Activating and Utilizing Certificate-Based Authentication with Microsoft Cloud PKI

Introduction
In the past, I connected several on-prem PKI environments to Intune using NDES connectors and many other connectors. That was always quite a bit of work; I won't bother you with that.

When I heard that a cloud certificate management solution was coming, I couldn't wait. Since Q1 2024 it has been possible to use Microsoft Cloud PKI for your certificate management.

Secure access to resources matters more than ever. Microsoft Cloud PKI and Entra certificate-based authentication (CBA) together give you a password-free way to authenticate users and devices: the user proves possession of a private key that stays on the device, and Entra verifies the certificate against the certificate authorities you have told it to trust.

This blog post walks you through activating Entra certificate-based authentication against a Microsoft Cloud PKI, so that your users can sign in with a certificate instead of a password.

Understanding Microsoft Cloud PKI
Microsoft Cloud PKI is a cloud-based certificate authority service that is integrated with Intune. It hosts your root and issuing CAs, publishes their CRLs, and issues certificates (via SCEP) to Intune-managed devices and their users. These certificates function as digital identities for users, devices and applications, enabling encrypted communication and authentication.

A few key benefits are:

  • Enhanced security: a certificate binds a private key held on the device to a user or device identity, so authentication does not depend on a password that can be phished or reused. Which resources that identity may then access is still decided by your Conditional Access and authorization policies.
  • Compliance: certificates help organizations meet industry standards and regulatory requirements that call for strong, non-password authentication.
  • Simplified management: the CA, CRL publishing and certificate issuance are hosted by Microsoft, which removes much of the complexity of an on-premises PKI (no NDES servers or connectors to run and patch).

Licensing requirements
Microsoft Cloud PKI requires one of the following licenses:

  • Microsoft Intune Suite license
  • Microsoft Cloud PKI standalone Intune add-on license

Activating Microsoft Cloud PKI
Activating Microsoft Cloud PKI involves several steps, from setting up your cloud environment to configuring your Certificate Authority (CA).

I won't repeat the whole story of how to configure this here; a detailed description of how to configure Cloud PKI and deploy certificates to your devices is available separately.

You need to deploy three certificates to your devices:

  1. The Root CA certificate
  2. The Issuing CA certificate
  3. A user certificate with the UPN as the CN. For Entra CBA the UPN must also be present in the Subject Alternative Name (as PrincipalName), because the default username binding maps the SAN PrincipalName or RFC822Name to userPrincipalName; the CN alone is not used for the binding.
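Before turning on CBA it is worth checking, on an enrolled device, that the user certificate Intune deployed really has the properties Entra depends on: a UPN in the SAN, the Client Authentication EKU, a public CRL distribution point, and a private key that is not exportable. The following PowerShell script is an added example and not part of the original post; the issuing CA subject is an assumed placeholder that you replace with the subject of your own Cloud PKI issuing CA.

```powershell
# Added example, not from the original post. Run in the user's session on an
# Intune-managed Windows device after the Cloud PKI profiles have applied.
# The issuing CA subject is an assumed placeholder; use your own CA's subject.
$issuingCaSubject = 'CN=Contoso Cloud PKI Issuing CA'

# Issuer strings may carry extra RDNs (O=, C=), so match on a substring.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$issuingCaSubject*" }

if (-not $certs) {
    Write-Warning "No certificate issued by '$issuingCaSubject' found in Cert:\CurrentUser\My"
    return
}

foreach ($cert in $certs) {
    "Subject      : $($cert.Subject)"
    "Thumbprint   : $($cert.Thumbprint)"
    "Valid        : $($cert.NotBefore) -> $($cert.NotAfter)"

    # 1. Username binding. Entra CBA maps the SAN PrincipalName (UPN) or
    #    RFC822Name to the user by default; a UPN in the CN alone is not enough.
    $upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
    $sanUpn  = $cert.GetNameInfo($upnType, $false)
    "SAN UPN      : $(if ($sanUpn) { $sanUpn } else { '<missing>' })"
    if (-not $sanUpn) {
        Write-Warning 'No UPN in the SAN; the default username binding will not match this user.'
    }

    # 2. Extended key usage must include Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2'))
    "Client auth  : $clientAuth"

    # 3. CRL distribution point. This is the URL you enter in Entra for the
    #    issuing CA; Entra fetches it from the internet, so it must be public.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    "CDP          : $(if ($cdp) { $cdp.Format($false) } else { '<none>' })"

    # 4. Where the private key lives. A non-exportable key in the Microsoft
    #    Platform Crypto Provider (TPM) is what makes 'multi-factor' defensible.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        "Key provider : $($rsa.Key.Provider.Provider)"
        "Export policy: $($rsa.Key.ExportPolicy)"
    }

    # 5. Build the chain with online revocation checking; this exercises the
    #    same CRL URLs that Entra will use once 'Require CRL validation' is on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    "Chain valid  : $chainOk"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    }
    ''
}
```

If the SAN UPN line reports `<missing>`, fix the SCEP profile (Subject alternative name = User principal name) before enabling CBA; a chain that fails with a revocation-related status usually means the CRL distribution point is not reachable from the device, which is also what Entra would see.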

Activating Entra Certificate-based Authentication
To configure certificate authorities and enable certificate-based authentication in the Entra admin center, follow the steps below to add your root and issuing CA.

  1. Sign in to the Microsoft Entra admin center
  2. Browse to Protection -> Show more -> Security Center -> Certificate authorities
  3. Click on Create PKI and give it a name
  4. Click on Create
  5. Your newly created Entra PKI container will be shown in the window
Figure 01 – Create an Entra PKI container
Figure 02 – Entra PKI container is created
  6. Click on your newly created Entra PKI container
  7. Click on Add certificate authority
  8. To upload a CA, select Browse
  9. Select the CA file (start with the Root CA; the Issuing CA is added in a second pass)
  10. Select Yes if the CA is a root certificate, otherwise select No
  11. For Certificate Revocation List URL, set the internet-facing URL of the base CRL published by this CA. You can read it from the CRL Distribution Points extension of a certificate the CA has issued (the issuing CA's certificate for the root, a user certificate for the issuing CA). Entra fetches the CRL over the internet, so the URL must be publicly reachable. If the URL isn't set, authentication with revoked certificates doesn't fail.
  12. You can skip the Delta Certificate Revocation List URL setting
  13. Select Add

Repeat these steps to add your issuing CA to the CBA settings.

Figure 03 – Add certificate authority
Figure 04 – Your newly created Certificate authorities

To make sure that end users can actually use certificate-based authentication, we need to enable this method under Authentication methods.

  1. Sign in to the Microsoft Entra admin center
  2. Browse to Protection -> Authentication methods
  3. Select Certificate-based authentication
Figure 05 – Certificate-based authentication under Authentication methods
  4. Set the toggle to Enable
  5. Choose All users or Select groups, and pick the pilot group(s) that should be able to use CBA
Figure 06 – Enable the setting and choose all users or a group of users
  6. On the Configure tab, make sure Require CRL validation (recommended) is checked; without it, Entra accepts certificates that your CA has already revoked
  7. Make sure Issuer hints is checked as well, so that the client can filter the certificate picker to certificates chaining to the CAs trusted by the tenant
  8. Under Protection level, choose Multi-factor authentication. Every certificate matched by a binding rule then satisfies MFA on its own, so only do this for certificates whose private key is protected on the device (for example TPM-backed and non-exportable)
  9. Click on + Add rule and add an authentication binding policy rule for the root CA as well as the issuing CA. Rules can match on the certificate issuer or on a policy OID; if the same issuing CA also issues certificates for other purposes, a policy OID rule lets you limit the MFA level to the user authentication certificates
  10. Click on Add
Figure 07 – Add authentication binding
Figure 08 – The Root and the Issuing CA are added to the binding
  11. Read the message in the orange warning box and click I Acknowledge
  12. Click the Save button
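The same authentication method policy can be configured through Microsoft Graph instead of clicking through the portal, which is useful for repeatable deployments and for reviewing what is actually enforced. The following PowerShell script is an added example and not from the original post; the pilot group ID and the issuing CA subject are assumed placeholders. It deviates from the portal steps above in one deliberate respect: the default protection level stays at single factor and only certificates issued by the issuing CA are promoted to multi-factor, so a CA added to the tenant later is not silently treated as MFA.

```powershell
# Added example, not from the original post. Configures the Entra
# certificate-based authentication method policy through Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module and an administrator
# who can consent to the Policy.ReadWrite.AuthenticationMethod permission.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# Assumed placeholders: replace with your pilot group's object ID and the
# subject of your Cloud PKI issuing CA exactly as it appears on the CA.
$cbaPilotGroupId  = '00000000-0000-0000-0000-000000000000'
$issuingCaSubject = 'CN=Contoso Cloud PKI Issuing CA'

$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate'

$body = @{
    '@odata.type' = '#microsoft.graph.x509CertificateAuthenticationMethodConfiguration'
    state = 'enabled'

    # Scope CBA to a pilot group first; use id 'all_users' to enable it for everyone.
    includeTargets = @(
        @{ targetType = 'group'; id = $cbaPilotGroupId; isRegistrationRequired = $false }
    )

    # Username binding: SAN PrincipalName (UPN) is tried first, SAN RFC822Name
    # second. Neither uses the subject CN, which is why the user certificate
    # must carry the UPN in the SAN.
    certificateUserBindings = @(
        @{ x509CertificateField = 'PrincipalName'; userProperty = 'userPrincipalName'; priority = 1 }
        @{ x509CertificateField = 'RFC822Name';    userProperty = 'userPrincipalName'; priority = 2 }
    )

    # Protection level: single factor by default, multi-factor only for
    # certificates issued by our issuing CA. A policy OID rule
    # (x509CertificateRuleType = 'policyOID') could narrow this further.
    authenticationModeConfiguration = @{
        x509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor'
        rules = @(
            @{
                x509CertificateRuleType           = 'issuerSubject'
                identifier                        = $issuingCaSubject
                x509CertificateAuthenticationMode = 'x509CertificateMultiFactor'
            }
        )
    }

    # Equivalent of the portal toggles 'Require CRL validation' and 'Issuer
    # hints'. Property names follow the Graph
    # x509CertificateAuthenticationMethodConfiguration resource; confirm them
    # against the current schema for your tenant before relying on them.
    crlValidationConfiguration = @{
        state = 'enabled'
        exemptedCertificateAuthoritiesSubjectKeyIdentifiers = @()
    }
    issuerHintsConfiguration = @{ state = 'enabled' }
}

Invoke-MgGraphRequest -Method PATCH -Uri $policyUri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read the policy back and show what Entra will actually enforce.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"State        : $($cfg.state)"
"Default mode : $($cfg.authenticationModeConfiguration.x509CertificateAuthenticationDefaultMode)"
$cfg.authenticationModeConfiguration.rules |
    Format-Table x509CertificateRuleType, identifier, x509CertificateAuthenticationMode -AutoSize
```

The read-back at the end is the part worth keeping in a runbook: the rules list is exactly what decides whether a certificate sign-in counts as MFA for your Conditional Access policies, so review it after every change.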

And now we have to wait a few minutes so that the backend can do the work of tying everything together.

So. Having implemented the above, we can now go and see if it all actually works. Fortunately, it does.

How? We'll see in the video below.

This post is republished from Jeroen Burgerhout's original at https://www.burgerhout.org/activating-and-utilizing-certificate-based-authentication-with-microsoft-cloud-pki/ (www.burgerhout.org), published 2025-02-03 14:02:00.
