Certificate-based Authentication for Entra ID
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
Certificate-based authentication offers a strong security alternative for accessing Entra ID resources. This article provides a walkthrough of how to configure this method, utilizing SCEPman as the Certificate Authority to streamline certificate management.
Entra ID will require a CRL to validate the certificates. Make sure to set the following environment variables in your app service for the CRL to be available:
Set this to a custom string that will be used in the URL to allow the CRL to be downloaded.
This is the source that SCEPman builds the CRL from. Make sure that this is set to Storage
In Entra ID, navigate to Protection > Security Center > Public Key Infrastructure, click on Create PKI and select a matching display name.
Navigate to the newly created PKI and click on Add certificate authority to upload the CA certificate of your SCEPman instance. This certificate can be obtained from its homepage in the menu on the right side (Get CA Certificate).
For the Certificate revocation list URL you can enter the URL in the following format:
https://scepman.contoso.com/crl/pem/{YourCrlRequestToken}Make sure to include the /pem/ path in your URL as Entra might have compatibility issues when using the default DER format.
This should now leave you with a certificate authority similar to the following:
With the CA in place, we can go on and enable certificate based authentication in Protection > Authentication methods > Policies
Go to the Certificate-based authentication policy, enable it and allow either all users or specific groups to use this method:
Switch to the Configure tab and go through the options:
Require CRL validation: ✅
This is an essential part of the security this method provides as the CRL will tell Entra ID which certificates have been revoked and shall therefore not be allowed for authentication.
Issuer Hints : ✅
Enabling the issuer hints will only show certificates during authentication, that are issued by the configured CA.
Leave the default settings for authentication binding and go on to create a rule to allow the earlier created certificate authority:
Authentication strength:
This defines the weight of the authentication using this CA. If you select Single-factor authentication, another authentication method can be necessary depending on the application to be accessed.
Affinity binding:
The affinity binding defines the required details in the certificate, that needs to match correlating data in the user object, for the authentication to be allowed. As SCEPman can currently not add any certificate information in user object we recommend to set this to Low unless you configure the required information manually.
The authentication strength and affinity binding settings highly depend on the specific use case and the kind of accounts you want to protect with this authentication method. In case you want to secure highly privileged users you should think of manually adding the certificate information in their user accounts for a high affinity.
With the configuration being in place, a user can select Use a certificate or smart card:
Which will in turn ask for the certificate to be used for authentication.
In case you want to enable CBA only using high affinity binding you can manually enter the certificates details in the authorized information of the user.
Navigate to the users properties in Entra ID, edit them and now edit the Certificate user IDs:
The required format of these IDs depends on the fields that have been configured in the authentication methods user binding. A list of formats can be found in the corresponding Microsoft documentation.
Example for the SHA1PublicKey binding:
X509:<SHA1-PUKEY>9600e49d740011187e5c734bab4a3d5d18d2a87aThis is using the certificates thumbprint to strongly map the identity of the user.