December 3, 2023

Microsoft has removed a major hindrance faced by organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

Microsoft certificate-based authentication promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It’s a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices, using security keys from Yubico, without requiring IT to install user certificates on those devices.

This authentication capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with the Executive Order on Improving the Nation’s Cybersecurity.

Beyond federal agencies and contractors, preventing MFA bypass attacks has become crucial to all enterprises. MFA relay attacks escalated this year and continue to grow in 2023.

With this availability, organizations can use the cloud-based version of Active Directory to require users to log in directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them against the organization’s public key infrastructure (PKI) using X.509 certificates. The X.509 certificate makes these applications resistant to phishing because each user and device holds its own unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. The new implementation removes the last major blocker for organizations that want to move all their identities to the cloud.

Microsoft’s release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico’s YubiKey.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile.

Users must install their personal identity verification (PIV) credential on the key independently of the Azure solution. Administrators can then deploy Microsoft’s latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.
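The enforcement step described above, as an added example written for this page rather than code from the article or from Microsoft: it creates a custom authentication strength that accepts only a multifactor X.509 certificate (a PIV credential on a YubiKey) or a FIDO2 key, then binds it to a Conditional Access policy in report-only mode. It assumes the Microsoft Graph PowerShell module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope, and the group and break-glass account ids are placeholders you replace.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the
# Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Weak setting, for contrast: the built-in "Multifactor authentication"
# strength (id 00000000-0000-0000-0000-000000000002) still accepts push and
# SMS, both of which an MFA relay can capture. The built-in
# "Phishing-resistant MFA" strength (id 00000000-0000-0000-0000-000000000004)
# is the minimum to require instead; the custom strength below is narrower.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = "CBA or FIDO2 only"
    description         = "Multifactor X.509 certificate or FIDO2 key; no phishable factors"
    allowedCombinations = @("x509CertificateMultiFactor", "fido2")
}

# Placeholders: pilot group object id and an emergency-access account to
# exclude so a PKI or key outage cannot lock administrators out.
$pilotGroupId      = "<PILOT-GROUP-OBJECT-ID>"
$breakGlassUserId  = "<BREAK-GLASS-USER-OBJECT-ID>"

# Report-only first: the sign-in logs then show who would have been blocked
# (users with no PIV credential or key enrolled) before the policy is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require certificate-based or FIDO2 authentication (pilot)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

Write-Host "Strength $($strength.Id) bound to policy $($policy.Id) (report-only)"
```

Switch `state` to `enabled` only after the report-only sign-in logs show no unexpected failures for the pilot group.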
