Merge pull request #241910 from vimrang/patch-35

Update concept-certificate-based-authentication.md

Author: prmerger-automator[bot]

articles/active-directory/authentication/concept-certificate-based-authentication.md

@@ -72,6 +72,10 @@ The following scenarios aren't supported:
 - Configuring other certificate-to-user account bindings, such as using the **Subject**, **Subject + Issuer** or **Issuer + Serial Number**, aren’t available in this release.
 - Password as an authentication method cannot be disabled and the option to sign in using a password is displayed even with Azure AD CBA method available to the user.
 
+## Known Limitation with Windows Hello For Business certificates
+
+- While Windows Hello For Business (WHFB) can be used for multi-factor authentication in Azure AD, WHFB is not supported for fresh MFA. Customers may choose to enroll certificates for your users using the WHFB key pair.  When properly configured, these WHFB certificates can be used for multi-factor authentication in Azure AD. WHFB certificates are compatible with Azure AD certificate-based authentication (CBA) in Edge and Chrome browsers; however, at this time WHFB certificates are not compatible with Azure AD CBA in non-browser scenarios (e.g. Office 365 applications). The workaround is to use the "Sign in Windows Hello or security key" option to sign in (when available) as this option does not use certificates for authentication and avoids the issue with Azure AD CBA; however, this option may not be available in some older applications.
+
 ## Out of Scope
 
 The following scenarios are out of scope for Azure AD CBA: