#AzureAD Certificate Based Authentication is Generally Available

December 15, 2016 Chris Spanougakis

How can you make your authentication mechanism more secure? Try certificates and certificate-based authentication. What can you actually use today, especially if you want to use your mobile device?

Take a look at these two articles that focus on certificate-based authentication for Android and iOS: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-android and https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-ios#getting-started

This feature was previously in preview and is now generally available (GA). Today’s announcement focuses on two specific scenarios:

1. Federated Azure AD customers can sign in using certificate-based authentication (performed against the federation server) with Office applications on iOS and Android. The chart below outlines the support for certificate-based authentication across Office applications:

[Chart: support for certificate-based authentication across Office applications on iOS and Android]

2. Azure AD customers can sign in using certificate-based authentication with Exchange ActiveSync mobile apps in iOS and Android when signing in to Exchange Online.


Requirements for iOS

The device OS version must be iOS 9 and above.

A federation server must be configured.

Microsoft Authenticator is required for Office applications on iOS.

For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
    (The serial number of the client certificate)
  • http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
    (The string for the issuer of the client certificate)

Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.

As a best practice, you should update the ADFS error pages with the following:

  • The requirement for installing the Microsoft Authenticator on iOS
  • Instructions on how to get a user certificate.


Requirements for Android

The device OS version must be Android 5.0 (Lollipop) and above.

A federation server must be configured.

For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
    (The serial number of the client certificate)
  • http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
    (The string for the issuer of the client certificate)

Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.

As a best practice, you should update the ADFS error pages with instructions on how to get a user certificate.
For more details, see Customizing the AD FS Sign-in Pages.

Some Office apps (with modern authentication enabled) send ‘prompt=login’ to Azure AD in their request. By default, Azure AD translates this in the request to ADFS into ‘wauth=usernamepassworduri’ (asks ADFS to do username/password authentication) and ‘wfresh=0’ (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to change this default Azure AD behavior: set ‘PromptLoginBehavior’ in your federated domain settings to ‘Disabled’. You can use the Set-MSOLDomainFederationSettings cmdlet to perform this task:

Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
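The following script is an added example (not from the original post or from Microsoft) that audits PromptLoginBehavior on every federated domain in the tenant before changing it, so you can see which domains still translate prompt=login into a forced password prompt at ADFS. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the -Apply switch and the report text are this example's own conventions.

```powershell
# Added example: audit, then optionally set, PromptLoginBehavior = Disabled
# on all federated domains. Assumes MSOnline is installed and you are
# already connected with Connect-MsolService.

param(
    [switch]$Apply   # without -Apply the script only reports; nothing is changed
)

Import-Module MSOnline -ErrorAction Stop

# Only federated domains carry federation settings; managed domains are skipped.
$federatedDomains = Get-MsolDomain -Authentication Federated

foreach ($domain in $federatedDomains) {
    $settings = Get-MsolDomainFederationSettings -DomainName $domain.Name
    $current  = $settings.PromptLoginBehavior
    if (-not $current) { $current = '(default)' }

    if ($current -eq 'Disabled') {
        Write-Output "$($domain.Name): PromptLoginBehavior already Disabled (CBA-compatible)"
        continue
    }

    # Any other value means Azure AD still turns prompt=login into
    # wauth=usernamepassworduri + wfresh=0, which forces username/password
    # authentication at ADFS and bypasses certificate-based authentication.
    Write-Output "$($domain.Name): PromptLoginBehavior is $current (prompt=login forces U/P auth at ADFS)"

    if ($Apply) {
        Set-MsolDomainFederationSettings -DomainName $domain.Name -PromptLoginBehavior Disabled
        Write-Output "$($domain.Name): PromptLoginBehavior set to Disabled"
    }
}
```

Run it once without -Apply to review the report, then with -Apply to change only the domains that are not yet set to Disabled.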


Thanks for reading!
