Azure certificate-based authentication is the best way to meet executive order 14028 and protect your organization by using passwordless, unphishable credentials. Azure certificate-based authentication not only improves your security but also improves user experience and productivity, with studies showing a 4x authentication speed improvement and a 20%-50% support ticket reduction when using passwordless authentication. In this blog we will walk you through how to set it up and start using it.
First we have to create a Certificate Authority that will issue smart card certificates for the domain users. If you already have a Windows ADCS Certificate Authority set up for issuing smart card certificates, we recommend using that CA and skipping to Step #2. For people who do not have a Windows ADCS CA, we recommend using EZCA, our cloud-based certificate authority, which enables you to create secure and compliant HSM-backed Certificate Authorities in Azure. Once you have created your Certificate Authorities, you have to upload their certificates to Azure.
Now that you have created your certificate authorities, follow these steps:
1) Go to the Azure portal as a Global Administrator.
2) Select Azure Active Directory, then in the left-hand panel select Security.
3) Select Certificate Authorities.
4) Upload the certificate for each CA in your infrastructure. Note: make sure to add a publicly accessible CRL URL so that Azure can validate that the certificates have not been revoked. This is the URL where that CA publishes its CRL, the same URL that appears in the CRL Distribution Points extension of the certificates it issues.
After setting up the Certificate Authorities that Azure should trust for user authentication, we need to configure Azure to accept certificate-based authentication as an authentication method. To do this:
1) Navigate to Authentication Methods inside the security section.
2) Select Policies on the left-hand side.
3) Click on Certificate-based authentication.
4) Click on the Configure tab.
5) Select the protection level. Azure defaults to single-factor because it does not know whether you will use a bare certificate or protect that certificate with a smart card; if you are going to use smart cards, change this to multi-factor authentication.
6) In the rules section, set the CAs that can issue user certificates. Note: you can also set a policy ID if you are using that CA for other certificate types, but PKI best practices recommend using a dedicated CA for smart card authentication.
7) Select the username binding order (this is how the user name is carried in the certificate). In this example we use PrincipalName mapped to the user principal name, which is what EZSmartCard defaults to.
8) Click Save.
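Before uploading a CA and saving the policy above, it is worth checking the two details that most often break the sign-in later: the CRL URL you enter in Step #1 must be downloadable anonymously from the internet, and the PrincipalName in the user's certificate must equal the user's Azure AD userPrincipalName, or the binding chosen in step 7 never matches. The script below is an added example written for this post, not code from the original article, EZCA or EZSmartCard. It uses only the .NET X.509 classes that ship with PowerShell; the file paths and the UPN are placeholders you replace with your own.

```powershell
# Added example (not from the original post): pre-flight checks for an Azure CBA rollout.
# Works in Windows PowerShell 5.1 and PowerShell 7. All paths and UPNs below are placeholders.

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it
    # as text ("URL=http://..."), and we pull every http(s) URL out of that text.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    return @([regex]::Matches($ext.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value })
}

function Test-CrlReachable {
    param([string]$Url)
    # Azure fetches the CRL anonymously over HTTP(S); a plain GET from a machine outside
    # your network is the closest approximation. CRL files are small, so GET is fine.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($resp.StatusCode -eq 200)
    } catch {
        return $false
    }
}

function Get-SanPrincipalName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name. Windows renders the UPN otherName
    # (OID 1.3.6.1.4.1.311.20.2.3) as "Principal Name=user@contoso.com".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return $null }
    $m = [regex]::Match($ext.Format($true), 'Principal Name=([^\s,]+)')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-AzureCbaPrereqs {
    param(
        [string]$CaCertPath,    # the CA certificate you are about to upload to Azure
        [string]$UserCertPath,  # a sample smart card certificate issued by that CA
        [string]$ExpectedUpn    # the user's Azure AD userPrincipalName
    )
    $ca   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
    $user = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($UserCertPath)

    # 1) The CRL URL Azure needs is the one the CA puts into the certificates it issues,
    #    so read it from the user certificate, not from the CA certificate.
    $crls = Get-CrlUrls -Cert $user
    $crlOk = ($crls.Count -gt 0) -and
             (@($crls | ForEach-Object { Test-CrlReachable -Url $_ }) -notcontains $false)

    # 2) The user certificate must chain to the CA you upload. Revocation is skipped here
    #    because CRL reachability was checked separately above.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($user)
    $chainThumbprints = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $chainsToCa = $built -and ($chainThumbprints -contains $ca.Thumbprint)

    # 3) Username binding: PrincipalName in the SAN must equal the userPrincipalName.
    $upn = Get-SanPrincipalName -Cert $user

    [pscustomobject]@{
        CrlUrls          = $crls
        CrlReachable     = $crlOk
        ChainsToCa       = $chainsToCa
        SanPrincipalName = $upn
        BindingMatches   = ($null -ne $upn) -and ($upn -eq $ExpectedUpn)
    }
}

# Usage (placeholder values):
# Test-AzureCbaPrereqs -CaCertPath 'C:\pki\issuing-ca.cer' -UserCertPath 'C:\pki\alice.cer' -ExpectedUpn 'alice@contoso.com'
```

Run it from a machine that is not on your corporate network so that `CrlReachable` reflects what Azure will see. If `BindingMatches` is false while `SanPrincipalName` is populated, the certificate template is writing a different name than the account's UPN, which is the usual cause of a "certificate not linked to a user" failure after everything else in the policy is correct.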
After these three steps Azure can accept certificates as an authentication method, but the smart cards and certificates themselves still have to be created and managed. For this we recommend a smart card management tool such as EZSmartCard, which can help you manage the smart card inventory as well as enable several self-service onboarding options for new users, such as Face ID and government ID matching, IT desk smart card assignment, or multi-factor authentication with an existing trusted identity.
Once EZSmartCard is set up and you have created your test smart card, you can test the authentication flow by:
1) Going to the Azure portal in an incognito tab.
2) Entering your username.
3) Selecting "Use a certificate or smart card".
4) Selecting your smart card certificate.
5) Entering your PIN.
6) You have now successfully logged in with your smart card.
Now that you have successfully set up smart card authentication with Azure Certificate-Based Authentication, you can start rolling it out to all your users. If you have any questions on how to set up Azure Certificate-Based Authentication, book a free identity assessment with our identity experts.