Azure AD Certificated Based Authentication Deep-Dive

John Craddock Identity and Access Training

Подписаться 2,8 тыс.

Просмотров 5 тыс.

50% 1

Azure AD Certificated Based Authentication Deep-Dive
This session will teach you how to set up certificate-based authentication in your Azure AD tenant. You will learn the following:
00:37 How CBA works and why it is phishing resistant
09:15 How to create and store certificates
24:45 How to enable Azure AD to trust our certificates
27:40 How to configure the certificate user mapping and authentication strength
SUBSCRIBE and KEEP LEARNING
Please add comments, and let's build a community of Identity Geeks together
Join me for an intense 5-day masterclass on Azure AD Identity
learn.xtseminars.co.uk

Наука

Опубликовано:

2 мар 2023

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 43

@parindas127 Год назад

The way you explain things makes life around Azure so much easier !

@john_craddock Год назад

Thank you! Your comment is much appreciated

@SpaceMonkey23101 9 месяцев назад

I like anyone who goes back and edits in missing information afterwards (e.g. 'along with their public key' comment at 2:50). That shows thorough attention to detail and an awareness of the perspective of learners. Thanks very much.

@john_craddock 9 месяцев назад

Thank for the comments Eric! I always try and make the videos as clear as possible - so it's great to hear when I have succeeded.

@Marco-jf8jo 9 месяцев назад

This was just ... well ... fantastic! Thanks a lot, I learnt a lot from this.

@john_craddock 8 месяцев назад

Thank for letting me know - I am glad you found it useful

@supriyochatterjee4095 Год назад

Probably the best videos on Azure right now, even more clearly explained than Microsofts own articles available on the web, thank you Sir for your valuable time and effort in making all this great technical contents, hope to see a lot lot more in the near future

@john_craddock Год назад

Thanks Supriyo, Comments like yours make it all worthwhile!

@steveng.42 Год назад

I couldn't agree more with this sentiment! John should just be the default auth explainer on all Microsoft technical docs!

@john_craddock Год назад

@@steveng.42 Many thanks for your comment Steve, much appreciated!

@alpeshbhoi330 Год назад

@@john_craddocknice video John. I have just one question if we have Root ca, intermidiate ca and issuing ca, the do we need to upload all of those three certificates?

@damienb8297 Год назад

excellent video, thanks for this

@john_craddock Год назад

Thanks Damien for letting me know!

@berndeckenfels 5 месяцев назад

With the SKI the smartcards could be anonymous and even pre-issued, that’s quite neat in addition to the high affinity. Is there an drawback if you don’t have attributes (for this specific Entra ID Login case)

@AndyMaloneMVP Год назад

Awesome session John 🎉

@john_craddock Год назад

Thanks Andy - Along way to go before I join the ranks of a RU-vid master like you!

@AndyMaloneMVP Год назад

@@john_craddock you’ll get there my friend 👍😊

@berndeckenfels 5 месяцев назад

When using windows Keystore, it should use the cryptong rsa provider, as it uses credential isolation. And potential even tpm, but I am not sure how to enforce this.

@StringsAndLife 11 месяцев назад

Very informative

@john_craddock 11 месяцев назад

Glad it was helpful!

@holodray2269 Год назад

Hi John, thanks for video! Appreciate you taking the time to make and share this content. Can you tell me what the app is you are using to dump the token claims and test various login experiences? It’s at 5:57 (OpenID Connect & OAuth 2.0 demo). I would like to use this to do some of my own setup and testing but can’t find it.

@john_craddock Год назад

Hi @holodray2269, thanks for the feedback. The app is something I put together for my identity masterclass. I don't make it freely available. However if you join the class you get a copy of it an more! learn.xtseminars.co.uk

@abdulmananclasses.7793 7 месяцев назад

Thanks John, As per your commitment in one of the videos to make one video per week but I didn't see many uploaded recently. Can you please clarify when you gonna upload videos on other Authentication and Authorization methods. Thank you 😊

@john_craddock 7 месяцев назад

Hi Abdul, That was an ambitious commitment and now I'm embarrassed! Unfortunately I got completely committed to a customer project. However, I am now trying to get back on-track with the videos. I already have a video on authentication methods ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-lajeFoCr2KM.html. What content are you looking for?

@abdulmananclasses.7793 7 месяцев назад

Thanks John for replying on my message. I want to have some series on Application Registration and Enterprise Application.

@john_craddock 7 месяцев назад

@@abdulmananclasses.7793 It's on my list, Hopefully in the next couple of months!

@infosec4cloud 9 месяцев назад

Hi John, thank you so much for you video. Can you explain how to create the other certificate templates, like CBAUserSetName and others, I'm a little confused in that step. Thank you so much.

@john_craddock 8 месяцев назад

Sorry for the late reply. Please give me time on the video that you are asking about

@anuj_rana Год назад

Thanks for the awesome content as usual. Why can't we use CBA as second factor option like Auth app or U2F fido2 keys? I see CBA listed as MFA option once CBA is enabled but it fails when used. Is it by design or it is due to other issues with certificate. if by design, then MS should not show CBA as MFA option.

@john_craddock Год назад

Hi @anuj_rana, thanks for the feedback. CBA can be used as a sign in for 1st Factor or 1 & 2 factor combined. So a cert tagged with the appropriate OID is considered strong auth. I think the assumption is that if the org is issuing strong auth certs then the admins have taken the appropriate steps to make sure that those certs are only issued to devices that secure them with a second factor (biometric or pin). I hope that helps!

@artisticcheese Год назад

Would like to see video how this type of authentication can be used for automation tasks (service principals)

@john_craddock Год назад

Hi Gregory, With a workload identity, the preferred way of setting it up is to use a signed JWT assertion and this uses an X509 cert for signing and validation. Workload identities are something I will be covering in the future. My list is getting longer!

@Sathish_jo Год назад

Awesome video sir. How to enroll certificate to yubikey and use it for authentication.?

@john_craddock Год назад

Thanks @Sathish. I'm glad you enjoyed it!

@Tularis 9 месяцев назад

What if you have users in an Azure Only environment without any server?

@john_craddock 8 месяцев назад

You will require a PKI to issue your certificates

@fbifido2 14 дней назад

@@john_craddock does Microsoft intune not provide a way to issue Cert from my own ROOT certificate?

@fbifido2 14 дней назад

@@john_craddock does Microsoft offer a private pki for intune ?

@mihrandars1068 Год назад

up to last 5 minutes is correct, MFA is rather misleading, bindings to SKI or OIDs within CBA are still single factored,

@john_craddock Год назад

Hi Mihran, It is the organization that is designating that a particular certificate type (correct OID) can be treated as multifactor. For this to be true multifactor, the org will need to make sure that those certificate type are only issued to certificate storage (smartcard or similar) that require a PIN or biometric. I am sorry if that wasn't clear - Many thanks for your feedback

@ohyeahbabyohyes 10 месяцев назад

This is completely irrelevant for modern cloud based Microsoft 365 Entra

@john_craddock 10 месяцев назад

I am not quite sure why you say that. I agree if you don't want to use CBA, then it may not be relevant to you, but it is certainly not irrelevant to everyone.

@ohyeahbabyohyes 10 месяцев назад

On-prem is going away. @@john_craddock