What is CBA with federation? about entra-docs HOT 4 CLOSED

@LijuV-MSFT
Thanks for your feedback! We will investigate and update as appropriate.

from entra-docs.

@LijuV-MSFT Certificate-based authentication (CBA) with federation is a method of authentication that allows users to authenticate with Azure Active Directory (Azure AD) using a client certificate on a Windows, Android, or iOS device when connecting to Microsoft mobile applications such as Microsoft Outlook and Microsoft Word, as well as Exchange ActiveSync (EAS) clients.

Federation in this context refers to the use of a federated identity provider (IdP) such as Active Directory Federation Services (AD FS) to authenticate users. With CBA and federation, the client certificate is validated by the federated IdP, which then issues a security token that is sent to Azure AD for validation.

In contrast, native CBA allows users to authenticate directly with X.509 certificates against their Azure AD for applications and browser sign-in, without the need for a federated IdP.

The authentication flow for CBA with federation involves the following steps:

1. The user presents their client certificate to the federated IdP for validation.
2. The federated IdP issues a security token that includes the user's identity and other claims.
3. The security token is sent to Azure AD for validation.
4. Azure AD validates the security token and issues an access token that can be used to access the requested resource.

I hope this helps clarify things for you! Let me know if you have any further questions.

from entra-docs.

@LijuV-MSFT Certificate-based authentication (CBA) with federation is a method of authentication that allows users to authenticate with Azure Active Directory (Azure AD) using a client certificate on a Windows, Android, or iOS device when connecting to Microsoft mobile applications such as Microsoft Outlook and Microsoft Word, as well as Exchange ActiveSync (EAS) clients.

Federation in this context refers to the use of a federated identity provider (IdP) such as Active Directory Federation Services (AD FS) to authenticate users. With CBA and federation, the client certificate is validated by the federated IdP, which then issues a security token that is sent to Azure AD for validation.

In contrast, native CBA allows users to authenticate directly with X.509 certificates against their Azure AD for applications and browser sign-in, without the need for a federated IdP.

The authentication flow for CBA with federation involves the following steps:

1. The user presents their client certificate to the federated IdP for validation.
2. The federated IdP issues a security token that includes the user's identity and other claims.
3. The security token is sent to Azure AD for validation.
4. Azure AD validates the security token and issues an access token that can be used to access the requested resource.

I hope this helps clarify things for you! Let me know if you have any further questions.

Thank you, @SaibabaBalapur-MSFT ; yes, this makes it much clearer... Any chance you can add this to the document?

from entra-docs.

@LijuV-MSFT I will check internally with the document author. As of now, we are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.

from entra-docs.