Microsoft Eliminates Need for ADFS with Azure Active Directory Certificate-Based Authentication Preview
Microsoft on Monday announced the availability of Azure Active Directory certificate-based authentication (CBA) at the public preview stage.
CBA lets organizations authenticate with Azure AD using X.509 certificates without having to use a federation service, such as the Active Directory Federation Service (ADFS), which is a Windows Server role. In effect, with CBA, organizations can stop using Microsoft's ADFS.
"Azure AD CBA eliminates the need for federated AD FS, which helps simplify customer environments and reduce costs," Microsoft stated in an "Overview" document.
'Phishing-Resistant' Compliance
The use of Azure AD with CBA enables "phishing-resistant" authentication, allowing organizations to comply with the Biden administration's recent Executive Order 14028, Microsoft argued.
Azure AD and CBA also reduce infrastructure costs and simplify management for organizations. Organizations get the following benefits using CBA and Azure AD, per Microsoft's document:
- No need for complex on-premises deployments or network configuration.
- Directly authenticate against Azure AD.
- No management overhead or cost.
Additionally, CBA will be free with all Azure AD subscriptions. It's even free with the free Azure AD accounts.
The CBA preview is available to both public users and government users. It'll work with the privileged identity verification (PIV) and common access card (CAC) "smart cards" that typically are used by government organizations for identity and access management.
End users encountering the Azure AD plus CBA combination get prompted to sign in with a certificate, rather than a password. If an end user isn't "in scope for CBA," then the authentication will fail.
ADFS Had Issues or Was Too Complex?
The use of a federated identity provider, like ADFS, used to be a requirement for Azure AD authentications with X.509 certificates, Microsoft explained. The CBA preview is eliminating the ADFS requirement altogether.
Possibly, ADFS was too complex. It was notably abused in espionage attacks last year, which perhaps prompted Microsoft to go the CBA route.
Microsoft may have developed CBA because of last year's widespread espionage attacks by the Nobelium (also called "Solorigate") group associated with Russia, which compromised government and industry organizations. One of the avenues of those attacks was ADFS, which was abused to generate Security Assertion Markup Language (SAML) tokens and access Exchange Online e-mail traffic. This "golden SAML" approach allowed the attackers to bypass multifactor authentication and access any federated application, according to forensic analysis by security solutions company FireEye.
Shortly after the Nobelium attacks, Microsoft had suggested that organizations had just misconfigured ADFS, leading to the exploits. However, onlookers, such as security solutions firm CrowdStrike, had bluntly described ADFS as having "architectural limitations."
When I asked Alex Weinert, director of identity security at Microsoft, whether ADFS was insecure to use, he replied in a July 14 Twitter post that cloud authentication was a better security approach. If organizations were to use ADFS, though, they should also use a hardware security module (HSM) with it, as described in this Microsoft document, Weinert had indicated back then.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.