Configuring Microsoft Entra certificate-based authentication

Recently I’ve become frustrated with my YubiKey, in that it’s never within reach when I’ve needed to authenticate. Equally, I’m trying to use my Phone less, and that too involves it being out of reach, which means Authenticator Codes/Passkeys aren’t really suitable all the time. My end goal is M365 Passkeys via Bitwarden, but again, Microsoft don’t currently support this route… so, today, whilst I had a bit of time, I explored the feasibility of Certificate Based Authentication (CBA).

This involves us creating a container within Azure to store our “Root CA” cert, and then issuing a User cert for authenticating against the “Root CA” cert. This article shows how I set about doing so. It’s worth noting, in my environment, there’s just me… and no hosted CA etc, so this article won’t be 1:1 for enterprise environments, however, the theory is there.

It’s worth noting, that at the time of writing this, the functionality is in Preview.

Prerequisites

The first thing we need to do, is enable Certificate-based authentication. This is done within the Entra admin console, and then within Protection and then under Authentication Methods.

Within Authentication methods, click on Certificate-based authentication, and Enable CBA, and select who to target.

Within the Configure “tab”, ensure the Protection Level within Authentication Binding is set to Multi-factor authentication.

There’s a few more security related aspects in here that you can use to further restrict authentication, but as this is purely for my own sanity, this is not covered within this guide. The configuration settings are self-explanatory, and if you do require the additional restrictive configurations, the MS Documentation is perfectly adequate for assisting.

Create a PKI Container

Login to the Entra admin console and browse to Protection > Show more > Security Center > Public Key Infrastructure within the left menu.

Click “Create PKI” and give the container a name.

Click create.

Add a Certificate Authority to the container

Launch an elevated PowerShell window.

Review the following code, and if pasting, be sure to update the -Subject name, as it currently reads CN=Vini-RootCA. The code supplied will generate your “Root CA” certificate. Do not close the PowerShell window as we’ll use it a couple of times.

$CertCreation = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Vini-RootCA" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsageProperty Sign -KeyUsage CertSign

The command above creates a Root Certificate called “Vini-RootCA” in the Local Computer Certificate Store of your machine.

From the same PowerShell window, type certlm.msc, this will open the Certificate Manager.

Expand the Personal/Certificates folder.

Right click on your newly created Certificate and select All Tasks > Export. Click Next on the first page.

Select “No, do not export the private key” on the second page.

Leave the encoding as DER encoded binary X.509 (.CER)

Supply your export path and filename.

Now go back to the PKI Container we created earlier and click “+ Add Certificate Authority“.

Select the newly exported .CER file, and specific that the CA is the root. Leave the other options as they are. (Again, if in an enterprise environment, you may need to provide CRL information, Hints etc – you will know if you need/want to do this.)

After your Cert is uploaded, you should see similar to this;

That is effectively the “lock” in place, now we need a key to open the lock.

Create your User Authentication certificate

Return to your elevated and open PowerShell window. Use the following code – be sure to amend the Subject and UPN hidden within to reflect your certificate name and authenticating user(s).

New-SelfSignedCertificate -Type Custom -Subject "Vini-UserAuth" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=itsjames@domain.com","2.5.29.32={text}OID=1.2.3.4.5&OID=1.2.3.4") -KeyUsage DigitalSignature -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName -CertStoreLocation "Cert:\CurrentUser\My" -Signer $CertCreation -KeyExportPolicy Exportable

This command creates a user authentication certificate called “Vini-UserAuth” located within the Personal Certificate Store of your computer. This is the “key” for the “lock” we have installed.

At this point, you can attempt to authenticate with Microsoft using the newly created certificate. Simply browse to a Microsoft site that would ask for your identity. Supply the user credentials of the user(s) you’ve issued a cert to and choose the “Select a Certificate for authentication” option. If you have other MFA tokens/options created, you may need to cancel and/or select “Other authentication methods” to see the Certificate option. Using InPrivate browsing mode isn’t a bad idea for testing, as you’ll be forced to authenticate.

In my example below, I have a few certs. Ensure you select the cert (or, key!) you just created.

Exporting your User Authentication certificate

You may wish to copy your certificate to other devices, say your Phone.

You can achieve this by launching certmgr.msc (from an elevated PowerShell session) and then expand the Personal/Certificates folder.

Right click on your newly created User Authentication Certificate and select All Tasks > Export. Click Next on the first page.

Select “Yes, export the private key” on the second page.

Set the export file format to Personal Information Exchange – PKCS #12 (.PFX) if it is not defined by default.

Check “Export all extended properties“. Click next.

Enter a Password and confirm it. Click next.

Supply your export path and filename.

Now you have the PFX exported, send this device to yourself. I simply emailed it to myself and installed it by pressing on it when the certificate arrived in my email. I then followed the instruction on my iPhone and attempted to authenticate with another Microsoft site.

This might have been a waste of time, but it didn’t take long and I learnt something in doing this. Hopefully you will to.

James avatar

Leave a Reply

Your email address will not be published. Required fields are marked *