EntraID Cert-Based-Authentication questions
Posted by Elexwiz@reddit | sysadmin | 7 comments
Quick question. We are looking at cert-based authentication for admins in our M365 tenant. We are 100% cloud-based in M365. Do we still need to deploy a proper PKI environment, inside Azure or AWS, to manage the certs? Or can we use the cert provider's (DigiCert, etc.) URL for cert verification and CRL checks?
I know Microsoft offers their Cloud PKI, but that seems to be for endpoints only, not users and not devices that are not joined to the tenant.
kero_sys@reddit
https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-overview
altodor@reddit
Is there any reason that FIDO tokens like YubiKey won't work for your use case? Those are effectively smartcard certificates, and require PIN to utilize. They're cheap, native, and don't need boatloads of infrastructure and knowledge to use.
Elexwiz@reddit (OP)
Nope, that would work for user authentication. We are trying to stay away from additional 3rd-party services if possible. If it's a choice between using FIDO tokens or Keytos (as u/Ok-Manufacturer-4239 mentions below), or building a PKI infra, then we go with the 3rd-party service.
altodor@reddit
If it would work for you and you're trying to avoid 3rd party services, why would you pick a 3rd party service over it? I'm confused.
Elexwiz@reddit (OP)
Because I was initially hoping I could use the Entra Cert-Based Authentication (CBA) without additional infra. I initially thought I could buy a cert pack (root, intermediate, and maybe issuing certs) from a company like DigiCert, upload it to Entra, then authenticate until the cows come home. I should have provided some more background in the initial post.
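The "buy a cert pack, upload it to Entra" plan boils down to handing Entra each CA certificate together with an internet-reachable HTTP CRL URL for it, which is where the OP's CRL question comes in. The following is an added example, not code from the thread or from Microsoft: it builds a throwaway root and issuing CA with the Python `cryptography` library, pulls the CRL distribution point out of each certificate, and assembles entries in the shape of the Microsoft Graph `certificateAuthority` resource (`isRootAuthority`, `certificate`, `certificateRevocationListUrl`, `deltaCertificateRevocationListUrl`). The CA names and CRL URLs are constructed, the field names are as this example's author understands the Graph schema, the rule "non-root CAs must carry an HTTP CRL" is this example's own pre-upload check, and the upload call itself is not shown.

```python
"""Turn a CA chain into Entra ID CBA trusted-CA entries, with a CRL sanity check.

Constructed example: the root and issuing CA are generated in memory; the
dict keys mirror the Microsoft Graph `certificateAuthority` resource as this
example's author understands it (assumption), and nothing is uploaded.
"""
import base64
import datetime
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def _make_ca(common_name, issuer_cert=None, issuer_key=None, crl_url=None):
    """Create a CA certificate; self-signed when no issuer is given (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    signer = issuer_key if issuer_key is not None else key
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if crl_url:
        # CRL Distribution Points extension: where relying parties fetch this CA's CRL.
        builder = builder.add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(crl_url)],
                    relative_name=None, reasons=None, crl_issuer=None,
                )
            ]),
            critical=False,
        )
    return builder.sign(signer, hashes.SHA256()), key


def crl_urls(cert):
    """Return every URI found in the certificate's CRL Distribution Points."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    urls = []
    for dp in ext.value:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return urls


def is_self_signed(cert):
    """A root CA is its own issuer; everything else is an intermediate/issuing CA."""
    return cert.subject == cert.issuer


def entra_ca_entry(cert):
    """Build one trusted-CA entry for Entra CBA from a CA certificate.

    Pre-upload check (this example's rule): a non-root CA must publish an
    http(s) CRL, because that is the CA whose issued user certificates Entra
    has to check for revocation, and it can only fetch CRLs over HTTP.
    An LDAP-only or missing CDP is flagged before anything is uploaded.
    """
    http_urls = [u for u in crl_urls(cert) if urlparse(u).scheme in ("http", "https")]
    root = is_self_signed(cert)
    if not root and not http_urls:
        raise ValueError(f"{cert.subject.rfc4514_string()}: no HTTP CRL distribution point")
    der = cert.public_bytes(serialization.Encoding.DER)
    return {
        "isRootAuthority": root,
        "certificate": base64.b64encode(der).decode("ascii"),  # base64 DER, as Graph expects
        "certificateRevocationListUrl": http_urls[0] if http_urls else None,
        "deltaCertificateRevocationListUrl": None,
    }


def build_chain_entries():
    """Constructed root + issuing CA, mirroring a purchased two-tier 'cert pack'."""
    root, root_key = _make_ca("Example Root CA", crl_url="http://crl.example.test/root.crl")
    issuing, _ = _make_ca("Example Issuing CA", root, root_key,
                          crl_url="http://crl.example.test/issuing.crl")
    return [entra_ca_entry(root), entra_ca_entry(issuing)]


if __name__ == "__main__":
    for entry in build_chain_entries():
        print({k: (v[:24] + "..." if k == "certificate" else v) for k, v in entry.items()})
```

Run it and the two entries print with the root flagged `isRootAuthority: True` and each carrying its HTTP CRL URL; swap the issuing CA's CRL for an `ldap://` URL and `entra_ca_entry` refuses it, which is the failure you want to hit on your workstation rather than at the first admin sign-in.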
altodor@reddit
If you're dead set on CBA, use a 3rd-party service. PKI is a complete pain in the ass to manage, even with a 3rd party handling all your secrets and the issuing.
But I'd seriously warn you against it and to consider FIDO2 as a modern and simple replacement. Honestly, looking at Keytos it looks like they exist to extract money from you for replicating Entra-native features, and the iconography suggests they're literally just putting your PKI on yubikeys (FIDO2 tokens) anyway.
Ok-Manufacturer-4239@reddit
There are also providers like Keytos that do all of it for you and integrate directly into Entra ID.