This article covers supported and unsupported scenarios for Microsoft Entra certificate-based authentication.
Supported scenarios
The following scenarios are supported:
- User sign-ins to web browser-based applications on all platforms.
- User sign-ins to Office mobile apps, including Outlook, OneDrive, and so on.
- User sign-ins on mobile native browsers.
- Support for granular authentication rules for multifactor authentication by using the certificate issuer Subject and policy OIDs.
- Configuring certificate-to-user account bindings by using any of the certificate fields:
  - Subject Alternate Name (SAN) PrincipalName and SAN RFC822Name
  - Subject Key Identifier (SKI) and SHA1PublicKey
- Configuring certificate-to-user account bindings by using any of the user object attributes:
  - User Principal Name
  - onPremisesUserPrincipalName
  - CertificateUserIds
Unsupported scenarios
The following scenarios aren't supported:
- Public Key Infrastructure for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices.
- Certificate Authority hints aren't supported, so the list of certificates that appears for users in the UI isn't scoped.
- Only one CRL Distribution Point (CDP) for a trusted CA is supported.
- The CDP can be only HTTP URLs. We don't support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.
- Other certificate-to-user account bindings, such as Subject + Issuer or Issuer + Serial Number, aren't available in this release.
- Currently, passwords can't be disabled when CBA is enabled, and the option to sign in with a password is still displayed.
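The binding fields listed under supported scenarios and the CDP limits above (one CDP, HTTP URLs only) can be checked before a certificate is enrolled. The following Go program is an added example, not code from the article or from Microsoft: it reads the SAN RFC822Name, SKI and a public-key hash from a parsed certificate and flags CDP configurations the article says aren't supported. It assumes SHA1PublicKey means SHA-1 over the DER SubjectPublicKeyInfo (verify against your own tooling), and it does not decode the SAN PrincipalName otherName, which crypto/x509 does not expose; the test certificate it builds is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)

// Inspect returns the certificate-side binding values from the article, keyed by its
// field names, and whether the CRL Distribution Points meet its limits: at most one
// CDP, HTTP URLs only (no OCSP/LDAP). SAN PrincipalName is not decoded by crypto/x509.
func Inspect(cert *x509.Certificate) (map[string]string, bool) {
	sum := sha1.Sum(cert.RawSubjectPublicKeyInfo)
	values := map[string]string{
		"RFC822Name":    strings.Join(cert.EmailAddresses, ","),
		"SKI":           hex.EncodeToString(cert.SubjectKeyId),
		"SHA1PublicKey": hex.EncodeToString(sum[:]), // assumption: SHA-1 over DER SubjectPublicKeyInfo
	}
	cdpOK := len(cert.CRLDistributionPoints) <= 1
	for _, u := range cert.CRLDistributionPoints {
		cdpOK = cdpOK && strings.HasPrefix(strings.ToLower(u), "http://")
	}
	return values, cdpOK
}

// NewTestCert builds a constructed self-signed certificate (SAN RFC822Name, CDP URLs, fixed SKI).
func NewTestCert(email string, cdps []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		EmailAddresses:        []string{email},
		CRLDistributionPoints: cdps,
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run `Inspect` over certificates from your own PKI to see which binding values they carry and whether their CDP would be rejected.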
Supported operating systems
| Operating system | Certificate on-device/Derived PIV | Smart cards |
|---|---|---|
| Windows | ✅ | ✅ |
| macOS | ✅ | ✅ |
| iOS | ✅ | Supported vendors only |
| Android | ✅ | Supported vendors only |
Supported browsers
| Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Microsoft Edge certificate on-device | Microsoft Edge smart card |
|---|---|---|---|---|---|---|
| Windows | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| macOS | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| iOS | ❌ | ❌ | ✅ | Supported vendors only | ❌ | ❌ |
| Android | ✅ | ❌ | N/A | N/A | ❌ | ❌ |
Note
On iOS and Android mobile, Microsoft Edge browser users can sign in to Microsoft Edge to set up a profile by using the Microsoft Authentication Library (MSAL), like the Add account flow. When signed in to Microsoft Edge with a profile, CBA is supported with on-device certificates and smart cards.
Smart card providers
| Provider | Windows | macOS | iOS | Android |
|---|---|---|---|---|
| YubiKey | ✅ | ✅ | ✅ | ✅ |