
Support for user certificate authentication in Azure AD

I'm searching for public/private key-based authentication for users with Azure Active Directory but can't find any hints in Azure AD Authentication Scenarios. Every user should bring his own key pair. Any suggestions on how to achieve it?

Azure AD supports OAuth 2.0 to authorize third-party apps, and OAuth 2.0 supports acquiring the token using the app's client credentials.

There are two ways to acquire the token for the client credential flow. The first is using the keys generated by the Azure portal, as in the figure below: (image not reproduced)

And here is a figure about the token request using the key (client_secret): (image not reproduced)

Another way is using the cert. Technically speaking, the cert is a pair of public/private keys. We will store the information of the public key with the app. When we need to prove we are the owner of the third-party app, we sign the message with the private key and Azure AD will verify the message with the public key.

To store the cert information with the app, we need to change the manifest of the app. Here are the detailed steps to use a self-signed certificate from here:

1. Generate a self-signed certificate:

makecert -r -pe -n "CN=MyCompanyName MyAppName Cert" -b 03/15/2015 -e 03/15/2017 -ss my -len 2048

2. Open the Certificates MMC snap-in and connect to your user account.

3. Find the new certificate in the Personal folder and export the public key to a base64-encoded file (for example, mycompanyname.cer). Your application will use this certificate to communicate with AAD, so make sure you retain access to the private key as well.

Note: You can use Windows PowerShell to extract the thumbprint and base64-encoded public key. Other platforms provide similar tools to retrieve properties of certificates.

4. From the Windows PowerShell prompt, type and run the following:

# Load the exported public certificate (the .cer file from step 3) and derive the manifest values
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("mycer.cer")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)        # becomes "value" in keyCredentials
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)   # becomes "customKeyIdentifier"
$keyid = [System.Guid]::NewGuid().ToString()                 # becomes "keyId"

5. Store the values for $base64Thumbprint, $base64Value and $keyid, to be used when you update your application manifest in the next set of steps. Using the values extracted from the certificate and the generated key ID, you must now update your application manifest in Azure AD.

6. In the Azure Management Portal, select your application and choose Configure in the top menu.

7. In the command bar, click Manage manifest and select Download Manifest.


8. Open the downloaded manifest for editing and replace the empty keyCredentials property with the following JSON:

"keyCredentials": [
  {
    "customKeyIdentifier": "$base64Thumbprint_from_above",
    "keyId": "$keyid_from_above",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "$base64Value_from_above"
  }
],

9. Save your changes and upload the updated manifest by clicking Manage manifest in the command bar, selecting Upload manifest, browsing to your updated manifest file, and then selecting it.

And below is the figure about the token request using the cert: (image not reproduced)

In the article above, the client_assertion is generated from scratch. We can also use the ADAL library to help us authenticate a daemon app:

// Requires the ADAL package (namespace Microsoft.IdentityModel.Clients.ActiveDirectory) plus
// using System; using System.Threading.Tasks; using System.Security.Cryptography.X509Certificates;
static async Task<string> GetAccessTokenWithCertAsync(string tenant, string clientId, string resource, string thumbprint)
{
    string authority = $"https://login.microsoftonline.com/{tenant}";

    // Load the certificate, including its private key, from the current user's Personal store
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    X509Certificate2Collection fcollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
    store.Close();
    if (fcollection.Count == 0)
        throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser\\My");
    X509Certificate2 cert = fcollection[0];

    // ADAL builds and signs the client_assertion JWT with the certificate's private key
    var certCred = new ClientAssertionCertificate(clientId, cert);
    var authContext = new AuthenticationContext(authority);
    // Let failures surface to the caller rather than swallowing them and then dereferencing a null result
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, certCred);
    return result.AccessToken;
}

And if you want to use the cert to authorize for the OAuth 2.0 code grant flow, you can also refer to the code sample here.
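An added example in Go (not from the answer, the linked article or ADAL) of what "generate the client_assertion from scratch" means: build the RS256-signed JWT whose x5t header is the same SHA-1 thumbprint that step 4 stores as customKeyIdentifier, then verify it the way Azure AD does with the public key from keyCredentials. The tenant, client ID, jti and certificate are constructed placeholders.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
	"time"
)
func SelfSignedCert() (*rsa.PrivateKey, []byte) { // stands in for makecert: throwaway key and cert (fixture, errors ignored)
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}
// ClientAssertion builds the JWT sent as client_assertion instead of client_secret. Its x5t header is the
// base64url SHA-1 of the DER cert, the same bytes step 4 stores as customKeyIdentifier in the manifest.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, tenant, jti string) (string, error) {
	x5t := sha1.Sum(certDER)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": base64.RawURLEncoding.EncodeToString(x5t[:])})
	now := time.Now().Unix()
	claims, _ := json.Marshal(map[string]interface{}{ // jti must be unique per request, so the caller supplies it
		"aud": "https://login.microsoftonline.com/" + tenant + "/oauth2/token",
		"iss": clientID, "sub": clientID, "jti": jti, "nbf": now, "exp": now + 600})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion does what Azure AD does with the keyCredentials public key: re-hash header.payload and check the RSA signature.
func VerifyAssertion(jwt string, certDER []byte) bool {
	parts := strings.Split(jwt, ".")
	cert, err := x509.ParseCertificate(certDER)
	if len(parts) != 3 || err != nil {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

The assertion is posted as client_assertion with client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer in place of client_secret; Azure AD picks the keyCredentials entry by x5t and rejects the token if the signature or the aud/exp claims do not check out.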

If you're looking for a programmatic method to authenticate users (not apps) in Azure AD using certificates, this is not currently possible.

It is possible to do certificate-based authentication in AD FS (e.g.), and it is possible to federate authentication for users from Azure AD to AD FS. However, this requires the overhead of Windows Server AD, Azure AD Connect and AD FS, and I don't think the federated authentication can be achieved in a programmatic way (i.e. without prompting the user to choose a certificate).
