Microsoft Entra Certificate-Based Authentication Gets New Issuer Hints Feature to Simplify Certificate Selection

Last Update: Aug 06, 2024 | Published: Jul 04, 2024

Key Takeaways:

  • Microsoft has introduced an issuer hints feature in public preview for Entra ID, simplifying the selection of the appropriate certificate for authentication.
  • Microsoft Entra CBA now supports additional username bindings, including IssuerAndSerialNumber, IssuerAndSubject, and Subject.
  • Microsoft Entra CBA now offers advanced options within Conditional Access.

Microsoft has released a new issuer hints feature in public preview for Entra certificate-based authentication (CBA). Additionally, several other capabilities, including username bindings and advanced Conditional Access options, have reached general availability, offering users greater flexibility and control over their authentication processes.

What is Microsoft Entra certificate-based authentication (CBA)?

Microsoft Entra certificate-based authentication is a security feature that allows customers to authenticate to Entra ID (formerly Azure AD) using certificates. It integrates seamlessly with Entra ID and provides secure access to Microsoft 365, Azure, and other applications that rely on Entra ID for authentication.
CBA lets users authenticate using smart cards, virtual smart cards, and other certificate-based devices.

This feature is particularly useful in environments where a high level of security is required, including financial institutions, government agencies, and other regulated industries.

How does the issuer hints feature work?

Microsoft has released a new issuer hints feature that makes it easier for Entra ID customers to select the appropriate certificate for authentication. As part of the TLS (Transport Layer Security) handshake, Microsoft Entra ID sends back a Trusted CA Indication, a list of the certificate authorities it accepts, so that the client can limit the certificates it offers to those issued by a CA the tenant trusts.

“The trusted Certificate Authority (CA) list will be set to the subject of the Certificate Authorities (CAs) uploaded by the tenant in the Entra trust store. The client or native application client will use the hints sent back by the server to filter the certificates shown in the certificate picker and will show only the client authentication certificates issued by the CAs in the trust store,” Microsoft explained.

Enhanced certificate Picker with issuer hints enabled (Image Credits: Microsoft)

Microsoft Entra CBA adds new username bindings

In addition to the issuer hints feature, Microsoft Entra CBA has been updated to match the username bindings supported by the on-premises Active Directory. Username binding in certificate-based authentication (CBA) refers to how a user’s identity is linked to the X.509 certificate during the authentication process.

Microsoft Entra CBA now supports three additional bindings: IssuerAndSerialNumber, IssuerAndSubject, and Subject. The IssuerAndSerialNumber binding links the user to the certificate’s issuer (CA) and its serial number. The IssuerAndSubject binding combines information from both the issuer and subject of the certificate. The Subject binding uses the subject information, such as the email address, from the certificate for user identification.

The CBA Affinity Binding feature allows organizations to set affinity bindings at the tenant level. This capability enables IT admins to apply consistent rules to determine which certificates are associated with which end users. Additionally, they can create custom rules to define high-affinity or low-affinity mappings.

Lastly, the CBA Authentication policy rules feature allows administrators to define whether authentication is single-factor or multifactor. Custom rules can also be created to assign default protection levels for certificates. Furthermore, Microsoft Entra now offers advanced certificate-based authentication (CBA) options within Conditional Access, allowing tailored access based on certificate issuers or Policy Object Identifiers (OIDs).
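The two mechanisms described above, the issuer-hint filter applied in the certificate picker and the lookup value produced by each username binding, as an added example that is not Microsoft's code. Certificates are represented as constructed records of their issuer, subject, serial and EKU fields rather than parsed X.509; the CA names, subjects and serials are made up for illustration.

```python
from dataclasses import dataclass

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


@dataclass(frozen=True)
class Cert:
    """Stand-in for the fields of an X.509 client certificate (constructed, not parsed)."""
    issuer: str
    subject: str
    serial: str
    ekus: tuple = ()


def normalize_dn(dn: str) -> tuple:
    """Compare distinguished names as an unordered, case-insensitive set of RDNs."""
    return tuple(sorted(p.strip().lower() for p in dn.split(",") if p.strip()))


def filter_by_issuer_hints(certs, trusted_ca_subjects):
    """Picker-side filter: keep client-auth certificates whose issuer matches one of
    the CA subject names the server sent as hints (the tenant's Entra trust store)."""
    hints = {normalize_dn(s) for s in trusted_ca_subjects}
    return [c for c in certs
            if CLIENT_AUTH_EKU in c.ekus and normalize_dn(c.issuer) in hints]


def binding_key(cert, binding):
    """Value the chosen username binding would look up against the user object."""
    if binding == "IssuerAndSerialNumber":
        return (normalize_dn(cert.issuer), cert.serial.lower().lstrip("0"))
    if binding == "IssuerAndSubject":
        return (normalize_dn(cert.issuer), normalize_dn(cert.subject))
    if binding == "Subject":
        return normalize_dn(cert.subject)
    raise ValueError(f"unsupported binding: {binding}")


# Constructed sample data: two CAs in the tenant trust store, three certs on the device.
TRUST_STORE = ["CN=Contoso Issuing CA, O=Contoso, C=US",
               "CN=Contoso Root CA, O=Contoso, C=US"]
DEVICE_CERTS = [
    # issued by a trusted CA, client-auth EKU: the only one the picker should show
    Cert("O=Contoso, C=US, CN=Contoso Issuing CA", "CN=Alice, O=Contoso",
         "0A1B2C", (CLIENT_AUTH_EKU,)),
    # issued by a CA that is not in the trust store
    Cert("CN=Fabrikam CA, O=Fabrikam", "CN=Alice, O=Fabrikam", "77", (CLIENT_AUTH_EKU,)),
    # trusted issuer, but server-auth only
    Cert("CN=Contoso Issuing CA, O=Contoso, C=US", "CN=alice-laptop", "33",
         ("1.3.6.1.5.5.7.3.1",)),
]


def pick_for_user(certs=DEVICE_CERTS, hints=TRUST_STORE):
    """Certificates the picker would offer after applying the issuer hints."""
    return filter_by_issuer_hints(certs, hints)
```

Running `pick_for_user()` returns only Alice's Contoso certificate, even though the same issuer name appears on the server-auth certificate and the same subject on the Fabrikam one.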