How can we improve Azure Active Directory?

← Azure Active Directory

Certificate-Based Authentication (CBA) without Federation

I would like to be able to use certificate-based authentication without the need for federation so users don’t have to enter username/password for the numerous Office mobile apps.

We use Pass Through Authentication (PTA) to authenticate our Azure AD uses against our on-premises AD, and we’d prefer not to have to implement a fault tolerant ADFS infrastructure for our 200 users. We have a Certificate Authority and have implemented Intune to push user certificates to staff mobile devices.

The article below indicates CBA does work without federation for Exchange ActiveSync (EAS), so can this be expanded to work with Microsoft mobile apps (Word/Excel/PowerPoint/Outlook/OneDrive/etc)?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started

52 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Matt Moore shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

7 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Am I interpreting correctly, that currently only ADFS-Based CBA is possible for EAS?

  • HP commented  ·   ·  Flag as inappropriate

    I have enabled CBA with Azure AD this feature without federation and using EAS client with Certbase auth but unable to find any logs. It's working but Where should I find auth logs?

  • Anonymous commented  ·   ·  Flag as inappropriate

    It would be nice if we could CBA without ADFS. We must keep 5 servers only for CBA.

  • Ernesto commented  ·   ·  Flag as inappropriate

    Honestly, I would love to have this as a feature for our customers. The whole point of AAD is to help reduce the on-premises footprint of their infrastructure.

    That being said, I recognize its implementation can be a difficult one based on the current model of shared tenant model for AAD and Office 365.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Client certificate based authentication enables a great user experience to Office365 when using ADFS or with Exchange Online (ActiveSync), would really like to see this extended to AAD based un-federated users. This level of strong authentication is a pre-requisite for many organisations, particularly governmental, to consider Office365.

Azure Active Directory: Authentication

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice