Enable the CBA Authentication Method in Entra ID

1. Sign into the Entra ID as a Global administrator.

2. Select Entra ID from the left menu.

3. Select Security > Authentication methods.

4. Select Certificate-based authentication.

5. Set ENABLE to Yes.

6. Optionally, set TARGET to an Entra ID group by clicking Select users > Add users and groups.

Tip

If you created a group called Axiad Cloud Users during the SAML setup, then you can use that group for this step.

7. Click the Configure tab.

8. Set Protection Level to Multi-factor authentication.

   1. This setting allows CBA authentications to fulfill multi-factor authentication (MFA) requirements, such as a conditional access policy that requires the user to MFA during authentication.

IMPORTANT

If you leave this setting set to Single-factor authentication, then users cannot sign into Entra ID if there is a requirement for MFA. Currently, Entra ID does not support using CBA authentication with any additional MFA methods.

9. Optionally, set the Username binding settings to meet your specific use case.

Tip

You can use the Username binding settings to customize how certificates are mapped to users.

Example
You can map a certificate's SubjectKeyIdentifier or SHA1PublicKey to a user's certificateUserIds attribute, which is similar to how the altSecurityIdentities attribute works with on-prem Active Directory.

10. Click Save.

11. CBA authentication is now enabled in your Entra ID environment.

WARNING

• The first CBA login to Entra ID (Office 365) may fail as it can take up to 30 minutes for Microsoft to download the CRLs.

• Microsoft does not attempt to download the CRLs until the first CBA authentication, so you must attempt a CBA authentication to Entra ID from a web browser. If it fails, then wait approximately 30 minutes and try again.

• If you see errors after the second attempt, then contact Axiad support.