based authentication to Exchange Online. As pre-requirement iOS device has been enrolled to corporate Intune to achieve MDM. When enrolment has been successful Intune certificate profiles are deployed to mobile device with correct certificates



Mail Profile – installed by the EAS profile outlook.office365.comios-profile-2

And that’s about it. Benefit configuring Azure AD CBA for Android and iOS devices is that you can have passwordless authentication against Azure AD and Exchange Online. Digital certificate is much more secure  authentication mechanism and quite easy to deploy and use from end user point of view.