Microsoft Entra ID Gets Advanced Customization Options for Certificate-Based Authentication

Last Update: Nov 19, 2024 | Published: Jan 31, 2024


Key Takeaways:

  • Microsoft’s Entra ID Conditional Access service now offers advanced controls over certificate-based authentication methods.
  • The authentication strength feature lets IT administrators specify which combinations of MFA methods satisfy a policy for accessing resources.
  • Microsoft says administrators can now pin an authentication strength to certificate properties such as the policy OID or the issuer.

Microsoft has released an update to its Entra ID Conditional Access service that gives administrators more granular control over certificate-based authentication (CBA). The advanced CBA options, currently in preview, let a Conditional Access policy require not just any certificate but a certificate with specific properties: the issuer that signed it or the policy object identifiers (OIDs) it carries.

Microsoft Entra ID Conditional Access is a service that lets administrators control access to corporate resources based on conditions such as the user, device, location, or sign-in risk. Policies can then impose requirements, such as multifactor authentication (MFA), before granting access to websites and services.

In October 2022, Microsoft introduced the authentication strength feature for Entra ID Conditional Access. It lets IT administrators specify which combinations of MFA methods satisfy a policy, choosing from options such as certificate-based authentication, Windows Hello for Business, or FIDO2 security keys.

Microsoft had previously announced plans to let administrators scope authentication methods to specific users and groups. The new granular controls extend that work: an authentication strength can now be customized for certificate-based authentication so that it is tied to particular certificate properties rather than to the presence of any certificate. Because authentication strengths are enforced through Conditional Access, the requirement can vary with user risk, the sensitivity of the resource being accessed, or location.

“For instance, a company like Contoso may issue three different types of multifactor certificates via Smart Cards to employees, each distinguished by properties such as Policy OID or issuer. These certificates may correspond to different levels of security clearance, such as Confidential, Secret, or Top Secret,” Microsoft explained.

Limitations

Microsoft says IT administrators can set up the new advanced CBA options in the Entra admin center or through Microsoft Graph. Two limitations are worth noting. A user can use only one certificate per browser session, so someone who signed in with a lower-tier card cannot switch to a higher-tier card without starting a new session. In addition, both the certificate authority certificates and the user certificates must be X.509 v3. Microsoft documents the authentication strength advanced options in more detail on its support page.
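As an added example (not code from the article or from Microsoft), the Python below builds the Microsoft Graph request bodies for the three-tier Contoso scenario described above, the Conditional Access grant control that references one of the resulting strengths, and a small local evaluator that mirrors how such a strength judges a presented certificate. The Graph resource and property names (`authenticationStrengthPolicies`, `x509CertificateCombinationConfiguration`, `allowedIssuerSkis`, `allowedPolicyOIDs`, `x509CertificateMultiFactor`) are Graph's own; the subject key identifiers, the policy OIDs, the `GRAPH_TOKEN` environment variable and the rule that a certificate must match one allowed issuer and one allowed OID when both lists are configured are assumptions made for this example.

```python
"""Tiered certificate-based authentication strengths in Microsoft Entra ID.

Builds the Microsoft Graph request bodies for one authentication strength per
clearance level (each pinned to an issuer SKI and a certificate-policy OID),
the Conditional Access grant control that references a strength, and a local
evaluator that models how such a strength would judge a presented certificate.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
MFA_CERT = "x509CertificateMultiFactor"

# Constructed sample PKI data for the three Contoso tiers. The subject key
# identifiers (hex) and the policy OIDs are invented for this example; replace
# them with the SKI of your issuing CA certificate and the OIDs your CA stamps
# into the Certificate Policies extension of user certificates.
TIERS = {
    "Confidential": {"issuer_ski": "1A2B3C4D5E6F70819293A4B5C6D7E8F901234567",
                     "policy_oid": "1.3.6.1.4.1.99999.10"},
    "Secret":       {"issuer_ski": "2B3C4D5E6F70819293A4B5C6D7E8F90123456789",
                     "policy_oid": "1.3.6.1.4.1.99999.20"},
    "Top Secret":   {"issuer_ski": "3C4D5E6F70819293A4B5C6D7E8F9012345678901",
                     "policy_oid": "1.3.6.1.4.1.99999.30"},
}


def build_strength(tier: str) -> dict:
    """Body for POST /policies/authenticationStrengthPolicies: a custom
    strength that accepts only certificates Entra classifies as multifactor."""
    return {
        "displayName": f"CBA {tier}",
        "description": f"Smart card issued for {tier} clearance",
        "allowedCombinations": [MFA_CERT],
    }


def build_cba_configuration(issuer_skis=(), policy_oids=()) -> dict:
    """Body for POST /policies/authenticationStrengthPolicies/{id}/combinationConfigurations
    that narrows the certificate combination by issuer SKI and/or policy OID."""
    body = {
        "@odata.type": "#microsoft.graph.x509CertificateCombinationConfiguration",
        "appliesToCombinations": [MFA_CERT],
    }
    if issuer_skis:
        body["allowedIssuerSkis"] = list(issuer_skis)
    if policy_oids:
        body["allowedPolicyOIDs"] = list(policy_oids)
    return body


def build_ca_grant_controls(strength_id: str) -> dict:
    """grantControls for a Conditional Access policy that requires the strength."""
    return {"operator": "OR", "authenticationStrength": {"id": strength_id}}


def certificate_satisfies(cert: dict, strength: dict, config: dict) -> bool:
    """Local model of the evaluation. `cert` carries what the tenant would see:
    the combination Entra assigns from its CBA binding policy (single- or
    multifactor), the issuer's SKI and the certificate's policy OIDs.
    Assumption (not stated on the page): when both an issuer list and a policy
    OID list are configured, the certificate must match one entry of each."""
    if cert["combination"] not in strength["allowedCombinations"]:
        return False
    if cert["combination"] not in config["appliesToCombinations"]:
        return True  # this configuration does not constrain that combination
    skis = config.get("allowedIssuerSkis")
    oids = config.get("allowedPolicyOIDs")
    issuer_ok = not skis or cert["issuer_ski"].upper() in {s.upper() for s in skis}
    oid_ok = not oids or any(o in oids for o in cert["policy_oids"])
    return issuer_ok and oid_ok


def tiers_satisfied(cert: dict) -> list:
    """Names of the tiers whose strength the certificate would satisfy."""
    hits = []
    for tier, pki in TIERS.items():
        config = build_cba_configuration([pki["issuer_ski"]], [pki["policy_oid"]])
        if certificate_satisfies(cert, build_strength(tier), config):
            hits.append(tier)
    return hits


def graph_post(path: str, body: dict, token: str) -> dict:
    """JSON POST to Graph; the token needs Policy.ReadWrite.AuthenticationMethod."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed variable; unset = dry run
    for tier, pki in TIERS.items():
        strength = build_strength(tier)
        config = build_cba_configuration([pki["issuer_ski"]], [pki["policy_oid"]])
        if token:
            created = graph_post("/policies/authenticationStrengthPolicies", strength, token)
            graph_post(f"/policies/authenticationStrengthPolicies/{created['id']}"
                       "/combinationConfigurations", config, token)
            print(tier, "->", json.dumps(build_ca_grant_controls(created["id"])))
        else:
            print(json.dumps({"strength": strength, "configuration": config}, indent=2))
    secret_card = {"combination": MFA_CERT,
                   "issuer_ski": TIERS["Secret"]["issuer_ski"],
                   "policy_oids": [TIERS["Secret"]["policy_oid"]]}
    print("Secret card satisfies:", tiers_satisfied(secret_card))
```

Run it without `GRAPH_TOKEN` to print the payloads; with a token that carries Policy.ReadWrite.AuthenticationMethod it creates the three strengths and prints the grant control to paste into a Conditional Access policy. One caveat the evaluator makes visible: whether a certificate counts as `x509CertificateMultiFactor` or `x509CertificateSingleFactor` is decided by the tenant's CBA authentication binding policy, not by the strength, so a certificate the binding policy treats as single-factor never satisfies an MFA-only strength regardless of its issuer or OID.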
