### YamlMime:FAQ
metadata:
title: Microsoft Entra CBA FAQ
description: Frequently asked questions and answers for Microsoft Entra certificate-based authentication (CBA).
ms.custom:
- no-azure-ad-ps-ref
- sfi-image-nochange
ms.topic: faq
ms.date: 03/04/2025
ms.reviewer: vimrang
title: Frequently asked questions about Microsoft Entra certificate-based authentication
summary: |
This article addresses frequently asked questions about how Microsoft Entra certificate-based authentication (CBA) works.
Check back for updated content.
sections:
- name: General
questions:
- question: |
Why don't I see an option to sign in to Microsoft Entra ID by using certificates after I enter my username?
answer: |
An administrator must turn on CBA for the tenant to make the option to sign in by using a certificate available to users. For more information, see [Step 3: Configure the authentication binding policy](how-to-certificate-based-authentication.md#step-3-configure-an-authentication-binding-policy).
- question: |
Where can I get more diagnostic information after a user sign-in fails?
answer: |
On the error page, select **More Details** for more information to help your tenant admin. The tenant admin can check the sign-in logs to investigate the error. For example, if a user certificate is revoked and is on the certification revocation list (CRL), authentication fails as intended.
- question: |
How do we turn on Microsoft Entra CBA?
answer: |
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with at least the [Authentication Policy Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) role assigned.
1. Go to **Entra ID** > **Authentication methods** > **Policies**.
1. Select the **Certificate-based authentication** policy.
1. On the **Enable and Target** tab, select **Enable**.
- question: |
Is Microsoft Entra CBA a free feature?
answer: |
Microsoft Entra CBA is a free feature.
Every edition of Microsoft Entra ID includes Microsoft Entra CBA.
For more information about features in each Microsoft Entra edition, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
- question: |
Does Microsoft Entra CBA support an alternate ID as the username instead of userPrincipalName?
answer: |
No. Currently, sign-in by using a non-UPN value, such as an alternate email, isn't supported.
- question: |
Can I have more than one CRL distribution point for a certificate authority?
answer: |
No, only one CRL distribution point (CDP) is supported per certificate authority (CA).
- question: |
Can I use a non-HTTP URL for a CDP?
answer: |
No. CDP supports only HTTP URLs.
- question: |
How do I find the CRL for a CA, or how do I troubleshoot the error "AADSTS2205015: The Certificate Revocation List (CRL) failed signature validation"?
answer: |
Download the CRL and compare it with the CA certificate to confirm that the `crlDistributionPoint` value is valid for the CA you want to add. A CRL maps to its CA when the subject key identifier (SKI) of the CA certificate matches the authority key identifier (AKI) of the CRL (CA SKI == CRL AKI).
The following table and figure show how to map information from the CA certificate to the attributes of the downloaded CRL.
| CA certificate info |= |Downloaded CRL info|
|----|:-:|----|
|Subject |=|Issuer |
|Subject Key Identifier (SKI) |=|Authority Key Identifier (KeyID) |
:::image type="content" border="false" source="./media/how-to-certificate-based-authentication/certificate-crl-compare.png" alt-text="Screenshot that compares CA certificate fields with CRL information.":::
- question: |
How do I validate the CA configuration?
answer: |
It's important to ensure that the certificate authority configuration in the trust store lets Microsoft Entra ID both validate the certificate authority trust chain and successfully acquire the certificate revocation list (CRL) from the configured certificate authority CRL distribution point (CDP). To assist with this task, install the [MSIdentity Tools](https://aka.ms/msid) PowerShell module and run [Test-MsIdCBATrustStoreConfiguration](https://github.com/AzureAD/MSIdentityTools/wiki/Test-MsIdCBATrustStoreConfiguration).
This PowerShell cmdlet reviews the Microsoft Entra tenant certificate authority configuration and surfaces errors and warnings for common misconfigurations.
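The following Python script is an added example; it's not part of this FAQ and not the MSIdentity Tools cmdlet referenced above. It applies the Subject/Issuer and SKI/AKI mapping rules from the CRL question and also verifies the CRL's signature with the CA's public key, which is the local analogue of the "can Entra acquire and validate the CRL" half of the trust-store check. It uses the third-party `cryptography` package and builds its own throwaway CA certificates and CRLs in memory so that it runs offline; every name and value in it is constructed.

```python
# Added example, not from the Microsoft docs page or the MSIdentity Tools module.
# Applies the FAQ's mapping rules (CA Subject == CRL Issuer, CA SKI == CRL AKI) and
# checks the CRL signature with the CA key, which is what a CRL must pass before
# a CBA trust store entry can use it. Requires the third-party `cryptography` package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtensionOID, NameOID


def check_crl_matches_ca(ca_pem: bytes, crl_pem: bytes) -> dict:
    """Report which of the FAQ's matching rules hold between a CA certificate and a CRL."""
    ca = x509.load_pem_x509_certificate(ca_pem)
    crl = x509.load_pem_x509_crl(crl_pem)

    # Subject Key Identifier of the CA certificate (left column of the FAQ table).
    ski = ca.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_KEY_IDENTIFIER
    ).value.digest
    # Authority Key Identifier (KeyID) of the CRL (right column); some CRLs omit it.
    try:
        aki = crl.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER
        ).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None

    result = {
        "subject_matches_issuer": ca.subject == crl.issuer,
        "ski_matches_aki": aki is not None and ski == aki,
        # A CRL signed by a different key fails here (the AADSTS2205015 condition).
        "signature_valid": crl.is_signature_valid(ca.public_key()),
    }
    result["ok"] = all(result.values())
    return result


def _make_ca_and_crl(common_name: str) -> tuple[bytes, bytes]:
    """Constructed fixture: a self-signed CA (with SKI) and an empty CRL it signs (with AKI)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(ski, critical=False)
        .sign(key, hashes.SHA256())
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(name)
        .last_update(now - timedelta(hours=1))
        .next_update(now + timedelta(days=7))
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(Encoding.PEM), crl.public_bytes(Encoding.PEM)


# Two unrelated constructed CAs: the CRL of one must not be accepted for the other.
CA_A_PEM, CRL_A_PEM = _make_ca_and_crl("Constructed Example CA A")
CA_B_PEM, CRL_B_PEM = _make_ca_and_crl("Constructed Example CA B")

if __name__ == "__main__":
    print("matching CA/CRL:", check_crl_matches_ca(CA_A_PEM, CRL_A_PEM))
    print("CRL from another CA:", check_crl_matches_ca(CA_A_PEM, CRL_B_PEM))
```

Against a real tenant, pass the CA certificate exported from the trust store and the CRL downloaded from its CDP (read both files as bytes) instead of the constructed pair. A CRL that carries no AKI extension reports `ski_matches_aki` as `False`; the `subject_matches_issuer` and `signature_valid` checks still tell you whether the CRL belongs to that CA.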
- question: |
Do changes to the authentication methods policy take effect immediately?
answer: |
The policy is cached. After a policy update, it might take up to an hour for the changes to take effect.
- question: |
Why do I see the CBA option after it fails?
answer: |
The authentication method policy always shows all available authentication methods to the user so that they can retry sign-in by using any method they prefer.
Microsoft Entra ID doesn't hide available methods based on the success or failure of a sign-in.
- question: |
Why does CBA loop after it fails?
answer: |
The browser caches the certificate after the certificate picker appears. If the user retries authentication, the cached certificate is automatically used. The user should close the browser, and then reopen a new session to try CBA again.
- question: |
Why doesn't identity proof to register other authentication methods appear as an option when I use single-factor certificates?
answer: |
A user is considered capable of multifactor authentication (MFA) when the user is in scope for CBA in the authentication methods policy. This policy requirement means that a user can't use identity proof as part of their authentication to register other available methods.
- question: |
How can I use single-factor certificates to complete MFA?
answer: |
We support single-factor CBA to get MFA. CBA single-factor with passwordless phone sign-in and CBA single-factor with FIDO2 are the two supported combinations to get MFA by using single-factor certificates.
For more information, see [MFA with single-factor certificates](~/identity/authentication/concept-certificate-based-authentication-technical-deep-dive.md#mfa-authentication-flow-by-using-single-factor-certificates-and-passwordless-sign-in).
- question: |
The certificateUserIds update fails because it's an existing value. How can an admin query all the user objects that have the same value?
answer: |
Tenant admins can run Microsoft Graph queries to find all the users that have a specific `certificateUserIds` value. For more information, see [`certificateUserIds` Graph queries](concept-certificate-based-authentication-certificateuserids.md#update-certificateuserids-using-microsoft-graph-queries).
For example, this command returns all user objects that have the value `[email protected]` in `certificateUserIds`:
```http
GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq '[email protected]')
```
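The following Python script is an added example, not part of this FAQ and not Microsoft Graph SDK code. It builds the `certificateUserIds` `$filter` shown above with correct OData and URL escaping (a single quote in a value such as a `CN=O'Brien` subject is doubled, and the `<`/`>` in an `X509:<PN>` value are percent-encoded), then walks every `@odata.nextLink` page so that a tenant with many matches isn't truncated at the first page. The HTTP call is injected as a function, and the responses used here are constructed sample data, so the script runs offline.

```python
# Added example, not from the Microsoft docs page or Microsoft Graph SDK code.
# Builds the certificateUserIds $filter from the FAQ with correct OData and URL
# escaping, then walks every @odata.nextLink page. The fetch function is injected so
# the same loop works with any HTTP client; the pages below are constructed data.
from typing import Callable
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def build_certificate_user_ids_query(value: str) -> str:
    """Return the Graph URL that lists users whose certificateUserIds contains `value`."""
    # OData string literals escape a single quote by doubling it (O'Brien -> O''Brien).
    literal = value.replace("'", "''")
    flt = f"certificateUserIds/any(x:x eq '{literal}')"
    # Percent-encode everything: the '<' and '>' in X509:<PN>... are not URL-safe.
    return (
        f"{GRAPH_USERS}?$filter={quote(flt, safe='')}"
        "&$select=id,userPrincipalName,certificateUserIds"
    )


def find_users_with_certificate_user_id(
    value: str, fetch_json: Callable[[str], dict]
) -> list[dict]:
    """Collect user objects across all result pages.

    `fetch_json(url)` performs an authenticated GET (for example with a bearer
    token from an admin's session) and returns the parsed JSON body.
    """
    url = build_certificate_user_ids_query(value)
    users: list[dict] = []
    while url:
        page = fetch_json(url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return users


# Constructed sample responses standing in for the Graph service (two pages).
_DUPLICATE_VALUE = "X509:<PN>alice@contoso.example"
_PAGE_2_URL = "https://graph.microsoft.com/v1.0/users?$skiptoken=constructed-page-2"
_CONSTRUCTED_PAGES = {
    "first": {
        "value": [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "userPrincipalName": "alice@contoso.example",
                "certificateUserIds": [_DUPLICATE_VALUE],
            },
        ],
        "@odata.nextLink": _PAGE_2_URL,
    },
    _PAGE_2_URL: {
        "value": [
            {
                "id": "00000000-0000-0000-0000-000000000002",
                "userPrincipalName": "alice.old@contoso.example",
                "certificateUserIds": [_DUPLICATE_VALUE, "X509:<SKI>0123456789abcdef"],
            },
        ],
    },
}


def _fake_fetch(url: str) -> dict:
    """Stand-in for an HTTP client; any URL other than the next-page link gets page 1."""
    return _CONSTRUCTED_PAGES.get(url, _CONSTRUCTED_PAGES["first"])


if __name__ == "__main__":
    print(build_certificate_user_ids_query(_DUPLICATE_VALUE))
    for user in find_users_with_certificate_user_id(_DUPLICATE_VALUE, _fake_fetch):
        print(user["userPrincipalName"], user["id"])
```

With two user objects carrying the same `certificateUserIds` value, the second is the one whose binding must be removed or changed before the update on the first succeeds; listing both with their `id` values is what the admin needs to decide which.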
- question: |
Can Microsoft Entra CBA be used on Microsoft Surface Hub?
answer: |
Yes. CBA works out of the box for most combinations of smart card and smart card reader.
If a particular smart card and reader combination requires additional drivers, you must install those drivers before you can use that combination on Surface Hub.
additionalContent: |
## Related content
If your question isn't answered here, see the following related articles:
* [Overview of Microsoft Entra CBA](concept-certificate-based-authentication.md)
* [Microsoft Entra CBA technical concepts](concept-certificate-based-authentication-technical-deep-dive.md)
* [Microsoft Entra CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
* [Microsoft Entra CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
* [Set up Microsoft Entra CBA](how-to-certificate-based-authentication.md)
* [Windows smart card sign-in by using Microsoft Entra CBA](concept-certificate-based-authentication-smartcard.md)
* [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
* [Migrate federated users](concept-certificate-based-authentication-migration.md)