Conditional Access using Azure Active Directory CBA

The Azure Active Directory can now be utilised to provide conditional access to Office 365 apps by leveraging Certificate Based Authentication(CBA). This will further enhance security, avoid cyber threats like Phishing and adopt a pass-wordless authentication protocol.

How does it work?

Only devices that are compliant and actively managed in MDM can be configured with conditional access using certificates for Office 365 apps. By compliant we mean the devices which follow the policies and restrictions applied to it by the organisation it belongs to. First the certificate based authentication should be configured in the Entra ID(formerly Azure AD) portal. When a managed device tries to access any Office 365 apps like Microsoft word, it will use the client certificate pushed by the MDM for authentication.

Pre-requisites

1. You should have a PKI infrastructure like ADCS (with NDES role) or any 3rd party PKI for distributing and managing client certificates.
2. Only the Administrator in Azure can configure Certificate Based Authentication.

Steps

In order to configure O365 apps for conditional access the following steps need to be followed:

1. Configure Certificate-Based Authentication in Azure portal:

First the administrator has to configure certificate based authentication in Azure portal by following the steps in this link .

Note:

If you are using ADCS, then you can export the root CA certificate from the certificate authority management console, and upload it in the Entra ID(formerly Azure AD) Portal by navigating to Security > Certificate Authorities.

2. Adding Certificate Authorithy (CA)Template & SCEP profile in MDM:

Once you have setup certificate-based authentication in Azure, the CA server and SCEP template should be added in the MDM portal by following the steps described in this document :

Note:

The User Principal Name(UPN) of the user should be added in the certifcate's Subject or Subject Alternative Name fields .

3. Distribute SCEP profile to devices:

Lastly for distributing the SCEP profile, follow the steps given below :

• Navigate to Device Mgmt > Groups & Devices.
• Select the necessary group(s) with which the profile should be associated > Actions > Associate Profile > Select the Profile> click Associate

Note:

It is recommended to distribute the profile to a device for testing before distributing it to your production environment. Once testing is complete, you can distribute the profile to your production environment using Groups .

After completing the above steps, when the user tries to login into any of the Microsoft 365 apps like Microsoft Teams, Microsoft Outlook etc, they'll be asked to select the certificate instead of password as shown in the figures:

Points To Note

1. Once unmanaged, the device(s) stops getting access to Office 365 apps, except for iOS, Windows and Mac devices which will continue to get access, at least for 1 hour until the current session gets expired.