Azure AD Certificated Based Authentication Deep-Dive
Вставка
- Опубліковано 2 бер 2023
- Azure AD Certificated Based Authentication Deep-Dive
This session will teach you how to set up certificate-based authentication in your Azure AD tenant. You will learn the following:
00:37 How CBA works and why it is phishing resistant
09:15 How to create and store certificates
24:45 How to enable Azure AD to trust our certificates
27:40 How to configure the certificate user mapping and authentication strength
SUBSCRIBE and KEEP LEARNING
Please add comments, and let's build a community of Identity Geeks together
Join me for an intense 5-day masterclass on Azure AD Identity
learn.xtseminars.co.uk - Наука та технологія
I like anyone who goes back and edits in missing information afterwards (e.g. 'along with their public key' comment at 2:50). That shows thorough attention to detail and an awareness of the perspective of learners. Thanks very much.
Thank for the comments Eric! I always try and make the videos as clear as possible - so it's great to hear when I have succeeded.
The way you explain things makes life around Azure so much easier !
Thank you! Your comment is much appreciated
This was just ... well ... fantastic! Thanks a lot, I learnt a lot from this.
Thank for letting me know - I am glad you found it useful
Probably the best videos on Azure right now, even more clearly explained than Microsofts own articles available on the web, thank you Sir for your valuable time and effort in making all this great technical contents, hope to see a lot lot more in the near future
Thanks Supriyo, Comments like yours make it all worthwhile!
I couldn't agree more with this sentiment! John should just be the default auth explainer on all Microsoft technical docs!
@@steveng.42 Many thanks for your comment Steve, much appreciated!
@@john_craddocknice video John. I have just one question if we have Root ca, intermidiate ca and issuing ca, the do we need to upload all of those three certificates?
With the SKI the smartcards could be anonymous and even pre-issued, that’s quite neat in addition to the high affinity. Is there an drawback if you don’t have attributes (for this specific Entra ID Login case)
excellent video, thanks for this
Thanks Damien for letting me know!
When using windows Keystore, it should use the cryptong rsa provider, as it uses credential isolation. And potential even tpm, but I am not sure how to enforce this.
Awesome session John 🎉
Thanks Andy - Along way to go before I join the ranks of a UA-cam master like you!
@@john_craddock you’ll get there my friend 👍😊
Hi John, thanks for video! Appreciate you taking the time to make and share this content. Can you tell me what the app is you are using to dump the token claims and test various login experiences? It’s at 5:57 (OpenID Connect & OAuth 2.0 demo). I would like to use this to do some of my own setup and testing but can’t find it.
Hi @holodray2269, thanks for the feedback. The app is something I put together for my identity masterclass. I don't make it freely available. However if you join the class you get a copy of it an more! learn.xtseminars.co.uk
Thanks John, As per your commitment in one of the videos to make one video per week but I didn't see many uploaded recently. Can you please clarify when you gonna upload videos on other Authentication and Authorization methods. Thank you 😊
Hi Abdul, That was an ambitious commitment and now I'm embarrassed! Unfortunately I got completely committed to a customer project. However, I am now trying to get back on-track with the videos. I already have a video on authentication methods ua-cam.com/video/lajeFoCr2KM/v-deo.html. What content are you looking for?
Thanks John for replying on my message. I want to have some series on Application Registration and Enterprise Application.
@@abdulmananclasses.7793 It's on my list, Hopefully in the next couple of months!
Hi John, thank you so much for you video. Can you explain how to create the other certificate templates, like CBAUserSetName and others, I'm a little confused in that step. Thank you so much.
Sorry for the late reply. Please give me time on the video that you are asking about
Very informative
Glad it was helpful!
Thanks for the awesome content as usual. Why can't we use CBA as second factor option like Auth app or U2F fido2 keys? I see CBA listed as MFA option once CBA is enabled but it fails when used. Is it by design or it is due to other issues with certificate. if by design, then MS should not show CBA as MFA option.
Hi @anuj_rana, thanks for the feedback. CBA can be used as a sign in for 1st Factor or 1 & 2 factor combined. So a cert tagged with the appropriate OID is considered strong auth. I think the assumption is that if the org is issuing strong auth certs then the admins have taken the appropriate steps to make sure that those certs are only issued to devices that secure them with a second factor (biometric or pin). I hope that helps!
up to last 5 minutes is correct, MFA is rather misleading, bindings to SKI or OIDs within CBA are still single factored,
Hi Mihran, It is the organization that is designating that a particular certificate type (correct OID) can be treated as multifactor. For this to be true multifactor, the org will need to make sure that those certificate type are only issued to certificate storage (smartcard or similar) that require a PIN or biometric. I am sorry if that wasn't clear - Many thanks for your feedback
Would like to see video how this type of authentication can be used for automation tasks (service principals)
Hi Gregory, With a workload identity, the preferred way of setting it up is to use a signed JWT assertion and this uses an X509 cert for signing and validation. Workload identities are something I will be covering in the future. My list is getting longer!
What if you have users in an Azure Only environment without any server?
You will require a PKI to issue your certificates
Awesome video sir. How to enroll certificate to yubikey and use it for authentication.?
Thanks @Sathish. I'm glad you enjoyed it!
This is completely irrelevant for modern cloud based Microsoft 365 Entra
I am not quite sure why you say that. I agree if you don't want to use CBA, then it may not be relevant to you, but it is certainly not irrelevant to everyone.
On-prem is going away.
@@john_craddock