This is a ”quick & dirty” way to enable essential testing of Azure AD CBA in test environments. Do not use this method in production environments, this is only for security testing of the feature, and relies on self-signed certificates that are not published via CRL.
Pre-requisites
- The user configuring the service needs to have both Azure AD Roles: GA and Authentication Policy Administrator
- Create single group which is assigned to authentication methods, ensure the user in the group is referenced in ’openSSL.conf’ as per under altNames in the example, for the CSR.
This will create cert that looks like this:
- Create config file as per ’openSSL.conf’
- Run the scripts below in part setup.sh
- Below is example picture:
Setup (scripts below)
- Upload the root certificate
rootCA.certo Azure AD
- Please note that we select to leave the CRL settings empty, this will result in revokations not being checked as per following documentation ”If the trusted CA doesn’t have a CRL configured, Azure AD won’t perform any CRL checking, revocation of user certificates won’t work, and authentication won’t be blocked.”
Attach this user to authentication methods via the configured group
- Configure CBA for single and or multi-factor auth
Setup in bash or bash cloud shell
Had to consult google and chatGPT to do this quickly enough (without proper PKI setup)
openSSL.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = shantic@thx.dewi.red
[ usr_cert ]
subjectAltName = @alt_names
[ alt_names ]
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:shantic@thx.dewi.red
setup.sh
# Configuration file path
CONFIG_FILE="openSSL.conf"
# Step 1: Generate a private key for the root certificate
openssl genpkey -algorithm RSA -out rootCA.key -pkeyopt rsa_keygen_bits:2048
# Step 2: Create the root certificate with Santa Claus's DN info
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/C=FI/ST=Dewi2Lapland/L=Rovaniemi/O=Santa Claus CTO Office/OU=Gift Production/CN=santaclausDewi2"
# Convert the root certificate to DER format
openssl x509 -outform der -in rootCA.pem -out rootCA.cer
# Step 3: Generate a private key for the user
openssl genpkey -algorithm RSA -out userkey.pem -pkeyopt rsa_keygen_bits:2048
# Step 4: Create a certificate signing request (CSR) for the user using the configuration file
openssl req -new -key userkey.pem -out usercsr.pem -config ${CONFIG_FILE}
# Step 5: Sign the CSR with the root certificate, creating the client certificate
openssl x509 -req -in usercsr.pem -CA=rootCA.pem -CAkey=rootCA.key -CAcreateserial -out usercert.pem -days 365 -extfile ${CONFIG_FILE} -extensions usr_cert
# Convert the user certificate to DER format
openssl x509 -outform der -in usercert.pem -out usercert.cer
# Step 6: Export the user certificate and private key to a PKCS#12 (.pfx) file
openssl pkcs12 -export -out usercert.pfx -inkey userkey.pem -in usercert.pem
Confirm the test
- The cert is typically prompted, but I had some scenarios where it was automatically selected, in these scenarios it is worth checking that there are no previously signed-in sessions etc.
- You can confirm also the sign-in logs to display the X.509 certificate as sign-in method
Troubleshooting
After enabling the setting, you might have delay of 30-60 mins before the authentication method works. Also bare in mind, that you need ensure you’re authentication strenghts align with CBA if you have configured that setting in CA.
Also you might see a situation where CBA is not accepted for MFA, this might be due to some delay or conflict of CA policies.
- If still having trouble (and you suspect it is not the delay) While not making much sense, you can re-enforce the setting for single and multifactor auth without actually changing the settings. Re-enforcing will still refresh the setting against graph, by selecting any of the settings in gui and choosing ’save’
If you plan to use the cert in IOS, copy the user cert in password protected PFX to the ioDrive. Dont install the rootCA profile, so to ensure that cert will not be trusted for any other purposes
SecureCloudBlog 
can you do a Step-by-Step YouTube video on this ????
Please & Thanks.
TykkääTykkää
Sorry for let reply. I will put this to my to-do list but can commit to any specific time. Will update as soon as I do something. Not sure it will be high quality, but I am may narrate an setup and do some quick editing with clipchamp
TykkääTykkää
Hello,
This article was so helpful! Thank you so much. You mention that this method should not be used in production environments, could you elaborate on that?
TykkääLiked by 1 henkilö
You are welcome !
To elaborate on why this method might not be suitable for production: while the runtime security of Certificate-Based Authentication (CBA) is solid, the test in this blog solution lacks several key elements required for a production-ready environment.
The solution lacks managed Certificate Revocation List (CRL). Without a CRL, there’s no automated mechanism to revoke certificates, which is crucial for maintaining security over time. While you could technically run the script on a management server and manually publish a CRL, this approach would still lack the automation, governance, and monitoring provided by a full-fledged PKI solution.
Additionally, while compliance and governance might not directly impact runtime security, there are aspects like logging and full auditing, and some agreed processes on key renewals that would not be necessary covered by this script.
For a production environment, it might best to use a managed PKI.
TykkääTykkää