articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Lines changed: 33 additions & 1 deletion
@@ -72,9 +72,41 @@ Now we'll walk through each step:
72
72
1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in.
73
73
1. If the user sign-in is successful, the user can access the application.
74
74
75
+
## Certificate-based authentication is MFA capable
76
+
77
+
Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to proof up to register other authentication methods when the user is in scope for CBA.
78
+
79
+
This can happen when:
80
+
81
+
If CBA enabled user only has a Single Factor (SF) certificate
82
+
To unblock user:
83
+
1. Use Password + SF certificate.
84
+
1. Issue Temporary Access Pass (TAP)
85
+
1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
86
+
87
+
If CBA enabled user but has not yet been issued a certificate
88
+
To unblock user:
89
+
1. Issue Temporary Access Pass (TAP)
90
+
1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
91
+
92
+
If CBA enabled user cannot use MF cert (such as on mobile device without smart card support)
93
+
To unblock user:
94
+
1. Issue Temporary Access Pass (TAP)
95
+
1. User Register another MFA method (when user can use MF cert)
96
+
1. Use Password + MF cert (when user can use MF cert)
97
+
1. Admin adds Phone Number to user account and allows Voice/SMS method for user
98
+
99
+
100
+
75
101
## MFA with Single-factor certificate-based authentication
76
102
77
-
Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
103
+
Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are
104
+
105
+
CBA (first factor) + passwordless phone sign-in (PSI as second factor)
106
+
CBA (first factor) + FIDO2 security keys
107
+
Password (first factor) + CBA (second factor)
108
+
109
+
Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
78
110
79
111
>[!IMPORTANT]
80
112
>A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)
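Review bot: The rewritten opening sentence of the "MFA with Single-factor certificate-based authentication" section states that Azure AD CBA "can be used as a second factor to meet MFA requirements with single-factor certificates", but two of the three combinations listed directly beneath it ("CBA (first factor) + passwordless phone sign-in" and "CBA (first factor) + FIDO2 security keys") have CBA as the first factor, so the sentence contradicts its own list; either keep the deleted wording ("Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates") or say CBA can serve as either factor, and fix "combintaions". The three combination lines carry no list marker and are separated only by the surrounding blank lines, and in the new "Certificate-based authentication is MFA capable" section each scenario line ("If CBA enabled user only has a Single Factor (SF) certificate", "If CBA enabled user but has not yet been issued a certificate", "If CBA enabled user cannot use MF cert ...") is immediately followed by "To unblock user:" with no blank line, so Markdown will render each pair as one run-on paragraph; prefix the combinations with `- ` and make each scenario a bold lead-in followed by a blank line. Smaller points: "in advance to signing in" should read "before signing in", "Multi factor authentication" should be "multifactor authentication", and the unchanged IMPORTANT note below still reads "registerd".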