Skip to content

Enterprise Mobility + Security


Howdy folks,

It seems like hardly a week goes by these days without a new story of leaked credentials, malware and phishing hitting the news. These stories make it super clear that in many ways, passwords are one of the most vulnerable parts of many security regimes. In Microsoft’s Identity Division, we are doing a ton of work to give our customers options to both beef up their password security (by making passwords harder to crack and adding MFA). But our bigger goal is to eliminate the need for passwords all together. If you are a Windows 10 user and have used Windows Hello, you’ve already experienced one of our big investments in this effort to eliminate passwords through the use of biometrics.

Today’s news is another big part of that effort.

Today we’re announcing public preview for certificate based authentication for iOS and Android for Office 365. This is our first public preview of this offer, but the solution is already relatively mature and some of our largest enterprise customers (many who are “smartcard only”) are already using it to enhance the security of users accessing company resources from mobile devices.

This preview lights up 2 key scenarios:

  1. In federated Azure AD domains, Office applications on iOS and Android can perform certificate-based authentication against the federation server. The chart below outlines the support for certificate based authentication across Office applications:

    iOS

    Android

    Office clients (Word, PowerPoint, Excel)

    Supported

    Supported

    OneDrive

    Supported

    Supported

    Outlook

    Supported

    Supported

    Skype for Business

    Coming soon

    Supported

  2. Supported Exchange ActiveSync mobile apps in iOS and Android can now do certificate-based authentication to Exchange Online, for both managed and federated Azure AD domains.

How to get started?

Requirements

First things first, let’s quick go over the key requirements.

General requirements:

  1. You must have one or more certificate authority(s) that issue user certificates for authentication.
  2. Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet facing URL.
  3. User certificates must be provisioned on the mobile devices. Many people do this via Mobile Device Management (MDM) software.

For Office application support,

  1. Your Azure AD domain must be federated, and the federation provider (e.g. Active Directory sFederation Services) must be configured to perform certificate based user authentication.
  2. iOS version >= 9.0 and Android version >= Lollipop are required.
  3. On iOS, the Azure Authenticator app must be installed from the App Store.

For Exchange ActiveSync support,

  1. The RFC822 attribute in user’s certificates must match the user’s routable email address in Exchange Online. If the RFC822 attribute is not present, the UPN attribute of the certificate must match the UPN of the user in Azure AD. This is required to map the certificate to a user in Azure AD.

Configuration

This section assumes that you already have the federation server configured for certificate based authentication.

To setup these new capabilities in your environment, follow the steps below:

  1. Configure your certificate authorities in Azure AD: To leverage certificate authentication, Azure AD needs to know about your certificate authorities so it can validate user certificates and perform revocation. To do so, first install the Azure AD preview powershell module. Once connected to your tenant, run the following commands to add a new certificate authority:

    $cert=Get-Content -Encoding byte “[LOCATION OF THE CER FILE FOR THE CERTIFICATE AUTHORITY]”

    $new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation

    $new_ca.AuthorityType=0

    $new_ca.TrustedCertificate=$cert

    $new_ca. crlDistributionPoint = “[URL FOR THE CERTIFICATE REVOCATION LIST]”

    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca

    To verify that the certificate authority is added correctly, run the Get-AzureADTrustedCertificateAuthorities command.

  2. Configure your federation server to send the serial number and issuer claims: For Azure AD to validate certificates and perform revocation in the federated environment, information about the user certificate used for authentication must be present in the token returned from the federation server. The following claims need to be present in the token for Azure AD to perform revocation:
    1. http://schemas.microsoft.com/ws/2008/06/identity/claims/<serial number>

      (The serial number of the client certificate)

    2. http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>

      (The string for the issuer of the client certificate)

Validation

To test certificate based authentication withss an Office application, follow the steps below:

  1. On your test device, install the OneDrive app from the App Store or Google Play Store.
  2. Verify that the user certificate has been provisioned to the test device. iOS and Android have facilities for viewing installed certs in their respective settings apps.
  3. Verify the Azure Authenticator app is installed on the test device if it is an iOS device. This step is not required on Android.
  4. Launch OneDrive.
  5. Enter your user name, and then pick the user certificate you want to use to sign in.

You should be successfully signed in!

Want to test certificate based authentication with Exchange ActiveSync clients? Follow the steps here.

And as always, we’d love to get any feedback suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division