News

Microsoft Commercially Releases Azure Active Directory Certificate-Based Authentication for Mobile Devices

• By Kurt Mackie
• 05/05/2023

Microsoft this week announced that its Azure Active Directory Certificate-Based Authentication (CBA) scheme for "phishing-resistant" authentications is now commercially released and ready for use with mobile devices.

Azure AD CBA is a replacement for federation-based authentications, such as Microsoft's own Active Directory Federation Service (ADFS). ADFS is a Windows Server role that authenticates using a customer's Active Directory infrastructure but connects with the Azure AD identity service. Microsoft previewed Azure AD CBA more than a year ago, and it reached the "general availability" commercial release status during the Microsoft Ignite event that took place back in Oct. 2022.

Now, Azure AD CBA has reached the general availability status for use with mobile devices, such as devices running the Android or iOS operating systems. Azure AD CBA for mobile devices ties a personal identification number (PIN) to hardware, which makes phishing attacks to gain access to passwords less effective since attackers don't know the PIN.

Mobile device users can use on-device certificates or external hardware keys (principally Yubico YubiKeys) to enable the Azure AD CBA scheme, according to Alex Simons, corporate vice president of product management for Microsoft Identity, in the announcement:

We support both on-device certificates and external hardware security keys, like YubiKeys over USB or NFC on iOS and Android devices. With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant multi-factor authentication (MFA) on mobile without having to provision certificates on the user's mobile device.

The Azure AD CBA service is being offered for free by Microsoft to all Azure AD subscribers, including users of the free Azure AD subscription. The service allows users to authenticate using X.509 certificates directly with Azure AD, which simplifies the infrastructure that's used and apparently offers greater security over the federated approach with ADFS. The overall Azure AD CBA approach is described in this Microsoft document.

The use of Azure AD CBA with devices comes with lots of nuances. For instance, "on macOS, Azure AD CBA is supported on all browsers and on Microsoft first-party applications," per this Microsoft document on iOS and macOS support. However, there no support at present for "device-based sign-in to macOS machines," so a certificate from a browser or desktop application needs to be used instead.

In contrast, for iOS devices, "Azure AD CBA is supported for certificates on-device on native browsers and on Microsoft first-party applications on iOS devices," per the document. By "native browsers," Microsoft means that only Apple's Safari browser is supported.

Support for Android devices using Azure AD CBA appears to be similar to iOS support in that "Azure AD CBA is supported for certificates on-device on native browsers, and on Microsoft first-party applications on Android devices," according to this document on Android support. Azure AD CBA is currently supported only via the Google Chrome browser, per that document.

Microsoft generally stated that "applications using latest MSAL libraries or Microsoft Authenticator can do CBA." Microsoft began a switch over to MSAL (Microsoft Authentication Library) and the Microsoft Graph a few years ago for applications using its identity service. It replaced an older approach that used the Azure Active Directory Authentication Library (ADAL) and the Azure Active Directory Graph API.