Configure certificate-based access in Entra ID with Conditional Access certificates

In this topic, you will find instructions on how to enable and configure certificate-based access (CBA) in Microsoft Entra ID and use Conditional Access certificates managed by Portnox AgentP for safe and quick Entra ID authentication.

Important: This application access configuration uses certificates to make subsequent logins easier and safer, but it does not provide all of the benefits of Portnox Conditional Access. The role of AgentP in this setup is only to install/uninstall the certificate. This configuration does not use AgentP to evaluate the device for risks.

Download the tenant CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal and convert it to the DER encoded binary X.509 format that is required by Entra ID.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, click on the Download link, then save the downloaded file.

    The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.pfx.

  4. In Windows, right-click on the downloaded file and select Open from the context menu.

    The file will be opened in the Windows certificate manager.

  5. In the certificate manager window, open the Certificates section in the left-hand pane and then double-click on Portnox - Portnox CLEAR in the right-hand side pane.

  6. In the Certificate window, click on the Details tab and then click on the Copy to File button.

  7. In the Certificate Export Wizard, export the certificate in the DER encoded binary X.509 format.

    1. In the first step of the wizard, click on the Next button.
    2. In the second step of the wizard, select the DER encoded binary X.509 (.CER) option.
    3. In the third step of the wizard, select a file to save the exported tenant CA certificate, and click on the Next button.

      For example, save the file as tenantCertificate.cer.

    4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
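The same conversion can be done from PowerShell instead of the Certificate Export Wizard, which is useful when you need to repeat it or want to confirm that the exported file really is the self-signed tenant CA and not another entry in the .pfx. The script below is an added example and is not part of the Portnox documentation; it assumes the downloaded .pfx has no import password (pass one in $PfxPassword if it does) and that the file names match your download location.

```powershell
# Added example (not from the Portnox documentation): export the tenant CA
# certificate from the downloaded .pfx to DER (.cer) and check that the
# exported entry is a self-signed CA certificate, which is what Entra ID
# expects when 'Is root CA certificate' is set to Yes.
# Assumptions: no import password on the .pfx, and the paths below.
param(
    [string]$PfxPath     = "$HOME\Downloads\Portnox - Portnox CLEAR.pfx",
    [string]$OutPath     = "$HOME\Downloads\tenantCertificate.cer",
    [string]$PfxPassword = ''
)

function Test-IsCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Basic Constraints (OID 2.5.29.19) is what marks a certificate as a CA.
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return ($null -ne $bc -and $bc.CertificateAuthority)
}

# A .pfx can carry more than one certificate, so load them all and pick the
# self-signed CA rather than assuming the first entry is the right one.
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($PfxPath, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$tenantCa = $collection | Where-Object {
    (Test-IsCaCertificate $_) -and ($_.Subject -eq $_.Issuer)
} | Select-Object -First 1

if (-not $tenantCa) {
    throw "No self-signed CA certificate found in $PfxPath"
}

# X509ContentType::Cert exports only the public certificate, DER encoded:
# the 'DER encoded binary X.509 (.CER)' format the wizard produces.
$der = $tenantCa.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutPath, $der)

# Values to compare with the entry shown later in the Certificate authorities pane.
[PSCustomObject]@{
    Subject    = $tenantCa.Subject
    Thumbprint = $tenantCa.Thumbprint
    NotAfter   = $tenantCa.NotAfter
    Output     = $OutPath
    Bytes      = $der.Length
}
```

Run it in a Windows PowerShell or PowerShell 7 session on the machine where you downloaded the file; the thumbprint it prints is the one you can match against the certificate authority entry after uploading it to Entra ID.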

Add the downloaded tenant certificate to Entra ID

In this step, you will access your Azure Portal and add the downloaded certificate to your Entra ID configuration as a root certificate authority.

  1. Open your Azure Portal dashboard.
  2. In the Azure Portal main menu, click on the Microsoft Entra ID option.

    You can access the main menu by clicking on the icon in the top left corner of the Azure Portal.

  3. In the left-hand side menu, scroll down to the bottom of the Manage section, and then click on the Security option.

  4. In the left-hand side menu, in the Manage section, click on the Certificate authorities option.

  5. In the Certificate authorities pane, click on the Upload button.

  6. In the Upload certificate file pane, click on the 🗀 icon and select the downloaded tenant certificate file that you converted to the DER binary X.509 format. In the Is root CA certificate section, select the Yes option, and then click on the Add button.

Result: You added the tenant certificate as a certificate authority in Entra ID.

Enable certificate-based authentication in Entra ID

In this step, you will enable the certificate-based authentication functionality in Entra ID, configure it to verify user certificates based on the added certificate authority, and enable this functionality for users.

  1. In the left-hand side menu, in the Manage section, click on the Authentication methods option.

  2. In the left-hand side menu, make sure that the Policies option is selected.

  3. In the Policies pane, click on the Certificate-based authentication link in the Method column.

  4. In the Certificate-based authentication settings pane, in the Enable and Target tab, activate the Enable switch. Then, in the section below, select the user groups that will be using certificate-based authentication, and click on the Save button.

    Warning: We recommend that you initially test this functionality with a group of users before enabling it for all users. If you configure this functionality incorrectly, users may be unable to log in.

  5. In the Configure tab, in the Protection Level field, select the Multi-factor authentication option, and then click on the Add rule button below.

  6. In the Add authentication binding policy rule pane, activate the Certificate issuer checkbox, and in the Certificate issuer identifier field, select the identifier of the certificate authority that you added earlier. In the Authentication strength section, select the Multi-factor authentication option. In the Affinity binding section, select the Low option. Then, click on the Add button.

  7. In the Certificate-based authentication settings pane, click on the Save button.

Test the certificate-based authentication

In this section, you will log in to Microsoft 365 as one of the users that you configured for certificate-based authentication (CBA).

  1. Make sure that AgentP is installed and running on your test machine, and that you are enrolled in AgentP as the user that you will use to sign in to Microsoft 365.
  2. Log in to Microsoft 365 by clicking on the following link: https://www.office.com/login.
  3. Sign in as the same user that is enrolled in your AgentP and that you configured for certificate-based authentication.

  4. You should see a certificate selection window. Select the certificate for the user, and then click on the OK button.

    Note: Depending on how you configured the priority of authentication methods in Entra ID, you may see a prompt to enter a password. If so, click on the Other ways to sign in link, and then select the Use a certificate or smart card option.

Result: If the test is successful, you will be logged in to Microsoft 365.
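Before running the sign-in test, it helps to confirm on the test machine that AgentP has actually installed a user certificate that Entra ID can accept for CBA. The script below is an added example and is not part of the Portnox documentation; it assumes that AgentP places the user certificate in the current user's Personal store (Cert:\CurrentUser\My), that the certificate is issued directly by the tenant CA (no intermediate CA), and that the tenant CA .cer file is the one exported earlier.

```powershell
# Added example (not from the Portnox documentation): pre-flight check of the
# user certificate AgentP installed, against the requirements a CBA sign-in
# relies on: issued by the tenant CA, valid now, private key present, and the
# Client Authentication extended key usage.
# Assumptions: certificate is in Cert:\CurrentUser\My and issued directly by
# the tenant CA whose DER file is at $TenantCaPath.
param(
    [string]$TenantCaPath = "$HOME\Downloads\tenantCertificate.cer"
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$tenantCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TenantCaPath)

function Get-CbaCandidateCertificates {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca)
    $now = Get-Date
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        [PSCustomObject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            IssuedByTenant = ($cert.Issuer -eq $Ca.Subject)
            ValidNow       = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            HasPrivateKey  = $cert.HasPrivateKey
            ClientAuthEku  = $hasClientAuth
            NotAfter       = $cert.NotAfter
        }
    } | Where-Object { $_.IssuedByTenant }
}

$candidates = Get-CbaCandidateCertificates -Ca $tenantCa
if (-not $candidates) {
    Write-Warning "No certificate issued by '$($tenantCa.Subject)' found in Cert:\CurrentUser\My. Check that AgentP is running and that you are enrolled as the test user."
} else {
    $candidates | Format-Table -AutoSize
    $ready = $candidates | Where-Object { $_.ValidNow -and $_.HasPrivateKey -and $_.ClientAuthEku }
    if (-not $ready) {
        Write-Warning "A tenant-issued certificate exists but is outside its validity period, has no private key, or lacks the Client Authentication EKU; the sign-in will not offer it."
    }
}
```

If the table shows a certificate with all four checks true, the certificate selection window in the sign-in test should list it; if the issuer check fails, compare the Subject printed when you exported the tenant CA with the Issuer of the certificate AgentP installed.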