Certificate-based Authentication for Entra ID

Certificate-based authentication offers a strong security alternative for accessing Entra ID resources. This article provides a walkthrough of how to configure this method, utilizing SCEPman as the Certificate Authority to streamline certificate management.

Enable SCEPman CRL

Entra ID requires a CRL to validate the certificates. Make sure the following environment variables are set in your App Service so that the CRL is available:

AppConfig:CRL:RequestToken

Set this to a custom string; it becomes part of the URL from which the CRL can be downloaded.

AppConfig:CRL:Source

This is the source SCEPman builds the CRL from. Make sure this is set to Storage.

Setup Entra ID

1. Create PKI in Entra Security Center

In Entra ID, navigate to Protection > Security Center > Public Key Infrastructure, click on Create PKI and choose a suitable display name.

2. Add Certificate Authority

Navigate to the newly created PKI and click on Add certificate authority to upload the CA certificate of your SCEPman instance. This certificate can be downloaded from the SCEPman homepage via Get CA Certificate in the menu on the right side.

For the Certificate revocation list URL, enter the URL in the following format:

https://scepman.contoso.com/crl/pem/{YourCrlRequestToken}

This should now leave you with a certificate authority similar to the following:

3. Enable CBA in Authentication Methods

With the CA in place, we can go on and enable certificate-based authentication under Protection > Authentication methods > Policies.

Open the Certificate-based authentication policy, enable it, and allow either all users or specific groups to use this method:

4. Configure Certificate-based Authentication

Switch to the Configure tab and go through the options:

Require CRL validation: ✅

This is an essential part of the security this method provides, as the CRL tells Entra ID which certificates have been revoked and therefore must not be accepted for authentication.

Issuer Hints: ✅

With issuer hints enabled, only certificates issued by the configured CA are offered for selection during authentication.

Leave the default settings for authentication binding and go on to create a rule for the certificate authority created earlier:

Authentication strength:

This defines the weight of an authentication performed with a certificate from this CA. If you select Single-factor authentication, another authentication method may be required, depending on the application being accessed.

Affinity binding:

The affinity binding defines which details in the certificate must match the corresponding data in the user object for the authentication to be allowed. As SCEPman currently cannot add certificate information to the user object, we recommend setting this to Low unless you configure the required information manually.

Usage

With the configuration in place, a user can select Use a certificate or smart card, which in turn prompts for the certificate to be used for authentication.

Manually adding certificate mapping for high affinity binding

If you want to enable CBA with high affinity binding only, you can manually enter the certificate's details in the user's authorization information.

Navigate to the user's properties in Entra ID, edit them, and then edit the Certificate user IDs:

The required format of these IDs depends on the fields configured in the authentication methods user binding. A list of formats can be found in the corresponding Microsoft documentation.

Example for the SHA1PublicKey binding:

X509:<SHA1-PUKEY>9600e49d740011187e5c734bab4a3d5d18d2a87a

This uses the certificate's thumbprint to strongly map the identity of the user.
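As an added example that is not part of this page or of SCEPman's own tooling, the following Python script builds the SHA1PublicKey certificate user ID from a PEM certificate, checks that stored values are well formed, and mirrors the match a high affinity binding performs against the user object. It assumes, as the text above states, that the 40 hex characters are the certificate's SHA-1 thumbprint (SHA-1 over the DER encoding), and the PEM input is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

# Prefix of the SHA1PublicKey binding format shown above.
SHA1_PUKEY_PREFIX = "X509:<SHA1-PUKEY>"
_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the first block."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def sha1_public_key_user_id(pem: str) -> str:
    """Build the certificate user ID value for the SHA1PublicKey binding.

    Assumption (taken from the text above): the hex part is the SHA-1
    thumbprint, i.e. SHA-1 over the certificate's DER encoding.
    """
    return SHA1_PUKEY_PREFIX + hashlib.sha1(pem_to_der(pem)).hexdigest()


def is_valid_sha1_public_key_id(value: str) -> bool:
    """Check that a stored certificate user ID is well formed for this binding."""
    if not value.startswith(SHA1_PUKEY_PREFIX):
        return False
    return _HEX40.match(value[len(SHA1_PUKEY_PREFIX):]) is not None


def certificate_matches_user(pem: str, certificate_user_ids: list[str]) -> bool:
    """Mirror of the high affinity check: the presented certificate must map to
    one of the IDs stored on the user object (hex compared case-insensitively)."""
    presented = sha1_public_key_user_id(pem).lower()
    return any(is_valid_sha1_public_key_id(v) and v.lower() == presented
               for v in certificate_user_ids)


# Constructed sample: arbitrary bytes wrapped in PEM armour, NOT a real
# certificate. A real SCEPman-issued user certificate would be used instead.
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    uid = sha1_public_key_user_id(SAMPLE_PEM)
    print("Certificate user ID:", uid)
    print("matches user object:", certificate_matches_user(SAMPLE_PEM, [uid]))
```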
