Office365/Azure AD Cert Based Auth with ADFS (Federated)

Microsoft have now released (14th December 2016) certificate based authentication into Office365 and AzureAD

Office365 Cert based auth config
STEP 1
CBA for iOS and Android

STEP 2
Get started with certificate-based authentication in Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started

STEP 3
Enable Exchange Online for modern authentication

Skype for Business Online: Enable your tenant for modern authentication

STEP 4
Configure a new Exchange ActiveSync config in MobileIron Core Server, point the Server Address to outlook.office365.com, and get the certificate from an internal Microsoft CA or the Core CA Server

For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.

Using Office 365 modern authentication with Office clients

How modern authentication works for Office 2013 and Office 2016 client apps

Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies: Things to know before onboarding

FAQ
Q: If we configure cert based auth in Azure AD will it still accept basic auth?
A: Yes, it still can accept Basic auth, and EAS clients as well

Q: Cert based auth for Office365 apps (OneDrive etc) says to enter username and then select a certificate to use, does this option only present once the Azure AD & ADFS configurations are in place for Office365?
A: Yes. Federation services is a requirement. Also, CBA requires Modern Auth, which requires ADFS (or an STS).

Q: Can Office365 apps use the same x509 identity certificate on the iOS/Android OS that is installed via the MDM solution or does the certificate have to be pushed out tied to the specific Office365 app?
A: Microsoft Engineer needs to double check with an Office SME (Update to be provided)
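The SAN requirement in STEP 4 above (the user's routable Exchange Online address as the RFC822 Name or Principal Name of the Subject Alternative Name) is easy to get wrong when the certificate template comes from an internal CA. The following is an added example, not code from this thread, MobileIron or Microsoft, that reads an exported client certificate and reports whether its SAN carries the expected address and whether the certificate is currently valid. The certificate path and the address are placeholders; it assumes Windows PowerShell, because the text labels produced by `Format()` for the SAN extension are the Windows (English-language) ones.

```powershell
# Added example (not from the original thread). Verifies that an Exchange
# ActiveSync client certificate carries the user's routable Exchange Online
# address as an RFC822 Name or Principal Name (UPN) in the Subject Alternative
# Name, which is the value Azure AD matches against the directory.
# $CertPath and $ExpectedAddress are placeholders supplied by the caller.

function Test-EasClientCertSan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertPath,         # exported .cer (DER or Base64) from the issuing CA
        [Parameter(Mandatory)] [string] $ExpectedAddress   # the user's SMTP/proxy address in Exchange Online
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # The Subject Alternative Name extension has OID 2.5.29.17
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1

    $rfc822Names    = @()
    $principalNames = @()
    if ($sanExt) {
        # Format($true) renders one SAN entry per line on Windows, for example:
        #   RFC822 Name=user@contoso.com
        #   Other Name:
        #        Principal Name=user@contoso.com
        $sanText = $sanExt.Format($true)
        $rfc822Names    = @([regex]::Matches($sanText, 'RFC822 Name=(\S+)')    | ForEach-Object { $_.Groups[1].Value })
        $principalNames = @([regex]::Matches($sanText, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }

    # -contains is case-insensitive, which is what we want for an e-mail address
    $addressMatches = @($rfc822Names + $principalNames) -contains $ExpectedAddress
    $now            = Get-Date
    $inValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    if (-not $sanExt)            { $result = 'FAIL: no Subject Alternative Name extension' }
    elseif (-not $addressMatches) { $result = "FAIL: SAN does not contain $ExpectedAddress" }
    elseif (-not $inValidity)     { $result = 'FAIL: certificate is outside its validity period' }
    else                          { $result = 'PASS' }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Rfc822Names    = $rfc822Names
        PrincipalNames = $principalNames
        AddressMatches = $addressMatches
        InValidity     = $inValidity
        Result         = $result
    }
}

# Example call with placeholder values (constructed, not from the thread):
# Test-EasClientCertSan -CertPath 'C:\temp\user.cer' -ExpectedAddress 'user@contoso.com'
```

Run it against a certificate issued from the template you intend to push with MobileIron before rolling it out to devices. Because Azure AD maps the RFC822 value to the Proxy Address attribute, the address you pass as `-ExpectedAddress` should be one that is actually present on the user's mailbox (primary SMTP or a proxy address); a certificate whose SAN carries an address the mailbox does not have will pass TLS but fail the directory lookup.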


Just a note: on iOS, certificates pushed by MDM are part of the Apple Keychain Access group and can only be accessed by Apple applications (i.e. Mail, Safari, etc.).

For 3rd party apps to access client certs the certificates have to be imported into the Application Keychain Access group by the application itself.

More info here:

Q: If we configure cert based auth in Azure AD will it still accept basic auth?
A: Yes, it still can accept Basic auth, and EAS clients as well

Wondering if anybody has tried excluding BASIC auth after getting CBA working? A common on-prem scenario is to use CBA to ensure only managed devices can sync mail, so wondering if CBA to Office365 can be used to achieve something similar? From the reading I’ve done it looks like it might be a runner, but it’s not clear so would love somebody to have tried it and say yay/nay.

Is anybody else trying to configure Windows 10 Mobile and Exchange online using the default email app?
Is there an option that can force the device to authenticate with a certificate and not redirect the user to the ADFS page (example attached) where he can enter username+password or choose a cert?
Thanks!