Conditional Access support for ADFS CBA
When federated identities are authenticated using CBA (Certificate Based Authentication) against ADFS, it would be nice to be able to have Azure AD recognize this in Azure AD Conditional Access rules and allow or deny access to apps based on this.
We’ve continued to hear this feedback and have cert auth support on the roadmap. The main use case will be to allow certs to be used for strong user auth.
Is ADFS + CBA + Conditional Access policies supported, or is it still on the roadmap?
Totally agree. If MS's plan is to move away from ADFS (Federated Domains) to Azure AD (PTH and PTA) then adding in the Conditional Access rule for CBA would make sense. Using Windows DCOM or NDES integrations with a Windows internal CA is not an uncommon scenario.
Dries Verschaeve commented
I totally support this idea. I have several customers who use several MDM (incl. Intune) systems and block access towards O365 data from unmanaged devices. This gives issues in Conditional Access policies. We can provide access towards Intune compliant devices, but a device managed by a third-party MDM will never be Intune compliant. We therefore need to exclude these users from the policy, providing them access from any device (including non-managed devices).
A workaround to this problem would be for Azure AD to detect CBA; most third-party products support deploying certificates to devices for authentication. If you authenticated using CBA, you can then assume the device is managed by an MDM solution and provide access. Then you can instruct your users to always use certificate authentication on their managed device.
Peter Selch Dahl commented
As a workaround you can perform the following using claim rules. When CBA is being performed, send an MFA claim indicating CBA as MFA.
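The claim-rule workaround described in the comment above, written out as an added example (not code from the comment author or from Microsoft). It assumes the Office 365 relying party trust name shown, and the certificate method URI should be confirmed against a token from your own AD FS version:

```powershell
# Added example: issue the Azure AD "MFA performed" claim from AD FS when the session
# was authenticated with a client certificate (CBA).
# Assumption: the relying party trust name below; replace it with your own.
$RpName = "Microsoft Office 365 Identity Platform"

# Claim rule language. The incoming authenticationmethod claim is set by AD FS itself,
# so the rule only fires for sessions that actually used certificate authentication.
# Assumption: the X509-PKI method URI; verify it on a test token before relying on it.
$CbaAsMfaRule = @'
@RuleName = "Treat certificate authentication as MFA"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value == "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Append to the existing issuance transform rules rather than replacing them,
# so the UPN/ImmutableID rules Azure AD needs stay in place.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$merged = $rp.IssuanceTransformRules + "`r`n" + $CbaAsMfaRule
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $merged

# Azure AD only honours the multipleauthn claim when the federated domain is
# configured to trust MFA done by the IdP, for example:
#   Set-MsolDomainFederationSettings -DomainName contoso.example -SupportsMfa $true
```

Note that with this rule any certificate AD FS accepts satisfies the MFA grant control in Conditional Access, so the strength of the control is only as good as the CA and the device enrollment that issued the certificate; review the issuing CA and the AD FS certificate authentication settings before treating it as equivalent to MFA.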
Ulrik Skadhauge Jensen commented
This would be great to have, extending the CA capabilities.