A while back, Microsoft announced support for Office apps on mobile devices to authenticate to Office 365 services using a certificate rather than a username and password.
A number of Office apps support this – here is a list for iOS and Android. Since the end-to-end setup is fairly complex, with a few moving parts, I wanted to document the lab setup, along with many of the gotchas that I (and others) hit along the way.
I’ll break the steps up into four parts:
Part 1 – Get your Certificate Authority CRL ready: If you are not doing this already, you need to publish your CRL so that it is reachable by everyone, both inside and outside your organisation. Azure AD fetches the CRL anonymously over HTTP when it checks a user certificate for revocation, so the published URL must answer without any authentication (an LDAP CDP will not work). I’ll detail the steps to publish the CRL onto an internal web server you already have, then use Azure App Proxy to publish the endpoint on the internet. (The Azure App Proxy part is entirely optional; you may choose to publish the endpoint with your WAP server instead – as long as your CRL can be reached anonymously from the internet you are fine. If you do use Azure App Proxy, publish it as passthrough rather than with Azure AD pre-authentication, otherwise the CRL fetch gets a sign-in page instead of the CRL.)
Part 2 – Register your Certification Authority with Azure AD: Run the New-AzureADTrustedCertificateAuthority cmdlet (from the AzureAD PowerShell module) to upload the public certificate of your on-prem CA together with its CRL distribution point, so that Azure AD trusts user certificates issued by that CA.
Part 3 – Set up ADFS: You need to configure claims rules on ADFS, and enable certificate authentication as an authentication method so that the “Use a certificate” option appears on your ADFS logon page.
Part 4 – Deploy a certificate and test it out: Create a certificate template on your CA, manually generate a test user certificate and test it out on mobile devices. (In the real world you would usually use your MDM product to deploy user certificates via SCEP or the PFX connector, but that is a long process with heaps of different choices, and there is pretty good documentation on how to set it up.) For iOS it’s hard to get a root CA installed on the device, so we end up using Intune for that bit.
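As an added example (this is not code from the original post), here is the PowerShell that ties Part 1 and Part 2 together: it first confirms that the published CRL can be fetched anonymously and actually parses as a CRL, then registers the on-prem CA with Azure AD and lists what the tenant now trusts. The certificate path and CRL URL are placeholders you replace with your own, and the script assumes the AzureAD module on Windows PowerShell 5.1 with a Global Administrator account.

```powershell
# Added example, not from the original post. Placeholders: replace $CaCertPath
# and $CrlUrl with your own CA public certificate and the CDP you published in Part 1.
$CaCertPath = 'C:\Lab\LabRootCA.cer'                             # DER/Base64 public cert of the CA
$CrlUrl     = 'http://crl.contoso.com/CertEnroll/LabRootCA.crl'  # anonymous HTTP CDP

# 1. Azure AD fetches the CRL anonymously over HTTP, so do the same here.
#    -ErrorAction Stop makes a 401/403/404 terminate the script instead of
#    silently writing an error and carrying on.
$tmp = Join-Path $env:TEMP 'downloaded.crl'
Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp -UseBasicParsing -ErrorAction Stop

# 2. A 200 is not enough: an App Proxy with pre-authentication, or a captive
#    portal, happily returns an HTML sign-in page. certutil -dump fails on
#    anything that is not a certificate or CRL, which catches that case.
certutil -dump $tmp | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Content served at $CrlUrl is not a valid CRL; fix publishing before registering the CA."
}

# 3. Connect to the tenant and build the CA record.
#    Windows PowerShell 5.1 syntax: the AzureAD module targets it, and
#    Get-Content -Encoding Byte became -AsByteStream in PowerShell 7.
Connect-AzureAD
$caBytes = Get-Content -Path $CaCertPath -Encoding Byte -ReadCount 0

$ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$ca.AuthorityType        = 'RootAuthority'     # 'IntermediateAuthority' for an issuing sub-CA
$ca.TrustedCertificate   = $caBytes
$ca.crlDistributionPoint = $CrlUrl

# 4. Register the CA. Every intermediate CA in the user certificate chain needs
#    its own registration, each with its own reachable CDP.
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca

# 5. Confirm what the tenant trusts now (issuer name and CDP should match your CA).
Get-AzureADTrustedCertificateAuthority | Format-List
```

Run the script from an admin workstation that is outside your corporate network (or from a mobile hotspot) so that the CRL check exercises the same external path Azure AD will use; an internal DNS entry that resolves only on the LAN is one of the more common reasons certificate sign-in fails later with a revocation error.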