How-To: Enable Phishing Resistant Authentication in Entra ID Domain

Start your passwordless journey by enabling phishing resistant authentication in your Entra ID domain. This guide goes over how to set up your Entra ID domain for passwordless authentication and how to connect a CA for smart card authentication.

Prerequisites

  1. If you are enabling smart card authentication with Entra CBA (highly recommended for full phishing resistant authentication), you must have a Certificate Authority, either by creating an EZCA CA or by creating an ADCS CA.
  2. To enable seamless passwordless onboarding, you must also register the EZCMS app in the tenant you are registering and create your EZCMS resource.

Introduction - Setting up your Entra ID Domain for Passwordless Authentication

Once your organization wide settings are set, we have to register your Entra ID domain(s). This might be a bit confusing if you are using this in the commercial space, but since EZCMS was designed to meet the highest government and security standards, you have to register each domain individually. This allows you to manage multiple domains within your organization from the same tool. In this document we will go over how to register a new domain, set the domain requirements and connect a CA.

How To Add Entra ID Domain to EZCMS for Phishing Resistant Authentication

  1. Navigate to your EZCMS instance and select “Domain Settings”

  2. Enter your domain ID (Azure Tenant ID)

  3. Enter domain name.

  4. If you have alternate domains, you can add them in the “Additional domain settings” section. This is useful for organizations that have multiple verified domains in their tenant or use different UPN suffixes.

  5. Now your domain settings should look something like this (if you don’t have alternate domains you can ignore the additional domain settings section):
  [Screenshot: How to setup an Entra ID domain for passwordless authentication]

  6. If you have clearances set up in your HR database, you can also select the clearance requirements for this domain in the “Clearance Requirements” section. This ensures that only users who meet the clearance requirements will see this domain when they go to onboard.

  7. The “Allowed Bootstrapping Credentials” section lets you select which credential types are allowed to create a smart card for this domain. Depending on your plan you will have some of the following options:

    1. Government ID and Face Recognition: The user scans their face and a government ID; EZCMS uses AI to validate the ID and confirm that it matches the user.
    2. Multi-factor Authentication: The user uses their existing domain credentials to create a smart card for this domain. (This option should be enabled for renewals and can also be used by existing domains that are moving to passwordless authentication.)
    3. Other Domain Multi-factor Authentication: If, like Keytos, your organization uses Identity Isolation to protect its environments, you can allow a user’s identity from one of your other domains to create a smart card for this domain.
    4. IT Desk Smart Card Creation: For highly regulated industries where physical presence and verification are required to create the smart card, this option enables your IT desk to create the smart card on behalf of the user.
    [Screenshot: Passwordless bootstrap identities for Entra ID without TAP]

  8. For multi-tenant organizations, the aliases of a secondary domain might not match the aliases of the main domain. To solve this, EZCMS supports user mapping; to enable it, select the “Use custom UPNs for this domain” option.
  [Screenshot: Custom UPN across different Entra ID tenants]

  9. Select whether you are doing both FIDO2 and SmartCard authentication or just one of them in the “Allowed Domain Credentials to Create” section. Watch this video to learn about the different authentication methods and decide which one is best for you.

    1. SmartCard: SmartCard authentication is the oldest unphishable authentication method; it uses a Certificate Authority to issue a smart card certificate that is then used for certificate authentication. In the past, this method was used mostly by governments or organizations with high security requirements. Now that Azure certificate-based authentication and EZCMS make smart card authentication easier to use, more organizations are moving to FIDO2 + SmartCard authentication.
    [Screenshot: SmartCard Authentication Before EZCMS and Entra CBA]
    2. FIDO2: Since SmartCard authentication required a lot of infrastructure to set up, the FIDO Alliance created an easier-to-implement cryptographic authentication method: instead of a large infrastructure deployment, organizations can adopt it by using a cloud-based identity provider such as Azure.

How To Setup Smartcard Settings for Entra CBA

If you have enabled Smartcard Authentication, a “Smartcard Settings” section will appear. In this section, you can select the cryptographic key type for the smart cards created for this domain as well as the smart card slot. If you don’t have a preference, leave the default settings for this section, since these are the most common settings that work with most hardware tokens.

What are Entra CBA High Affinity Smart Cards?

After the cryptographic settings of the card, you will see a checkbox to enable high affinity in Entra ID. We have a blog post that explains whether you should enable high affinity for your smart cards. If you are using high affinity in Entra CBA, this checkbox saves the certificate in the user’s object, so you do not have to manually save each user’s smart card certificate in their user object in Entra ID.
[Screenshot: Automate Entra CBA High Affinity Registration for Smart Cards in Entra ID]
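For reference, this is the manual high-affinity binding that the checkbox above spares you from doing per user. It is an added example written for this guide, not EZCMS or Keytos code: it reads the Subject Key Identifier from an exported smart card certificate and appends an `X509:<SKI>` entry to the user’s `certificateUserIds` through Microsoft Graph PowerShell. It assumes the Graph PowerShell SDK is installed, the caller holds `User.ReadWrite.All`, and the certificate path and UPN are placeholders.

```powershell
# Added example (not EZCMS code): manual Entra CBA high-affinity binding via Microsoft Graph.
function Get-SkiBinding {
    param([Parameter(Mandatory)] [string] $CertificatePath)   # .cer exported from the smart card (placeholder)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)
    # 2.5.29.14 is the subjectKeyIdentifier extension; high-affinity binding keys off it.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ext) { throw "Certificate $($cert.Thumbprint) has no Subject Key Identifier extension" }
    $ski = ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$ext).SubjectKeyIdentifier
    return "X509:<SKI>$ski"
}

function Add-CertificateUserId {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $Binding
    )
    # Merge with whatever is already bound instead of overwriting other cards.
    $existing = (Get-MgUser -UserId $UserPrincipalName -Property AuthorizationInfo).AuthorizationInfo.CertificateUserIds
    if ($existing -contains $Binding) { return @($existing) }
    $merged = @(@($existing) + $Binding | Where-Object { $_ })

    Update-MgUser -UserId $UserPrincipalName -AuthorizationInfo @{ certificateUserIds = $merged }

    # Read back so the caller can verify what Entra actually stored.
    return @((Get-MgUser -UserId $UserPrincipalName -Property AuthorizationInfo).AuthorizationInfo.CertificateUserIds)
}

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
$binding = Get-SkiBinding -CertificatePath 'C:\certs\alice-smartcard.cer'      # placeholder path
Add-CertificateUserId -UserPrincipalName 'alice@contoso.example' -Binding $binding   # placeholder UPN
```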

How to add a second certificate to the same YubiKey for Email Encryption and macOS Keychain Access Encryption

If you are using smart cards for authentication, you can also use them for encryption. This is especially useful for macOS users: if they use their smart card for authentication, macOS cannot use the password to encrypt the keychain; instead, Apple requires a certificate in slot 9d in addition to the 9a certificate used for authentication. To achieve this, you will have to select the option to have an additional certificate in a different slot.

  1. Enable “Enable additional certificate slots”.
  2. If you are going to use this certificate for encryption, we highly recommend selecting the “Backup Secondary Key” option. This has the service automatically back up the additional certificate to the user’s profile, so if the user loses their hardware token they can register a new one and have a certificate with the same key issued without losing access to their encrypted data.
  3. Select the slot you want the additional certificate to be created in (for macOS keychain encryption it has to be 9d).
  [Screenshot: How to add an additional certificate for encryption on the same YubiKey]

How To Have Multiple Identities (Alternative or Admin Accounts) in one YubiKey

Many organizations have users with multiple identities; for example, a user might have their regular account and an administrator account that is used for privileged access, or a breakglass account. In this case, we can add what we call “Alternative” accounts to the same tenant. These accounts usually have a prefix such as “alt-” or “admin-” to differentiate them from the regular accounts. Instead of creating another user in EZCMS and making users manually manage both of their credentials, you can create an alternative account in EZCMS. This even allows the user to have both accounts on the same YubiKey. To enable this feature you just have to fill out the “Domain Alternative Accounts” section of the domain (you can have as many of these as you need).

  1. Enter the prefix or suffix of the alternative accounts.
  [Screenshot: Enable Multiple Entra ID Identities in one YubiKey]
  2. Select the bootstrapping authentication methods you would like to enable for this alternative account. Note: these have to be a subset of the domain bootstrapping methods.
  3. Select any clearance requirements for this alternative account.
  4. Select the credential types you want for this alt account (FIDO2, SmartCard or both).
  5. Select the cryptographic key type required for this alternative account.
  6. Select the SmartCard slot for this alternative account. If using the same hardware token as the main account, you will have to select a different slot for the alternative account. If your users will use different hardware tokens, then we recommend using 9A, which is the default slot for SmartCard authentication.
  [Screenshot: How to manage administrator accounts in Entra ID Microsoft 365]

Now, when a user has an account that matches the prefix or suffix you entered, they will be able to use the same hardware token to authenticate to both accounts.
[Screenshot: Administrator account onboarding for Entra ID]

How to Connect Your Certificate Authority (CA) For Entra CBA

If you selected SmartCard as one of the authentication methods, you will have to connect a CA. EZCMS supports connecting EZCA, an Azure-based PKI, and Windows ADCS CAs for certificate creation.

How To Connect EZCA CA For Cloud Based PKI for Entra CBA

  1. Enter https://portal.ezca.io as the agent URL.
  2. Open EZCA in another tab.
  3. Navigate to Certificate Authorities.
  4. Click “View Requirements” on your SmartCard CA.
  [Screenshot: EZCA Cloud PKI SmartCard CA for Entra CBA Passwordless Authentication]
  5. Copy your CAID.
  [Screenshot: EZCA Cloud PKI SmartCard CA Details Connect Cloud PKI for Entra CBA]
  6. Go back to your EZCMS tab.
  7. Paste the CAID in the CA Details CAID field.
  [Screenshot: EZCMS Passwordless Onboarding EZCA connection for Smartcard Issuance in Azure]
  8. Click “Test Connection”.
  9. If the connection is successful, add the CA.
  [Screenshot: EZCMS Passwordless Onboarding EZCA add Certificate Authority]
  10. Repeat these steps for all your CAs.
  11. Save the domain by clicking “Register Domain” at the top.
  [Screenshot: EZCMS Passwordless Onboarding Save new domain]

How To Connect ADCS CA for Entra CBA

  1. Enter your public facing agent URL.
  2. Enter the CA name with the format fqdn\CA Name.
  3. Enter the template name of the smart card template you created.
  [Screenshot: EZCMS Passwordless Onboarding ADCS CA connection For Entra CBA Onboarding]
  4. Click “Test Connection”.
  5. If the connection is successful, add the CA.
  [Screenshot: EZCMS Passwordless Onboarding add Microsoft Certificate Authority for Entra CBA]
  6. Repeat these steps for all your CAs.
  7. Save the domain by clicking “Register Domain” at the top.
  [Screenshot: EZCMS Passwordless Onboarding Save new domain]
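Before clicking “Test Connection”, it helps to confirm from a domain-joined Windows host that the fqdn\CA Name string and the template name you are about to enter actually resolve. The following pre-check is an added example for this guide, not EZCMS or Keytos code; it uses the built-in certutil tool, and the CA config and template name in the usage line are placeholders.

```powershell
# Added example (not EZCMS code): verify an ADCS "fqdn\CA Name" string and a published
# template with certutil before entering them in EZCMS. Placeholder values at the bottom.
function Test-AdcsCaTemplate {
    param(
        [Parameter(Mandatory)] [string] $CaConfig,      # format expected by EZCMS: fqdn\CA Name
        [Parameter(Mandatory)] [string] $TemplateName   # template name or display name
    )

    # EZCMS expects exactly one backslash separating the CA host FQDN from the CA name.
    if ($CaConfig -notmatch '^[^\\]+\\[^\\]+$') {
        throw "CA config must use the format fqdn\CA Name, got '$CaConfig'"
    }

    # certutil -ping checks that the CA's request interface answers under that config string.
    $ping = & certutil.exe -config $CaConfig -ping 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "CA '$CaConfig' is not reachable:`n$($ping -join "`n")"
    }

    # -CATemplates lists the templates the CA is configured to issue, one per line in the
    # form "Name: Display Name -- ...", so match the requested name on either side of the colon.
    $templates = & certutil.exe -CATemplates -config $CaConfig 2>&1
    $escaped = [regex]::Escape($TemplateName)
    $hit = $templates | Where-Object {
        ($_ -match "^\s*$escaped\s*:") -or ($_ -match ":\s*$escaped\s*(--|$)")
    }
    if (-not $hit) {
        throw "Template '$TemplateName' is not published on '$CaConfig'. Published templates:`n$($templates -join "`n")"
    }
    return $true
}

# Usage with placeholder values; replace with your own CA host, CA name and template.
Test-AdcsCaTemplate -CaConfig 'ca01.corp.example.com\Corp Issuing CA' -TemplateName 'EZCMSSmartcardLogon'
```

If the ping succeeds but the template is missing, publish the smart card template on that CA before retrying the EZCMS connection test.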