How To Enable Phishing Resistant Authentication in Entra ID Domain

Prerequisites

  1. If you are enabling smart card authentication with Entra CBA (highly recommended for full phishing-resistant authentication), you must have a Certificate Authority, either by creating an EZCA CA or creating an ADCS CA.
  2. To enable seamless passwordless onboarding you must also register the EZCMS app in the tenant you are registering and create your EZCMS resource.

Introduction - Setting up your Entra ID Domain for Passwordless Authentication

Once your organization-wide settings are set, you can register a new domain or manage your existing domains. In this document we will go over how to register a new domain, set the domain requirements and connect a CA.

How To Add Entra ID Domain to EZCMS for Phishing Resistant Authentication

  1. Navigate to your EZCMS instance and select “Domain Settings”.

    You must be an administrator for this option to appear.
  2. Enter your domain ID (Azure Tenant ID)
  3. Enter domain name.

    The domain name is all the text after the @. For example, for jake@keytos.io the domain name is keytos.io.

  4. Set your clearance requirements for this tenant.

    Clearances are set by you in the HR database; they can range from certain background checks to actual government clearances. Anyone who doesn’t meet the clearance requirements will not be able to see the domain.

  5. The “Allowed Bootstrapping Credentials” section lets you select which credential types are allowed to create a smart card for this domain. Depending on your plan you will have some of the following options:
    1. Government ID and Face Recognition: The user scans their face and a government ID; EZCMS uses AI to validate the ID and to confirm that it matches the user.
    2. Multi-factor Authentication: The user can use their existing domain credentials to create a smart card for this domain. (This option should be enabled for renewals and can also be leveraged by existing domains that are moving to passwordless authentication.)
    3. Other Domain Multi-factor Authentication: If, like Keytos, your organization uses Identity Isolation to protect its environments, you can allow the user’s identity from one of your other domains to create a smart card for this domain.
    4. IT Desk Smart Card Creation: For highly regulated industries where physical presence and verification are required to create the smart card, this option enables your IT desk to create the smart card on behalf of the user.
  6. For multi-tenant organizations the aliases of a secondary domain might not match the aliases of the main domain. To solve this, EZCMS supports user mapping; to enable it, select the “Use custom UPNs for this domain” option.
  7. Select the cryptographic key type required for this domain.
  8. Select the authentication methods you would like to enable in this tenant. Watch the linked video to learn about the different authentication methods and help decide which one is best for you.
    1. SmartCard: SmartCard authentication is the oldest unphishable authentication method. It uses a Certificate Authority to issue a smart card certificate that is then used for certificate-based authentication. In the past, this method was mostly used by governments or organizations with very high security requirements. Now that Entra certificate-based authentication and EZCMS make smart card authentication easier to deploy, more organizations are moving to FIDO2 + SmartCard authentication.
    2. FIDO2: Since SmartCard authentication required a lot of infrastructure to set up, the FIDO Alliance created an easier-to-implement cryptographic authentication method. Instead of a large infrastructure deployment, organizations can adopt it easily by using a cloud-based identity provider such as Entra ID.

      We recommend enabling both FIDO2 and SmartCard authentication. This gives your users the most convenient authentication method for their hardware token, and because in some cases it is not possible to use a FIDO2 key or a SmartCard, they always have a hardware-protected credential to fall back on.

How To Have Multiple Identities (Alternative or Admin Accounts) in one Yubikey

Many organizations have users with multiple identities. For example, a user might have their regular account and an administrator account that is used for privileged access, or a breakglass account. In this case, we can add what we call “Alternative” accounts to the same tenant; these accounts usually have a prefix such as “alt-” or “admin-” to differentiate them from the regular accounts. Instead of creating another user in EZCMS and making users manually manage both of their credentials, you can create an alternative account in EZCMS. This even allows the user to hold both accounts on the same YubiKey. To enable this feature you just have to fill out the “Domain Alternative Accounts” section of the domain (you can have as many of these as you need).

  1. Enter the prefix or suffix of the alternative accounts.
  2. Select the bootstrapping authentication methods you would like to enable for this alternative account. Note: these have to be a subset of the domain bootstrapping methods.
  3. Select any clearance requirements for this alternative account.
  4. Select the credential types you want for this alternative account (FIDO2, SmartCard or both).
  5. Select the cryptographic key type required for this alternative account.
  6. Select the SmartCard slot for this alternative account. If it uses the same hardware token as the main account, you will have to select a different slot for the alternative account. If your users will use different hardware tokens, we recommend using 9A, which is the default slot for smart card authentication.

    Now, when a user has an account that matches the prefix or suffix you entered, they will be able to use the same hardware token to authenticate to both accounts.
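
To make the rules from the last two sections concrete (clearance gating on the domain, the subset rule for an alternative account’s bootstrapping methods, and prefix/suffix matching with a separate PIV slot when the alternative account shares the token), here is an added Python model. It is example code, not EZCMS code, and every class, field and credential-type name in it is an assumption.

```python
from dataclasses import dataclass, field

# Hypothetical model of the EZCMS domain settings described above (assumed names, not Keytos' API).
# The four strings mirror the four "Allowed Bootstrapping Credentials" options on the page.
DOMAIN_BOOTSTRAP_OPTIONS = {"gov_id_face", "mfa", "other_domain_mfa", "it_desk"}

@dataclass(frozen=True)
class AltAccountRule:
    prefix: str = ""                     # e.g. "admin-" (leave empty when matching by suffix)
    suffix: str = ""                     # e.g. "-alt"   (leave empty when matching by prefix)
    bootstrap: frozenset = frozenset()   # must be a subset of the domain's bootstrap methods
    clearances: frozenset = frozenset()  # extra clearances required on top of the domain's
    slot: str = "9C"                     # PIV slot; 9A is the default for the main account
    same_token: bool = True              # alt account lives on the same YubiKey as the main one

@dataclass
class DomainConfig:
    name: str                            # text after the "@", e.g. "keytos.io"
    bootstrap: frozenset
    clearances: frozenset
    main_slot: str = "9A"
    alts: list = field(default_factory=list)

def validate(cfg: DomainConfig) -> list:
    """Return the configuration errors the page's rules imply (empty list when valid)."""
    errors = []
    if not cfg.bootstrap <= DOMAIN_BOOTSTRAP_OPTIONS:
        errors.append("domain: unknown bootstrapping credential type")
    for r in cfg.alts:
        label = r.prefix or r.suffix
        if not r.bootstrap <= cfg.bootstrap:
            errors.append(f"alt '{label}': bootstrap methods are not a subset of the domain's")
        if r.same_token and r.slot == cfg.main_slot:
            errors.append(f"alt '{label}': slot {r.slot} collides with the main account's slot")
    return errors

def resolve(cfg: DomainConfig, upn: str, user_clearances: set):
    """Map a UPN to ("main"|"alternative", PIV slot), or None if the user may not see the domain."""
    local, _, domain = upn.partition("@")
    if domain.lower() != cfg.name.lower() or not cfg.clearances <= user_clearances:
        return None
    for r in cfg.alts:
        hit = (r.prefix and local.startswith(r.prefix)) or (r.suffix and local.endswith(r.suffix))
        if hit:
            return ("alternative", r.slot) if r.clearances <= user_clearances else None
    return ("main", cfg.main_slot)
```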

How to Connect Your Certificate Authority (CA) For Entra CBA

If you selected SmartCard as one of the authentication methods, you will have to connect a CA. EZCMS supports connecting EZCA (an Azure-based PKI) and Windows ADCS CAs for certificate issuance.

How To Connect EZCA CA For Cloud Based PKI for Entra CBA

  1. Enter https://portal.ezca.io as the agent URL.
  2. Open EZCA in another tab.
  3. Navigate to Certificate Authorities.
  4. Click “View Requirements” on your SmartCard CA.
  5. Copy your CAID.
  6. Go back to your EZCMS tab.
  7. Paste the CAID in the CA Details CAID field.
  8. Click “Test Connection”.
  9. If the connection is successful, add the CA.
  10. Repeat these steps for all your CAs.
  11. Save the domain by clicking “Register Domain” at the top.

How To Connect ADCS CA for Entra CBA

  1. Enter your public-facing agent URL.
  2. Enter the CA name in the format fqdn\CA Name.
  3. Enter the template name of the smart card template you created.
  4. Click “Test Connection”.
  5. If the connection is successful, add the CA.
  6. Repeat these steps for all your CAs.
  7. Save the domain by clicking “Register Domain” at the top.