EntraID Cert-Based-Authentication questions
Posted by Elexwiz@reddit | sysadmin | 5 comments
Quick question. We are looking at cert-based authentication for admins in our M365 tenant. We are 100% cloud-based in M365. Do we still need to deploy a proper PKI environment, inside Azure or AWS, to manage the certs? Or can we use the cert provider's (DigiCert, etc.) URL for cert verification and CRL checks?
I know Microsoft offers their Cloud PKI, but that seems to be for endpoints only, not users and not devices that are not joined to the tenant.
altodor@reddit
Is there any reason that FIDO tokens like YubiKey won't work for your use case? Those are effectively smartcard certificates, and require a PIN to use. They're cheap, native, and don't need boatloads of infrastructure and knowledge to use.
Elexwiz@reddit (OP)
Nope, that would work for user authentication. We are trying to stay away from additional 3rd-party services if possible. If it's a choice between using FIDO tokens or Keytos (as u/Ok-Manufacturer-4239 mentions below), or building a PKI infra, then we go with the 3rd-party service.
altodor@reddit
If it would work for you and you're trying to avoid 3rd party services, why would you pick a 3rd party service over it? I'm confused.
Elexwiz@reddit (OP)
Because I was initially hoping I could use Entra Cert-Based Authentication (CBA) without additional infra. I initially thought I could buy a cert pack (root, intermediate, and maybe issuing certs) from a company like DigiCert, upload it to Entra, then authenticate until the cows come home. I should have provided some more background in the initial post.
Ok-Manufacturer-4239@reddit
There are also providers like Keytos that do all of it for you and integrate directly into Entra ID.