Entra CBA High Affinity is a validation mode in Microsoft Entra certificate-based authentication (CBA) that maps a certificate to a user account in Entra ID by a value derived from the certificate's public key (its Subject Key Identifier, or a SHA-1 hash of the public key) rather than by the names in the certificate. That key-derived value is stored on the user object in the Entra ID tenant, so only the certificate that carries that key can be used to authenticate as that user.
We have a full blog post explaining whether you need High Affinity, but in short: you need it if one certificate authority issues certificates for several purposes, for example Intune SCEP certificates and smart card certificates for Entra CBA. A name-based (low-affinity) binding such as the UPN or email address accepts any certificate from a trusted CA that carries the user's name, including one issued for a different purpose; High Affinity stops such a certificate from being used for authentication. (Note: if you are using EZCA cloud PKI, you do not need to worry about High Affinity, as EZCA segregates the certificates to ensure there is no impersonation.)
When setting up Entra CBA, you enable High Affinity in the authentication binding rules for the specific CA, where you choose how certificates from that CA are mapped to users. The video below walks through how to enable High Affinity in Entra CBA, and how EZCMS is the easiest way to automate the certificate registration process.
As mentioned above, with High Affinity Entra CBA depends on a key-derived certificate value (usually the Subject Key Identifier, SKI) that must be registered in the certificateUserIds attribute of the user's profile to signify that this specific certificate can be used for Entra CBA authentication for that user. In effect it hardcodes which certificate is acceptable: even if other certificates satisfy the remaining requirements for that user (same trusted issuer, same UPN or email address in the subject alternative name), they cannot be used.
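To make the difference between the two binding kinds concrete, here is an added example (written for this article, not Microsoft's code or EZCA's) that models how a user's certificateUserIds values are matched against a presented certificate. The binding-string formats (`X509:<SKI>`, `X509:<SHA1-PUKEY>`, `X509:<PN>`, `X509:<RFC822>`, `X509:<I>...<S>...`, `X509:<I>...<SR>...`) follow Microsoft's documented certificateUserIds syntax; the certificate dictionaries, the user's registered values and the hex normalisation rules are constructed assumptions of the example, and the real Entra ID matching logic is not reproduced beyond the high-affinity-first rule shown here.

```python
"""Illustrative model of Entra CBA username binding with a required-affinity
policy. Not Microsoft code: the binding-string syntax is Microsoft's documented
certificateUserIds format, everything else is an assumption of this example."""
import re

HIGH_AFFINITY = {"SKI", "SHA1-PUKEY"}        # key-derived bindings
LOW_AFFINITY = {"PN", "RFC822", "I+S", "I+SR"}  # name-derived bindings

_ENTRY_RE = re.compile(r"^X509:<(?P<tag>[A-Z0-9-]+)>(?P<value>.*)$")


def _norm_hex(value: str) -> str:
    """Normalise an SKI / hash / serial so '4A:8F' and '4a8f' compare equal (example convention)."""
    return re.sub(r"[\s:]", "", value).lower()


def parse_binding(entry: str):
    """Parse one certificateUserIds value into (binding_type, comparable_value)."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not a certificateUserIds value: {entry!r}")
    tag, value = m.group("tag"), m.group("value")
    if tag == "I":  # composite issuer + subject, or issuer + serial number
        if "<SR>" in value:
            issuer, serial = value.split("<SR>", 1)
            # Microsoft documents <SR> in reversed byte order; this example does not
            # apply that reversal, so both sides must be supplied in the same form.
            return "I+SR", (issuer.strip(), _norm_hex(serial))
        if "<S>" in value:
            issuer, subject = value.split("<S>", 1)
            return "I+S", (issuer.strip(), subject.strip())
        raise ValueError(f"issuer binding without <S> or <SR>: {entry!r}")
    if tag in ("SKI", "SHA1-PUKEY"):
        return tag, _norm_hex(value)
    if tag in ("PN", "RFC822"):
        return tag, value.strip().lower()
    raise ValueError(f"unknown binding type {tag!r}")


def certificate_bindings(cert: dict) -> dict:
    """Derive every binding value a (constructed) certificate record could satisfy."""
    out = {}
    if cert.get("ski"):
        out["SKI"] = _norm_hex(cert["ski"])
    if cert.get("sha1_pubkey"):
        out["SHA1-PUKEY"] = _norm_hex(cert["sha1_pubkey"])
    if cert.get("upn"):
        out["PN"] = cert["upn"].lower()
    if cert.get("rfc822"):
        out["RFC822"] = cert["rfc822"].lower()
    if cert.get("issuer") and cert.get("subject"):
        out["I+S"] = (cert["issuer"], cert["subject"])
    if cert.get("issuer") and cert.get("serial"):
        out["I+SR"] = (cert["issuer"], _norm_hex(cert["serial"]))
    return out


def match_user(cert: dict, certificate_user_ids: list, require_high_affinity: bool):
    """Return the binding type that maps cert onto the user, or None if rejected.

    High-affinity (key-based) bindings are tried first. When the policy requires
    high affinity, a name-only match is not enough, which is exactly what keeps a
    SCEP certificate from the same CA out of the sign-in flow.
    """
    have = certificate_bindings(cert)
    bindings = [parse_binding(e) for e in certificate_user_ids]
    for btype, value in bindings:
        if btype in HIGH_AFFINITY and have.get(btype) == value:
            return btype
    if require_high_affinity:
        return None
    for btype, value in bindings:
        if btype in LOW_AFFINITY and have.get(btype) == value:
            return btype
    return None


# Constructed sample data: one user with an SKI and a UPN registered, and two
# certificates from the same CA that both carry that UPN.
USER_CERTIFICATE_USER_IDS = [
    "X509:<SKI>4a8f2b7c0d1e3f5a6b7c8d9e0f1a2b3c4d5e6f70",
    "X509:<PN>alice@contoso.example",
]
ISSUER = "DC=example,DC=contoso,CN=CONTOSO-ISSUING-CA"
SMARTCARD_CERT = {  # the certificate whose key was registered
    "ski": "4A:8F:2B:7C:0D:1E:3F:5A:6B:7C:8D:9E:0F:1A:2B:3C:4D:5E:6F:70",
    "upn": "alice@contoso.example", "issuer": ISSUER, "subject": "CN=alice", "serial": "1f0a",
}
SCEP_CERT = {  # same CA, same UPN, different key: must not sign in under High Affinity
    "ski": "9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293",
    "upn": "alice@contoso.example", "issuer": ISSUER, "subject": "CN=alice", "serial": "1f0b",
}


def demo() -> dict:
    """Run both certificates through both policies and return the outcomes."""
    return {
        "smartcard_high": match_user(SMARTCARD_CERT, USER_CERTIFICATE_USER_IDS, True),
        "scep_high": match_user(SCEP_CERT, USER_CERTIFICATE_USER_IDS, True),
        "scep_low": match_user(SCEP_CERT, USER_CERTIFICATE_USER_IDS, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'rejected' if result is None else 'matched on ' + result}")
```

Running the script shows the smart card certificate matching on SKI under both policies, while the SCEP certificate is rejected when high affinity is required and only gets in on the PN (UPN) binding when it is not. In a real tenant the SKI comes from the certificate's Subject Key Identifier extension and is written to the user's certificateUserIds via the Entra admin center or Microsoft Graph; the hex normalisation above is this example's convention, so register the value in the form Entra ID expects.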

AADSTS50017 is a common error that means Entra ID did not accept the certificate (certificate validation failed). The two main reasons this happens are: