How To Enable Azure Certificate Based Authentication (Azure CBA)
Azure Certificate-Based Authentication (Azure CBA) is a new way to combat phishing that Microsoft is introducing. The underlying technology is not new: governments have used certificate-based authentication for many years, but it used to require a lot of complex infrastructure. With Azure, all you need is your smart card and Azure CBA.
This method of authentication is not only more secure but also much faster. Each user gets a smart card holding a certificate that carries their username. That certificate is then used to authenticate the user, removing the need to type a long password and enter a second-factor code.
Now to the question I get asked the most: “Why does Azure claim it is unphishable?” The term is used for authentication methods whose credential cannot easily be given away by the user and is almost impossible for an attacker to steal, because the certificate’s private key cannot leave the smart card. This video explains how a passwordless authentication method such as a FIDO2 key or smart card can stop a phishing attack.
How to Set up Azure CBA in Azure
To set up Azure Certificate-Based Authentication, sign in to Azure as a global administrator, go to Azure Active Directory -> Security -> Certificate authorities. There, upload the certificate authority (CA) you will use and provide the URL of its certificate revocation list (CRL). This is what lets Azure reject a certificate you have revoked, for example when a card is lost.
Then go back to Security -> Authentication methods and click Certificate-based authentication. Once you enable it, open the “Configure” tab, where you can set:
- Protection level: whether the method counts as single-factor or multi-factor. Single-factor is when a certificate is pushed to computers or phones using Intune, while multi-factor is when a physical smart card is used, which meets two of the three authentication factors: something you have (the smart card) and something you know (the smart card PIN).
- Rules: in Azure CBA, rules are where you register the CAs that may issue certificates and whether certificates from each CA count as single-factor or multi-factor. While in theory you could use the same CA for both, I recommend separate CAs if you issue different types of certificates.
- Username binding: since the certificate is not created by Azure, Azure needs a way to tie it back to the user it was issued for. To do this, the CMS (certificate management system) that issues the certificate must put the username in the Subject Alternative Name. In this section, you tell Azure which certificate fields to look in for the username and in which order.
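To make the three settings above concrete, here is a small model of what the Rules and Username binding configuration means when a certificate arrives. This is an added example written for this post, not Microsoft's implementation and not code from the original page: it issues certificates from a constructed test CA, checks the certificate against a list of trusted CA rules (each with its protection level), and then reads the username from the SAN fields in the configured order and matches it against a constructed user directory. The field names PrincipalName and RFC822Name, the attribute name userPrincipalName, the directory structure and the case-insensitive UPN match are assumptions made for the example. It needs the cryptography package (pip install cryptography).

```python
"""Toy model of Azure CBA 'Rules' and 'Username binding' (added example,
not Microsoft's code). All CAs, users and rules below are constructed."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# OID of the Microsoft User Principal Name otherName carried in the SAN.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _der_utf8(s: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C) as an otherName value."""
    b = s.encode("utf-8")
    assert len(b) < 128, "short-form length only"
    return b"\x0c" + bytes([len(b)]) + b


def _der_utf8_decode(der: bytes) -> str:
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("otherName is not a short UTF8String")
    return der[2:].decode("utf-8")


def _build(subject, issuer, pubkey, signer, ext):
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=1))
         .not_valid_after(now + timedelta(days=365)))
    for e, critical in ext:
        b = b.add_extension(e, critical)
    return b.sign(signer, hashes.SHA256())


def make_ca(name):
    """Self-signed issuing CA, standing in for the CA you upload to Azure."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = _build(subj, subj, key.public_key(), key,
                  [(x509.BasicConstraints(ca=True, path_length=None), True)])
    return key, cert


def issue_user_cert(ca_key, ca_cert, upn, email=None):
    """User certificate as a CMS would issue it: the UPN (and optionally an
    rfc822Name) goes into the Subject Alternative Name."""
    key = ec.generate_private_key(ec.SECP256R1())
    names = [x509.OtherName(UPN_OID, _der_utf8(upn))]
    if email:
        names.append(x509.RFC822Name(email))
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    return _build(subj, ca_cert.subject, key.public_key(), ca_key,
                  [(x509.SubjectAlternativeName(names), False)])


def san_field(cert, field):
    """Return the value of one SAN field type, or None if it is absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    if field == "PrincipalName":
        for on in san.get_values_for_type(x509.OtherName):
            if on.type_id == UPN_OID:
                return _der_utf8_decode(on.value)
    elif field == "RFC822Name":
        emails = san.get_values_for_type(x509.RFC822Name)
        return emails[0] if emails else None
    return None


def issued_by(cert, ca_cert):
    """Issuer name matches AND the CA's key verifies the signature; the name
    alone proves nothing, since anyone can mint a CA with the same name."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def authenticate(cert, rules, binding_order, directory):
    """Rules first (is the issuer trusted, at what protection level?), then
    username binding (which SAN field maps to which user attribute, tried in
    order). Returns a dict; 'user' is None when authentication fails."""
    rule = next((r for r in rules if issued_by(cert, r["ca"])), None)
    if rule is None:
        return {"user": None, "reason": "issuer not in trusted CA rules"}
    for cert_field, user_attr in binding_order:
        value = san_field(cert, cert_field)
        if value is None:
            continue  # field absent: fall through to the next binding
        hits = [u for u in directory if u.get(user_attr, "").lower() == value.lower()]
        if len(hits) == 1:  # exactly one user may match a binding
            return {"user": hits[0], "protection_level": rule["protection_level"],
                    "bound_by": cert_field}
    return {"user": None, "reason": "no SAN field matched a directory user"}


# Constructed tenant: one trusted smart-card CA, one user, a second CA that
# was never uploaded (same display name, different key).
SMARTCARD_KEY, SMARTCARD_CA = make_ca("Contoso Smart Card CA")
UNTRUSTED_KEY, UNTRUSTED_CA = make_ca("Contoso Smart Card CA")
RULES = [{"ca": SMARTCARD_CA, "protection_level": "multi-factor"}]
BINDING_ORDER = [("PrincipalName", "userPrincipalName"),
                 ("RFC822Name", "userPrincipalName")]
DIRECTORY = [{"userPrincipalName": "alice@contoso.example", "displayName": "Alice"}]


def demo():
    """Trusted-CA cert binds to Alice; the untrusted CA's cert is rejected
    even though it carries the same UPN and issuer name."""
    good = issue_user_cert(SMARTCARD_KEY, SMARTCARD_CA, "alice@contoso.example")
    bad = issue_user_cert(UNTRUSTED_KEY, UNTRUSTED_CA, "alice@contoso.example")
    return (authenticate(good, RULES, BINDING_ORDER, DIRECTORY),
            authenticate(bad, RULES, BINDING_ORDER, DIRECTORY))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the two checks is the point: the CA rule decides whether the certificate is trusted at all and what protection level it earns, and only then does the username binding decide who it belongs to. A certificate whose UPN matches a real user but whose issuer is not in the rules never reaches the binding step, which is why the CA you upload, not the SAN content, is the actual trust anchor.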
How to Onboard Users to Azure CBA
As the Azure setup shows, Azure takes care of the user authentication itself (removing the need for a full on-premises AD domain with ADFS), but you are still responsible for running your own CA and issuing the smart cards to your users. For a fully Azure-based experience I recommend EZSmartCard, an Azure-based passwordless onboarding tool (it can be fully cloud based, or it can connect to your existing ADCS CA) that enables self-service smart card certificates.
Video Version
If you prefer to hear my beautiful voice and watch a video on this very topic, here is the YouTube version of this post.