
Microsoft Changes Direction on ADFS with Certificate-Based Authentication Preview

Microsoft announced a public preview of certificate-based authentication (CBA) for Azure Active Directory in a Monday announcement.

The CBA preview likely spells the end for Microsoft's Active Directory Federation Service (ADFS). ADFS is a Windows Server role that's typically used by organizations to federate with the Azure AD service. The use of a federated identity provider, like ADFS, used to be a requirement for Azure AD authentications with X.509 certificates. However, ADFS won't be needed when CBA is used.

CBA lets organizations authenticate with Azure AD using X.509 certificates without having to use any federation service.

"Azure AD CBA eliminates the need for federated AD FS, which helps simplify customer environments and reduce costs," Microsoft stated in an "Overview" document.

Organizations get the following benefits using CBA and Azure AD, per the document:

  • No need for complex on-premises deployments or network configuration.
  • Directly authenticate against Azure AD.
  • No management overhead or cost.

Additionally, CBA will be free with all Azure AD subscriptions, including the free Azure AD accounts.

'Phishing-Resistant' Compliance
The use of Azure AD with CBA enables "phishing-resistant" authentications, allowing organizations to comply with the Biden administration's recent Executive Order 14028, Microsoft argued. The order is directed toward the security practices of federal agencies.

The CBA preview is available to both public users and government users. It'll work with the personal identity verification (PIV) and common access card (CAC) "smart cards" that typically are used by government organizations for identity and access management.

End users signing in to Azure AD with CBA enabled are prompted to sign in with a certificate rather than a password. If an end user isn't "in scope for CBA," then the authentication will fail.
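The sign-in decision described above (certificate presented directly to the identity service, bound to a user, and failing closed for anyone not in scope) is modelled here as an added example; it is not Microsoft's code and makes no claim about how Azure AD CBA is implemented internally. It assumes a hypothetical tenant policy that trusts one issuing CA and binds certificates to users through the rfc822Name SAN; the CA, user list and certificates are constructed in-process with Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Directory is a constructed stand-in for the tenant's user list: UPN -> in scope for CBA.
type Directory map[string]bool

// Policy is the hypothetical tenant CBA configuration: trusted issuing CAs plus the directory.
type Policy struct {
	Roots *x509.CertPool
	Users Directory
}

// Authenticate validates the presented leaf against the trusted CAs, binds it to a user
// via its rfc822Name SAN, and fails closed when that user is not in scope. No password
// fallback exists; the caller only gets a UPN on full success.
func (p Policy) Authenticate(leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", fmt.Errorf("unparseable certificate: %w", err)
	}
	// Chain, validity period and client-auth EKU are all checked by Verify.
	opts := x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	// Username binding: exactly one rfc822Name SAN, used as the candidate UPN.
	if len(leaf.EmailAddresses) != 1 {
		return "", errors.New("certificate must carry exactly one rfc822Name SAN")
	}
	upn := leaf.EmailAddresses[0]
	inScope, known := p.Users[upn]
	if !known {
		return "", fmt.Errorf("no user bound to %q", upn)
	}
	if !inScope {
		return "", fmt.Errorf("user %q is not in scope for CBA", upn)
	}
	return upn, nil
}

// issue signs tmpl with signer under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// Fixture holds a constructed CA, a policy trusting only that CA, and one leaf per scenario.
type Fixture struct {
	Policy                                Policy
	GoodLeaf, OutLeaf, RogueLeaf, Expired []byte
}

func NewFixture() Fixture {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Contoso Issuing CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, _ := x509.ParseCertificate(issue(caTmpl, nil, &caKey.PublicKey, caKey))
	rogueTmpl := *caTmpl
	rogueTmpl.SerialNumber, rogueTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Untrusted CA (constructed)"}
	rogue, _ := x509.ParseCertificate(issue(&rogueTmpl, nil, &rogueKey.PublicKey, rogueKey))
	// leaf issues a client-auth certificate carrying email as its rfc822Name SAN.
	leaf := func(serial int64, email string, parent *x509.Certificate, signer *ecdsa.PrivateKey, nb, na time.Time) []byte {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		return issue(t, parent, &userKey.PublicKey, signer)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ok := []time.Time{now.Add(-time.Hour), now.Add(time.Hour)}
	return Fixture{
		Policy:    Policy{Roots: roots, Users: Directory{"alice@contoso.example": true, "bob@contoso.example": false}},
		GoodLeaf:  leaf(10, "alice@contoso.example", ca, caKey, ok[0], ok[1]),
		OutLeaf:   leaf(11, "bob@contoso.example", ca, caKey, ok[0], ok[1]),
		RogueLeaf: leaf(12, "alice@contoso.example", rogue, rogueKey, ok[0], ok[1]),
		Expired:   leaf(13, "alice@contoso.example", ca, caKey, now.Add(-48*time.Hour), now.Add(-24*time.Hour)),
	}
}

func main() {
	f := NewFixture()
	for name, der := range map[string][]byte{"good": f.GoodLeaf, "out-of-scope": f.OutLeaf, "rogue-ca": f.RogueLeaf, "expired": f.Expired} {
		upn, err := f.Policy.Authenticate(der)
		fmt.Printf("%-13s upn=%q err=%v\n", name, upn, err)
	}
}
```

The four scenarios show what a defender should expect from a certificate-only path: only the leaf from the trusted CA bound to an in-scope user yields a UPN, while an untrusted issuer, an expired certificate and an out-of-scope user all fail with a distinct reason and no fallback to another factor.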

Did ADFS Have Issues?
ADFS may have been too complex to use, and it was notably abused in espionage attacks last year.

Microsoft may have developed CBA because of last year's widespread espionage attacks by the Nobelium (also called "Solorigate") group associated with Russia, which tapped into government and industry organizations. One of the avenues of those attacks was ADFS, which was abused to generate Security Assertion Markup Language (SAML) tokens and access Exchange Online e-mail traffic. This "golden SAML" approach allowed the attackers to bypass multifactor authentication and access any federated application, according to forensic analysis by security solutions company FireEye.

Shortly after the Nobelium attacks, Microsoft had suggested that organizations had just misconfigured ADFS, leading to the exploits. However, onlookers, such as security solutions firm CrowdStrike, had bluntly described ADFS as having "architectural limitations."

When I asked Alex Weinert, director of identity security at Microsoft, if ADFS were insecure to use, he replied in a July 14 Twitter post that cloud authentication was a better security approach. If organizations were to use ADFS, though, they should also use a hardware security module (HSM) with it, as described in this Microsoft document, Weinert had indicated back then.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
