Microsoft Adds Improvements to Certificate-Based Authentication Preview

Microsoft on Wednesday announced improvements to its Azure Active Directory Certificate-Based Authentication (CBA) preview, which promises to provide an alternative to federated-based authentication methods.

Azure AD CBA will allow organizations to stop using Microsoft's Active Directory Federation Services (ADFS) on premises. ADFS is a Windows Server role that handles authentication on an organization's own infrastructure in conjunction with the Azure Active Directory identity and access management service operated by Microsoft.

In February, Microsoft announced the public preview of Azure AD CBA. This week, it described enhancements to that preview, some of which were prompted by customer feedback.

Microsoft has enhanced the preview to now let IT pros use the Azure Portal for certain Azure AD CBA tasks, instead of requiring the use of PowerShell. With the Azure Portal, IT pros can now:

  • Upload certificate authorities (root CA and all the intermediate CAs) to Azure AD
  • View all the trusted certificate authorities uploaded to Azure AD
  • Delete CAs that are no longer valid
  • Easily see the validity of a certificate based on its expiry date

The Azure AD CBA preview also now supports Windows 11 version 22H2 client authentications via X.509 certificates on smartcards. With this approach, joined or "hybrid"-joined devices get single sign-on access to "all applications integrated with Azure AD," the Wednesday announcement indicated.

Microsoft plans to add support for X.509 certificates on smartcards to the Windows 10 and Windows Server operating systems at some point, as well.

The Azure AD CBA preview also supports certificates provisioned on Android and iOS mobile devices. This approach currently works with "native browsers and a list of Microsoft applications." That list includes the mobile Office apps, the Microsoft Intune Company Portal and the Azure Information Protection app.

Microsoft also indicated that it is working to add "external smart cards support on mobile devices" to the Azure AD CBA service at some point.

Microsoft doesn't charge organizations to use its Azure AD CBA service, which is free across all Azure AD product tiers. The Azure AD CBA service promises to deliver "phishing-resistant" multifactor authentication for organizations. It also helps with compliance requirements, such as the stipulations of the Biden administration's Executive Order 14028, Microsoft contends.

In essence, Microsoft touts Azure AD CBA as simplifying network configurations for organizations. It eliminates the need to use ADFS, which is illustrated in this Microsoft "Overview" document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.