Azure AD CBA on iOS and Android via the YubiKey gives admins the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user’s mobile device.
November 2, 2022 Zachary Comeau
Microsoft is releasing the public preview of Azure Active Directory (AD) Certificate-based Authentication (CBA) on iOS and Android devices using certificates on hardware security keys from Yubico.
The company first announced the general availability of Azure AD CBA during Ignite 2022 as part of the company’s commitment to President Joe Biden’s executive order on improving the U.S.’s cybersecurity, and now the feature is available in preview on iOS and Android using the YubiKey.
According to Microsoft, the feature is designed for bring-your-own-device (BYOD) environments, giving admins the ability to require phishing-resistant multifactor authentication on mobile without having to provision certificates on the user’s mobile device.
Vimala Ranganathan, product manager on Microsoft Entra, says in a blog that the feature is compliant with the executive order, which requires phishing-resistant MFA on all device platforms.
“On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is mainly feasible for managed mobile devices,” Ranganathan says. “But this new public preview unlocks support for BYOD.”
Customers can now provision certificates on a hardware security key, which can then be used for authentication with Azure AD on iOS and Android devices, according to Ranganathan.
“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method,” Ranganathan writes in the blog.
All browser-based web apps and native apps, including Microsoft first-party apps using the latest Microsoft Authentication Library (MSAL), support Azure AD CBA with YubiKey on mobile devices. Azure AD CBA with YubiKey is also supported with the brokered authentication flow using the latest Microsoft Authenticator (Android or iOS/iPadOS) for all apps that are not already on the latest MSAL, the Entra product manager says.
As a one-time registration step on iOS, the user needs to use the Yubico Authenticator for iOS app to copy the YubiKey’s public certificate into the iOS keychain. The private part of the smartcard certificate never leaves the YubiKey, Ranganathan notes.
To sign in, users can select the YubiKey certificate from the certificate picker, either insert the YubiKey or tap an NFC-enabled YubiKey, enter the PIN via YubiKey Authenticator, and finish the authentication flow.
On Android, Azure AD CBA support is enabled via the latest MSAL, and the YubiKey Authenticator app is not a requirement for Android support. Users can plug in their YubiKey via USB, initiate Azure AD CBA, select the certificate from the YubiKey, enter their PIN and get authenticated into the application, according to Microsoft.