Certificate-Based Authentication (CBA) without Federation
I would like to be able to use certificate-based authentication without the need for federation so users don’t have to enter username/password for the numerous Office mobile apps.
We use Pass Through Authentication (PTA) to authenticate our Azure AD users against our on-premises AD, and we'd prefer not to have to implement a fault-tolerant ADFS infrastructure for our 200 users. We have a Certificate Authority and have implemented Intune to push user certificates to staff mobile devices.
The article below indicates CBA does work without federation for Exchange ActiveSync (EAS), so can this be expanded to work with Microsoft mobile apps (Word/Excel/PowerPoint/Outlook/OneDrive/etc)?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started
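The get-started article linked above covers the tenant-side step this request depends on: Azure AD has to trust the issuing CA before any client certificate can be used against it, federated or not. As an added illustration (not part of the original post, and not Microsoft's own sample), the following Windows PowerShell 5.1 snippet registers an issuing CA with the AzureAD module and then checks what the tenant has on record. The certificate path and CRL URL are placeholders.

```powershell
# Added example (not from the original post): register an on-premises issuing CA
# as a trusted certificate authority for Azure AD certificate-based authentication,
# then verify what Azure AD has on record.
# Assumes Windows PowerShell 5.1 and the AzureAD module (Install-Module AzureAD).
# The file path and CRL URL below are placeholders for this illustration.

Import-Module AzureAD
Connect-AzureAD

# Public certificate of the CA that issues the user certificates (DER .cer export).
$certPath  = 'C:\pki\contoso-issuing-ca.cer'              # placeholder path
$certBytes = Get-Content -Path $certPath -Encoding Byte    # -AsByteStream on PowerShell 7

$ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
# 'RootAuthority' for a root CA, 'IntermediateAuthority' for a subordinate issuing CA
$ca.AuthorityType      = 'IntermediateAuthority'
$ca.TrustedCertificate = $certBytes
# Azure AD fetches the CRL from this URL to check revocation, so it must be
# reachable from the Internet over HTTP, not only from inside the corporate network.
$ca.crlDistributionPoint = 'http://pki.contoso.com/crl/contoso-issuing-ca.crl'   # placeholder URL

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca

# Check 1: list the CAs the tenant now trusts.
Get-AzureADTrustedCertificateAuthority |
    Select-Object AuthorityType, crlDistributionPoint

# Check 2: confirm the CRL endpoint answers from outside the corporate network.
Invoke-WebRequest -Uri $ca.crlDistributionPoint -Method Head -UseBasicParsing |
    Select-Object StatusCode
```

Two things a practitioner should verify before pushing certificates with Intune: the user certificate must carry the user's Azure AD UPN (or routable email address) in the Subject Alternative Name, because that is how Azure AD maps the certificate to an account; and if the CRL distribution point is not reachable from the Internet, sign-ins fail rather than skip the revocation check.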

7 comments
-
Anonymous commented
Am I interpreting correctly that currently only ADFS-based CBA is possible for EAS?
-
HP commented
I have enabled this CBA feature with Azure AD without federation, using an EAS client with cert-based auth, but I am unable to find any logs. It's working, but where should I find the auth logs?
-
Joe Stocker commented
FYI - you can now do this with Microsoft Cloud App Security Conditional Access App Control. https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad
-
Anonymous commented
It would be nice if we could do CBA without ADFS. We must keep 5 servers only for CBA.
-
Joshua Toon commented
This would be awesome. I'm a little surprised that it isn't supported yet?
-
Ernesto commented
Honestly, I would love to have this as a feature for our customers. The whole point of AAD is to help reduce the on-premises footprint of their infrastructure.
That being said, I recognize its implementation can be a difficult one based on the current shared-tenant model for AAD and Office 365.
-
Anonymous commented
Client certificate-based authentication enables a great user experience for Office 365 when using ADFS or with Exchange Online (ActiveSync); I would really like to see this extended to AAD-based un-federated users. This level of strong authentication is a prerequisite for many organisations, particularly governmental ones, to consider Office 365.