Configure certificate-based authentication

Early Access release

Certificate-based authentication for Office 365 allows users to securely authenticate to their hybrid or pure Azure AD-Joined devices using a smart card, providing a unified single sign-on (SSO) experience across all supported Microsoft applications.

This feature provides the following benefits:

  • Seamless single sign-on: Users who sign in with smart cards on hybrid or pure Azure AD-Joined devices have an SSO experience across browsers and thick clients for Office 365 apps.

  • Controlled authentication methods: Admins can restrict users to specified authentication methods, such as PIV/CAC cards, for both device sign-in flows and access to Microsoft apps, which enhances security.

  • Integrated certificate validation: Admins can allow users to sign in to their Hybrid/Azure AD-Joined devices with their assigned certificates, with those certificates validated seamlessly through Okta and Azure.

Before you begin

Verify that you have fulfilled the following conditions before enabling certificate-based authentication for the Office 365 application.

Start the task

Certificate-based authentication is a two-step process.

  1. Add an authentication policy rule.

  2. Enable certificate-based authentication on the Microsoft Office 365 app.

Add an authentication policy rule

  1. In the Admin Console, go to Applications > Applications.

  2. Select the Office 365 app where you want to enable certificate-based authentication.

  3. Click the Sign On tab and scroll down to the User authentication section.

  4. Click view policy details.

  5. Click Add Rule.

  6. Enter a Rule Name.

  7. Configure IF conditions. These conditions specify when the rule is applied.

    IF               Description
    AND Client is    Select One of the following clients, and then select Certificate Based Authentication. Optionally, you can select other clients along with certificate-based authentication.

  8. Configure THEN conditions. These conditions specify how authentication is enforced.

    THEN                               Description
    AND User must authenticate with    Any 1 factor type or Any 2 factor types
    AND Authentication methods         Ensure that the Smart Card Authenticator is included as one of the authentication methods.

  9. Click Save.

Enable certificate-based authentication on the Microsoft Office 365 app

  1. In the Admin Console, go to Applications > Applications.

  2. Select the Microsoft Office 365 app.

  3. Click the Sign On tab and then click Edit.

  4. Scroll down to Certificate Based Authentication, and then click Enable for this application.

  5. Click Save.

Related topics

Microsoft Office 365

Add an authentication policy rule

Configure the Smart Card authenticator