Is there any Azure service that provide a Azure AD rootCA like the on premise ADCS ?

JcAubrun 21 Reputation points

From my understanding, there's not, you can only sign certs linked to the official Azure RootCA.
Can you confirm ?
Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,076 questions
0 comments No comments
{count} votes

Accepted answer
  1. Givary-MSFT 29,261 Reputation points Microsoft Employee

    @JcAubrun Thank you for reaching out to us. As I understand you are looking for a Azure Certificate as a Service which can act like Root CA ( something like a on-premise certificate authority ), researched on this unfortunately we don't have any such service which can provide the functionality which you are looking for.

    As Jimmy mentioned above you use Azure AD certificate-based authentication (CBA) which allows users to authenticate directly with X.509 certificates against Azure Active Directory (Azure AD) for applications and browser sign-in.

    Reference: Azure AD certificate-based authentication

    Also you can share product suggestions on the Entra (Azure AD) forum which is monitored closely by our product group team.

    Let me know if you have any further questions, please feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. JimmySalian-2011 41,956 Reputation points

    Hi JC,

    You can explore AAD Certificate based authentication and check out the features that can help you to setup for your users.

    Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).


    Hope this helps.

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. JcAubrun 21 Reputation points

    Thank you but my question was maybe not clear, it's more about having a Certification Authority service under Azure.

    A CA that issues certificates for an organization like ADCS :

    0 comments No comments

  3. JcAubrun 21 Reputation points

    Thank you very much

    0 comments No comments