Use Certificate-Based Authentication in Entra with Cloud PKI

Certificate-based authentication (CBA) in Microsoft Entra lets users authenticate to Microsoft Entra ID with X.509 certificates when signing in to applications or in the browser. Certificate-based authentication is considered a high-security, phishing-resistant form of authentication, and it can be used as either a primary (single-factor) or a secondary (MFA) method.

The great part about CBA is that it is free: you don’t need any special license to use it, nor do you need to deploy any additional complex infrastructure to support it. (The CBA feature in Entra carries no extra cost; Intune Cloud PKI, which this post uses to issue the certificates, is a separately licensed Intune add-on.)

In this post, I will show you how to configure certificate-based authentication in Microsoft Entra ID with your Intune Cloud PKI to issue trusted certificates to end-user devices for authentication.

Single or multi-factor certificate-based authentication?

Certificate-based authentication in Microsoft Entra ID can be configured to satisfy either the single-factor (primary) authentication method or the MFA (secondary) method. How it is configured depends on the scenario. In most cases, if the end device is used by a person for day-to-day tasks, it makes sense to require some form of biometric authentication on top of the issued certificate, but that may not always offer the best experience.

Let’s break this down. For example, if the certificate is being issued to a mobile device, the mobile device likely already has a form of built-in biometric authentication that can be enforced using Microsoft Intune. In this case, it would be good to consider that the issued certificate should satisfy MFA for the best user experience (i.e. the user won’t have to perform biometric authentication more than once). 

On the other hand, if certificate-based authentication is being used to access a highly sensitive application, you may want to ensure additional biometric authentication is enforced when said application loads the interactive browser (or WAM) login experience. This way, the certificate satisfies the primary authentication method and your additional password-less sign-in method (such as the Microsoft Authenticator app) will satisfy MFA.

Use cases for certificate-based authentication

Certificate-based authentication in Microsoft Entra, being a strong, phishing-resistant method of authentication, offers a wide range of use cases where it can be beneficial and provide additional protection. Use cases include:

  • Providing single-factor authentication to replace passwords.
  • Satisfying multi-factor authentication for accessing specific, sensitive resources.
  • For front-line workers, who work in fast-paced or demanding roles that need simplified access to resources. 
  • Kiosks or payment terminals for accessing specific resources.
  • For mobile devices that utilise built-in biometric authentication. 

Setting up Cloud PKI

Thankfully, setting up your Cloud PKI instance can be done in just a few clicks. I have documented the process in my post How to Setup Cloud PKI in Microsoft Intune Step by Step.

Ensure that when configuring your Cloud PKI Root and Issuing CA, you include the Client Authentication Extended Key Usage (EKU). The SCEP profile later in this post requests this EKU for the user certificates, and the Issuing CA can only issue what its own EKU constraints allow.

Certificate-based auth EKU

Configure certificate-based authentication in Microsoft Entra with Cloud PKI

To configure CBA for Microsoft Entra with Cloud PKI, you need to configure your Cloud PKI, configure CBA in Microsoft Entra, and deploy your certificates. In the steps below, I will take you through the final two stages of the process.

Download Root and Issuing CA Certificates and CRLs

The first step is to download and copy all the information we need to re-upload into Microsoft Entra. Follow the below steps to download your CA certificates and copy the CRL URL.

  1. Log in to intune.microsoft.com.
  2. Select Tenant administration > Cloud PKI.
  3. Select your Root CA.
  4. Click Download next to ‘Download certificate’.
  5. Copy the URL next to CRL distribution point.
  6. Now do the same for your Issuing CA.

Upload Cloud PKI certificates to Microsoft Entra

Now you have gathered the necessary information, you need to upload the information to Microsoft Entra. Follow the below steps to upload your Cloud PKI certificates to Microsoft Entra:

  1. Log in to entra.microsoft.com.
  2. Expand Protection and select Security Center.
  3. Under Manage, select Certificate authorities.
  4. Click Upload.
  5. Upload the Root CA file and select Yes next to Is root CA certificate.
  6. Copy and paste the Certificate Revocation List URL you copied from the Cloud PKI portal. Entra downloads the CRL from this URL during every certificate sign-in, so it must be reachable anonymously from the internet.
  7. Click Add.
  8. Do the same for the issuing CA, but this time, select No under Is root CA certificate.

You should now see both certificates listed on the page.
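As an added example that is not part of the original post, the following PowerShell automates the two sections above: it parses the Root and Issuing CA files exported from Cloud PKI, confirms that the Issuing CA really chains to the Root and that any EKU constraint on the CAs includes Client Authentication, downloads each CRL to prove Entra will be able to fetch it, and then uploads the pair through Microsoft Graph instead of the portal. The file paths and CRL URLs are placeholders, and the Graph cmdlets and body shape follow the v1.0 certificateBasedAuthConfiguration resource as I understand it; verify them against the current Graph documentation before running this against a production tenant.

```powershell
# Added example (not from the original post): pre-flight checks for the Cloud PKI
# CA files and CRLs, then upload of the trusted CA list to Entra via Microsoft Graph.
# Requires the Microsoft.Graph.Identity.SignIns module and Organization.ReadWrite.All.
# Paths and URLs are placeholders (assumptions): replace with the values you
# downloaded and copied from Tenant administration > Cloud PKI.
$RootCerPath    = 'C:\CloudPKI\RootCA.cer'
$IssuingCerPath = 'C:\CloudPKI\IssuingCA.cer'
$RootCrlUrl     = 'http://crl.example.com/root.crl'      # from the Root CA blade
$IssuingCrlUrl  = 'http://crl.example.com/issuing.crl'   # from the Issuing CA blade
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'

function Read-CaCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$Path is not a CA certificate (BasicConstraints CA flag missing)"
    }
    # If the CA carries an EKU extension it must include Client Authentication,
    # otherwise the user certificates it issues cannot carry that EKU either.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })) {
        throw "$Path has an EKU extension that does not include Client Authentication"
    }
    return $cert
}

function Test-CrlDownload {
    param([string]$Url)
    # Entra fetches the CRL anonymously over the internet. If this fails from an
    # unauthenticated client, sign-ins with certificates from this CA will fail too.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
        $bytes = [System.IO.File]::ReadAllBytes($tmp)
        if ($bytes.Length -lt 2) { throw "Empty response from $Url" }
        if ($bytes[0] -ne 0x30) {
            throw ("Response from $Url is not a DER-encoded CRL (first byte 0x{0:X2})" -f $bytes[0])
        }
        # certutil prints the issuer and the This/Next Update times; Entra reuses a
        # cached CRL until Next Update has passed.
        certutil.exe -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate|This Update|Next Update'
    }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

$root    = Read-CaCertificate $RootCerPath
$issuing = Read-CaCertificate $IssuingCerPath

# Prove the Issuing CA was signed by this Root before trusting the pair in Entra.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
if (-not $chain.Build($issuing)) { throw 'Issuing CA does not chain to the supplied Root CA file' }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw "Issuing CA chains to '$($top.Subject)', not the supplied Root" }

Test-CrlDownload $RootCrlUrl
Test-CrlDownload $IssuingCrlUrl

Connect-MgGraph -Scopes 'Organization.ReadWrite.All'
$orgId = (Get-MgOrganization).Id

# Assumption from the Graph docs: a tenant holds one certificateBasedAuthConfiguration;
# to add a CA later you delete it and recreate it with the complete list.
if (Get-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $orgId) {
    throw 'A CBA configuration already exists; remove it and recreate it with every CA included'
}

$body = @{
    certificateAuthorities = @(
        @{ isRootAuthority = $true;  certificate = $root.RawData;    certificateRevocationListUrl = $RootCrlUrl },
        @{ isRootAuthority = $false; certificate = $issuing.RawData; certificateRevocationListUrl = $IssuingCrlUrl }
    )
}
New-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $orgId -BodyParameter $body

# Confirm both CAs are listed, as they should now be in the portal.
(Get-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $orgId).CertificateAuthorities |
    Select-Object IsRootAuthority, Issuer, IssuerSki, CertificateRevocationListUrl
```

The CRL download check is the one most worth keeping even if you prefer the portal for the upload: a CRL URL that Entra cannot reach does not disable revocation checking, it breaks sign-in for every certificate issued by that CA.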

Security Center Certificate Authorities

Enable certificate-based authentication

Certificate-based authentication must be enabled as an authentication method in your environment and it must be assigned to your target users. Follow the steps below to enable the CBA authentication method in Microsoft Entra.

1. Log in to entra.microsoft.com.

2. Expand Protection and select Authentication methods.

3. On the Policies page, select Certificate-based authentication.

4. Under the Authentication binding heading, select Single-factor authentication and Low affinity binding. These are the tenant-wide defaults; they can be overridden for a specific issuer in the next step when rules are added.

Default Entra CBA settings

5. Click Add Rule.

6. Check the box next to Certificate issuer and select your issuing CA. Then set the Authentication strength to Multi-factor authentication (or Single-factor authentication if you need it) and the Affinity binding to Low, then click Add. Be deliberate about the Multi-factor choice: it means that possession of any certificate issued by this CA satisfies MFA on its own, so the private key should be protected by the device TPM (the Key storage provider setting in the SCEP profile later in this post) rather than left exportable in software.

CBA Entra Rule

7. Under Username binding, delete each row except PrincipalName. This binding matches the Principal Name in the certificate’s subject alternative name against the user’s userPrincipalName in Entra, which is why the SCEP profile later in this post places {{UserPrincipalName}} in the SAN.

Entra CBA username binding

8. Switch to the Enable and target tab, ensure the Enable slider is set to On, and target either a specific group of users or All users. A pilot group is the safer starting point until you have verified the sign-in experience.

CBA Settings Enable and target

9. Finally, click Save at the bottom of the Certificate-based authentication settings page.

Issue client certificates using Intune

To issue certificates to your end-user devices you will need to create a SCEP device configuration profile. Follow the below steps to configure a profile to deploy certificates to your end-user devices.

1. From the Intune admin portal, select Devices > Configuration > Create > New policy.

2. Select:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: SCEP certificate

3. Define a meaningful name for your policy and click Next.

4. Leave the Certificate type (User) and Subject name format (CN={{UserName}},E={{EmailAddress}}) as the default settings.

5. In the Subject alternative name field, select User principal name (UPN) for the Attribute, then type {{UserPrincipalName}} for the Value.

Certificate type settings

6. Configure the following certificate settings:

  • Certificate validity period: 6 months
  • Key storage provider (KSP): Enroll to Trusted Platform Module (TPM) if present, otherwise Software KSP
  • Key usage: Select all
  • Key size (bits): 2048
  • Hash algorithm: SHA-2
  • Root certificate: Select the profile which deploys your Root CA (not the intermediate/Issuing CA).

If you configured the CBA rule to satisfy MFA, consider the stricter KSP option that enrolls to the TPM or fails, so that a device without a usable TPM does not end up holding an MFA-grade credential in a software key.

SCEP settings

7. Under Extended key usage, select Client Authentication (1.3.6.1.5.5.7.3.2), under the Predefined values drop-down box.

8. Leave the Renewal threshold at 20%, then copy and paste the SCEP Server URL into the text box. (This can be found at: Tenant administration > Cloud PKI > Your Issuing CA > SCEP Server URL.)

9. Click Next and assign the policy to your target users.

10. Click Create to finish creating the policy.

Testing certificate-based authentication

Once your certificate is deployed, you should see it listed in the User certificate store on your Windows device. To check this, search for Run in your Windows search bar and type: certmgr.msc. You should see your certificate listed under Personal > Certificates.
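Beyond eyeballing certmgr.msc, the following PowerShell (an added example, not from the original post) inspects each certificate in the user store that was issued by your Cloud PKI Issuing CA and reports the properties Entra CBA actually depends on: the Client Authentication EKU, the Principal Name in the SAN and whether it equals the signed-in user’s UPN (the PrincipalName binding configured above), the key size, whether the private key landed in the TPM or fell back to the software KSP, and whether the device can build the chain to the Root and reach the CRL, which is the same check Entra performs server-side. The Issuing CA name is an assumption; set it to the name you gave your Issuing CA.

```powershell
# Added example (not from the original post): verify an Intune SCEP-enrolled
# certificate has the properties Entra CBA relies on. Run as the signed-in user.
# $IssuingCaName is an assumption: set it to your Cloud PKI Issuing CA name.
$IssuingCaName = 'Contoso Issuing CA'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
$SimpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Get-SanPrincipalName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is Subject Alternative Name. Format() renders it as text such as
    # "Other Name:Principal Name=alice@contoso.com, RFC822 Name=alice@contoso.com"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-CbaCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedUpn
    )
    $r = [ordered]@{
        Subject          = $Cert.Subject
        Issuer           = $Cert.GetNameInfo($SimpleName, $true)
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        KeySize          = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert).KeySize
        HasClientAuthEku = [bool]($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        SanUpn           = Get-SanPrincipalName $Cert
        UpnMatchesUser   = $false
        KeyProvider      = $null
        TpmBacked        = $false
        ChainValid       = $false
        ChainStatus      = @()
    }
    # PrincipalName username binding: the SAN UPN must equal the user's Entra UPN.
    $r.UpnMatchesUser = [bool]($r.SanUpn -and $ExpectedUpn -and ($r.SanUpn -ieq $ExpectedUpn))

    if ($Cert.HasPrivateKey) {
        # "Microsoft Platform Crypto Provider" means the key is in the TPM and not exportable;
        # "Microsoft Software Key Storage Provider" means the profile fell back to a software key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $r.KeyProvider = $rsa.Key.Provider.Provider
            $r.TpmBacked   = ($r.KeyProvider -eq 'Microsoft Platform Crypto Provider')
        }
    }

    # Mirror Entra's server-side validation: chain to the trusted Root, consult the CRL
    # online for the whole chain, and require the Client Authentication application policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($ClientAuthEku)) | Out-Null
    $r.ChainValid  = $chain.Build($Cert)
    $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    return [pscustomobject]$r
}

$myUpn = (whoami.exe /upn 2>$null)
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo($SimpleName, $true) -eq $IssuingCaName }

if (-not $certs) {
    Write-Warning "No certificates issued by '$IssuingCaName' in the user store yet; check the SCEP profile assignment and sync the device."
}
$certs | ForEach-Object { Test-CbaCertificate -Cert $_ -ExpectedUpn $myUpn } | Format-List
```

A result with ChainValid set to false and a revocation-related ChainStatus usually means the Root CA profile has not landed on the device or the CRL URL is not reachable from it; TpmBacked set to false on a device that has a TPM is worth investigating before you rate certificates from this CA as multi-factor.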

If you can see the certificate, head to office.com and enter your email address. You should be redirected to your company sign-in page where you can select Use a certificate or smart card.

Use a certificate for log in

When you click this option, your browser will present a popup listing all eligible certificates on your system. Select the new certificate and click OK.

Select the new certificate

If you set the authentication strength to Multi-factor in the rule earlier in this post, you will be signed straight in. If you chose Single-factor, you will be prompted for a second factor using an MFA method already registered on your account.

The certificate validation process

When a user attempts to sign in to an app or browser using a certificate for authentication, the following steps occur to validate the certificate and grant the user access to Microsoft Entra.

  1. The user attempts to sign in to an application and is redirected to Microsoft Entra ID for sign-in.
  2. The user enters their username.
  3. Microsoft Entra ID checks whether certificate-based authentication is enabled in the tenant and targeted at that user.
  4. The user selects ‘Use a certificate or smart card’.
  5. Microsoft Entra ID requests the client certificate.
  6. The user is prompted to select from the available (supported) certificates on their device.
  7. Microsoft Entra ID validates the certificate against the uploaded CA chain and checks revocation using the CRL distribution point configured for the issuing CA.
  8. A cached CRL is reused until its Next Update time has passed, after which Microsoft Entra ID downloads a fresh copy. If the CRL cannot be downloaded, the sign-in fails rather than skipping the revocation check.
  9. If the certificate chains to a trusted CA, is within its validity period, is not revoked, and its PrincipalName binds to an Entra user, the certificate is accepted as the primary (single-factor) authentication.
  10. If the matching authentication binding rule rates the certificate as multi-factor, MFA is satisfied and the user is signed in.
  11. If the certificate is rated single-factor only, the user is prompted for a second factor using an MFA method already registered on the account.
  12. The user is then successfully signed in.

Certificate-based authentication and Conditional Access

Certificate-based authentication alone is not enough. To make it most effective, it should be combined with Conditional Access policies to ensure it is enforced during login and in the correct scenarios, such as the ones I highlighted at the top of this article. 

You should consider using Authentication strengths in Microsoft Entra to enforce this stronger level of authentication using Conditional Access. For more info, check out my post: How to setup Require Authentication Strength in Conditional Access.
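As an added example that is not part of the original post, here is a Conditional Access policy created with Microsoft Graph PowerShell that requires the built-in Phishing-resistant MFA authentication strength for a pilot group. That strength accepts certificate-based authentication only when the CBA rule rates the certificate as multi-factor, which ties the Conditional Access layer back to the Authentication strength choice made in the rule above. The policy is created in report-only mode so you can review the sign-in logs before enforcing it. The pilot group name and the choice to scope the policy to all cloud apps are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): report-only Conditional Access policy
# requiring the built-in "Phishing-resistant MFA" authentication strength for a pilot
# group. Requires Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups.
# The group name and the "All" application scope are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$pilotGroup = Get-MgGroup -Filter "displayName eq 'CBA Pilot Users'" | Select-Object -First 1
if (-not $pilotGroup) { throw "Pilot group not found; create it and add your CBA test users first" }

# Resolve the built-in strength by name rather than hard-coding its identifier.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' } | Select-Object -First 1
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found" }

# Show the accepted combinations: x509CertificateMultiFactor is the one a
# certificate rated Multi-factor by the CBA rule will match.
$strength.AllowedCombinations

$policy = @{
    displayName = 'CBA pilot - require phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs before switching to 'enabled'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

While the policy is in report-only mode, the Conditional Access tab of each sign-in log entry shows whether a user’s certificate sign-in would have satisfied the strength; a certificate from an issuer whose rule only grants Single-factor will show as not satisfying it, even though the sign-in itself succeeded with a second factor.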

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
