Microsoft Adds Improvements to Certificate-Based Authentication Preview -- Redmondmag.com

Microsoft Adds Improvements to Certificate-Based Authentication Preview

By Kurt Mackie
07/27/2022

Microsoft on Wednesday announced improvements to its Azure Active Directory Certificate-Based Authentication (CBA) preview, which promises to provide an alternative to federated-based authentication methods.

Azure AD CBA will allow organizations to stop using the Microsoft's Active Directory Federation Service (ADFS) on premises. ADFS is a Windows Server role that's used for authentications on an organization's infrastructure in conjunction with the Azure Active Directory identity and access management service operated by Microsoft.

In February, Microsoft announced the public preview of Azure AD CBA. This week, it described enhancements to that preview, some of which were prompted by customer feedback.

Microsoft has enhanced the preview to now let IT pros use the Azure Portal for certain Azure AD CBA tasks, instead of requiring the use of PowerShell. With the Azure Portal, IT pros can now:

Upload certificate authorities (root CA and all the intermediate CAs) to Azure AD 
View all the trusted certificate authorities uploaded to the Azure AD 
Delete the CAs if they're not valid 
Easily see the validity of the certificate based on the certificate expiry date.

The Azure AD CBA preview also now supports Windows 11 version 22H2 client authentications via X.509 certificates on smartcards. With this approach, joined or "hybrid"-joined devices get single sign-on access to "all applications integrated with Azure AD," the Wednesday announcement indicated.

Microsoft plans to add support for X.509 certificates on smartcards to the Windows 10 and Windows Server operating systems at some point, as well.

The Azure AD CBA preview also supports certificates that were provisioned on Android and iOS mobile devices. This approach currently works with "native browsers and a list of Microsoft applications." The list included mobile Office apps, the Microsoft Intune Company Portal and the Azure Information Protection app.

Microsoft also indicated that it is working to add "external smart cards support on mobile devices" to the Azure AD CBA service at some point.

Microsoft doesn't charge organizations to use its Azure AD CBA service, which is free across all Azure AD product tiers. The Azure AD CBA services promises to deliver "phishing-resistant" multifactor authentication for organizations. It also helps with compliance issues, such as stipulations by the Biden administration in Executive Order 14028, Microsoft contends.

In essence, Microsoft touts Azure AD CBA as simplifying network configurations for organizations. It eliminates the need to use ADFS, which is illustrated in this Microsoft "Overview" document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.