True Passwordless Login for Machines Joined to Microsoft Entra ID

Why Passwordless Authentication

Passwordless certificate-based authentication (CBA) lets users authenticate directly against Microsoft Entra ID, providing phishing-resistant, passwordless sign-in with certificates issued by their own trusted Public Key Infrastructure (PKI). Previously, certificate-based authentication had to be federated, which meant deploying Active Directory Federation Services (ADFS) to authenticate with certificates. Direct authentication with Microsoft Entra ID gives a phishing-resistant login whose signals can be verified by Conditional Access policies. Unlike ADFS, where login signals could be spoofed or the federation infrastructure itself compromised, direct passwordless authentication to Microsoft Entra ID offers tighter security.

Key benefits include:

  • CBA complies with M-19-17, which requires moving the digital identity provider to a centralized cloud-based identity management solution.
  • Direct authentication with Microsoft Entra ID eliminates reliance on a federated IdP (such as ADFS), removing a lateral movement path from Active Directory.
  • Microsoft Entra integrates with Hybrid and Microsoft Entra joined devices, offering a seamless Single Sign-On (SSO) experience after the MFA performed at Windows desktop and laptop device login, reducing MFA fatigue.
  • Improved and centralized sign-in information with Microsoft Entra Sign-in logs, including CBA credential details.
  • Eliminating passwords significantly reduces the risk of phishing attacks and credential theft. Kerberos provides strong authentication, ensuring that only authorized users can access sensitive resources.
  • Passwordless authentication simplifies the login process, reducing the need for users to remember and manage multiple passwords. This leads to a smoother, more efficient user experience.
  • The CodeB Credential Provider integrates seamlessly with Microsoft Entra ID, allowing organizations to adopt passwordless authentication without extensive modifications to their existing infrastructure.

Prerequisites

  1. A PKI environment.
  2. User certificates with UPN issued from the PKI.
  3. An internet accessible Certificate Revocation List (CRL).
  4. Entra ID joined devices.
  5. CodeB Credential Provider.

Step 1. Configure the certification authorities

  1. Sign in to the Microsoft Entra admin center as a Global Administrator.
  2. Browse to Protection > Show more > Security Center (or Identity Secure Score) > Certificate Authorities.
  3. To upload a CA, select Upload.
    • Select the CA file.
    • Select Yes if the CA is a root certificate, otherwise select No.
    • For Certificate Revocation List URL, set the internet-facing URL of the CA's CRL, which lists all certificates that CA has revoked. By default, Microsoft Entra ID CBA does not require the CRL URL to be set; if it is left empty, no CRL check is performed for certificates issued by that CA, so a revoked certificate from that CA would still be accepted.
    • For Delta Certificate Revocation List URL, set the internet-facing URL for the CRL that contains all revoked certificates since the last base CRL was published.
    • Select Add.
  4. Continue adding certificates until all root and intermediate certificates are uploaded.

Step 2. Enable CBA on the tenant

To enable the certificate-based authentication in the Microsoft Entra admin center, complete the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Browse to Protection > Authentication methods and select Certificate-based authentication.

Step 3. Configure the authentication binding policy

The authentication binding policy determines whether a certificate logon counts as single-factor or multifactor authentication. An Authentication Policy Administrator can change the tenant default from single factor to multifactor and configure custom policy rules that map certificates to a protection level by Issuer Subject, by Policy OID, or by the combination of Issuer Subject and Policy OID.

Each authentication binding rule maps a certificate attribute (Issuer, Policy OID, or Issuer and Policy OID) to a value and sets the protection level granted to certificates that match it. You can create multiple rules.
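As an added illustration of how binding rules resolve to a protection level (this is example code written for this page, not CodeB's or Microsoft's code): the CA name, the policy OID and the rule set are constructed placeholders, and the resolution order used here (the strongest matching rule wins, the tenant default applies when nothing matches) is this example's own simplification; Entra's actual precedence is defined in Microsoft's documentation.

```python
from dataclasses import dataclass
from typing import Optional

# The two protection levels an authentication binding rule can grant
SINGLE_FACTOR = "singleFactor"
MULTI_FACTOR = "multiFactor"


@dataclass(frozen=True)
class BindingRule:
    """A custom authentication binding rule.

    A rule names an issuer subject, a policy OID, or both; a certificate
    matches only when every named field agrees with the certificate.
    """
    protection_level: str
    issuer_subject: Optional[str] = None
    policy_oid: Optional[str] = None

    def __post_init__(self) -> None:
        if self.issuer_subject is None and self.policy_oid is None:
            raise ValueError("a rule must name an issuer subject, a policy OID, or both")
        if self.protection_level not in (SINGLE_FACTOR, MULTI_FACTOR):
            raise ValueError(f"unknown protection level {self.protection_level!r}")

    def matches(self, cert_issuer: str, cert_policy_oids: set) -> bool:
        if self.issuer_subject is not None and self.issuer_subject != cert_issuer:
            return False
        if self.policy_oid is not None and self.policy_oid not in cert_policy_oids:
            return False
        return True


def protection_level_for(cert_issuer, cert_policy_oids, rules, default_level):
    """Resolve the protection level for one certificate.

    Assumption of this example: when several rules match, the strongest
    level wins; when none match, the tenant default applies.
    """
    granted = {r.protection_level for r in rules
               if r.matches(cert_issuer, set(cert_policy_oids))}
    if not granted:
        return default_level
    return MULTI_FACTOR if MULTI_FACTOR in granted else SINGLE_FACTOR


# Constructed sample configuration (placeholder CA name and OID, not a real tenant)
ISSUING_CA = "DC=example,DC=contoso,CN=Contoso-Issuing-CA"
SMARTCARD_POLICY_OID = "1.2.3.4.5.6.7.8.9"  # placeholder policy OID for smart-card issuance
TENANT_DEFAULT = SINGLE_FACTOR
RULES = [
    # Smart-card certificates from our own CA count as multifactor
    BindingRule(MULTI_FACTOR, issuer_subject=ISSUING_CA, policy_oid=SMARTCARD_POLICY_OID),
    # Anything else from our CA (e.g. software certificates) stays single factor
    BindingRule(SINGLE_FACTOR, issuer_subject=ISSUING_CA),
]


def classify_sample_certs():
    """Evaluate three constructed certificates against RULES."""
    return {
        "smartcard_from_our_ca": protection_level_for(
            ISSUING_CA, {SMARTCARD_POLICY_OID}, RULES, TENANT_DEFAULT),
        "software_cert_from_our_ca": protection_level_for(
            ISSUING_CA, set(), RULES, TENANT_DEFAULT),
        # Same policy OID but a different issuer: the combined rule must not fire
        "same_oid_other_ca": protection_level_for(
            "CN=Some-Other-CA", {SMARTCARD_POLICY_OID}, RULES, TENANT_DEFAULT),
    }


if __name__ == "__main__":
    for name, level in classify_sample_certs().items():
        print(f"{name}: {level}")
```

The third sample is the reason to prefer a rule that combines Issuer Subject with Policy OID over an OID-only rule: a policy OID is just a number written into a certificate, while the issuer ties the rule to one of the CAs you uploaded in Step 1.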

To enable CBA and configure user bindings in the Microsoft Entra admin center, complete the following steps:

  1. From the Certificate-based authentication method screen, select Configure to set up authentication binding and username binding.

Note – The CertificateUserIds attribute, which holds the certificate-to-account mapping values and so determines your mapping strategy, can be found under the user's Authorization Info field.
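To show how those mapping values are read and matched, here is an added example written for this page (not CodeB's or Microsoft's code): it parses certificateUserIds values in the tagged X509: syntax Microsoft documents, checks that each value is well formed, and looks up which directory user a presented certificate would map to. The directory entries, certificate attributes, CA name and key identifiers are constructed placeholders, and the case-insensitive comparison is this example's own assumption.

```python
import re

# Tagged fields Microsoft documents for certificateUserIds values, e.g.
#   X509:<PN>bob@contoso.com
#   X509:<I>DC=com,DC=contoso,CN=Contoso-CA<S>CN=bob
#   X509:<SKI>0a1b2c...         X509:<SHA1-PUKEY>0a1b2c...
_TAG_RE = re.compile(r"<(PN|RFC822|S|I|SKI|SHA1-PUKEY)>")

# Tag combinations that form a complete mapping; <I> is only valid together with <S>
_VALID_SHAPES = ({"PN"}, {"RFC822"}, {"S"}, {"I", "S"}, {"SKI"}, {"SHA1-PUKEY"})

# Which certificate attribute each tag is compared against
_CERT_FIELD = {"PN": "upn", "RFC822": "email", "S": "subject",
               "I": "issuer", "SKI": "ski", "SHA1-PUKEY": "sha1_pukey"}


def parse_certificate_user_id(value: str) -> dict:
    """Split one certificateUserIds value into {tag: field}.

    Raises ValueError for anything that is not a well-formed X509: mapping.
    """
    prefix = "X509:"
    if not value.startswith(prefix):
        raise ValueError(f"missing {prefix} prefix in {value!r}")
    # re.split with a capturing group yields [text, tag, text, tag, text, ...]
    parts = _TAG_RE.split(value[len(prefix):])
    if parts[0] != "" or len(parts) < 3:
        raise ValueError(f"no recognised <TAG> directly after {prefix} in {value!r}")
    tags, values = parts[1::2], parts[2::2]
    if len(set(tags)) != len(tags):
        raise ValueError(f"repeated tag in {value!r}")
    fields = dict(zip(tags, values))
    if set(fields) not in _VALID_SHAPES or any(v == "" for v in fields.values()):
        raise ValueError(f"unsupported tag combination or empty field in {value!r}")
    return fields


def is_valid_certificate_user_id(value: str) -> bool:
    """Convenience wrapper: True if the value parses."""
    try:
        parse_certificate_user_id(value)
        return True
    except ValueError:
        return False


def value_matches_cert(fields: dict, cert: dict) -> bool:
    """True when every tagged field equals the matching certificate attribute.

    Case-insensitive comparison is an assumption of this example.
    """
    return all(cert.get(_CERT_FIELD[tag], "").lower() == val.lower()
               for tag, val in fields.items())


def find_users_for_certificate(users: dict, cert: dict) -> list:
    """Return the UPNs of every user whose certificateUserIds match the certificate.

    A clean mapping yields exactly one user; zero matches means the account is
    not mapped, and more than one is an ambiguous mapping that must be fixed.
    """
    matches = []
    for upn, ids in users.items():
        for value in ids:
            if not is_valid_certificate_user_id(value):
                continue  # malformed values never match anything
            if value_matches_cert(parse_certificate_user_id(value), cert):
                matches.append(upn)
                break
    return matches


# Constructed sample directory and certificate (placeholders, not real data)
DIRECTORY_USERS = {
    "bob@contoso.example": ["X509:<PN>bob@contoso.example"],
    "alice@contoso.example": ["X509:<I>DC=example,DC=contoso,CN=Contoso-Issuing-CA<S>CN=alice"],
    "svc-legacy@contoso.example": ["X509:<SKI>0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"],
    "broken@contoso.example": ["X509:<I>DC=example,DC=contoso,CN=Contoso-Issuing-CA"],  # <I> without <S>
}
PRESENTED_CERT = {
    "upn": "bob@contoso.example",
    "email": "bob@contoso.example",
    "subject": "CN=bob",
    "issuer": "DC=example,DC=contoso,CN=Contoso-Issuing-CA",
    "ski": "ffffffffffffffffffffffffffffffffffffffff",
    "sha1_pukey": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
}


if __name__ == "__main__":
    print(find_users_for_certificate(DIRECTORY_USERS, PRESENTED_CERT))
```

Running the block against the constructed directory maps the presented certificate to bob only; the value on the "broken" account is rejected by the parser because it carries an issuer without a subject, which is the kind of entry to look for when a user's certificate logon fails with an otherwise correct certificate.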

Step 4. Login with your certificate to test CBA

Join your machine to Microsoft Entra ID and log in with your configured user as shown in the video below. Questions? Just contact us.

Microsoft's how-to: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
