Does Microsoft Entra Id support mTLS client authentication as defined by RFC8705?

Question

Does Microsoft Entra Id support mTLS client authentication as defined by RFC8705?

Kevin Frey 6

RFC8705 specifies mutual TLS where the client identifies itself by a client certificate delivered via the TLS handshake. This certificate, in combination with a client_id, should be sufficient to identify the client to Microsoft Entra.

I cannot find details on how to set up this approach with Microsoft Entra. The documentation tends to take you in the direction of creating a JWT bearer token signed with a client-certificate, which does not have the same security as RFC8705, and is much more tedious to set up on the client side also.

Can anyone point me in the right direction? Can Microsoft Entra even do this?

Kevin Frey 6 Reputation points

2025-04-02T01:33:17.8+00:00

To provide more detail to this problem. I have set up an App Registration representing my "server-side service" in Entra. I have set up a second App Registration representing my "client app" in Entra. My server App has defined an API. My client API defines API permissions to the API of the Server App. My client App defines a certificate which I want to use for mTLS.

When I send a request to the Entra token endpoint, using a grant_type of client_credentials, a client_id being that of my Client App, and a scope identifying the Server's API (plus .default), I get an error that I need to supply client_secret, client_assertion_type, or client_assertion parameters. That does not accord with my understanding of how mTLS client authentication should work.

I cannot find anywhere [so far] that suggests Entra actually supports mTLS as defined by RFC8705.
Navya 20,490 Reputation points Microsoft External Staff Moderator

2025-04-08T19:06:51.69+00:00

Hi @Kevin Frey

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Navya 20,490 Reputation points Microsoft External Staff Moderator

2025-04-09T17:37:59.1933333+00:00

Hi @Kevin Frey

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. if you have any further query do let us know.

1 answer

Your answer

Kevin Frey 6 Reputation points

2025-04-02T01:33:17.8+00:00

To provide more detail to this problem. I have set up an App Registration representing my "server-side service" in Entra. I have set up a second App Registration representing my "client app" in Entra. My server App has defined an API. My client API defines API permissions to the API of the Server App. My client App defines a certificate which I want to use for mTLS.

When I send a request to the Entra token endpoint, using a grant_type of client_credentials, a client_id being that of my Client App, and a scope identifying the Server's API (plus .default), I get an error that I need to supply client_secret, client_assertion_type, or client_assertion parameters. That does not accord with my understanding of how mTLS client authentication should work.

I cannot find anywhere [so far] that suggests Entra actually supports mTLS as defined by RFC8705.
Navya 20,490 Reputation points Microsoft External Staff Moderator

2025-04-08T19:06:51.69+00:00

Hi @Kevin Frey

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Navya 20,490 Reputation points Microsoft External Staff Moderator

2025-04-09T17:37:59.1933333+00:00

Hi @Kevin Frey

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. if you have any further query do let us know.

Answer 1

Hi @Kevin Frey

Based on the information you've shared, it appears you're trying to use mutual TLS (mTLS) for authentication with Microsoft Entra ID (Azure AD). Specifically, you're attempting to use mTLS to authenticate a client application with its certificate when requesting a token from the Entra ID token endpoint.

However, Microsoft Entra (Azure AD) does not natively support RFC 8705 for mutual TLS authentication, where a client is identified solely by a certificate in the TLS handshake. Instead, Entra typically supports OAuth 2.0-based authentication, with client certificates used to obtain tokens. In this process, client authentication is usually done via a client secret or client certificate as part of the client credentials flow.

In the OAuth client credentials flow, Microsoft Entra expects either a client_secret or a client assertion (which is typically signed by a certificate), rather than direct certificate-based authentication like mTLS. This is why you're encountering an error asking for a client_secret or client_assertion parameter.

Instead of trying to use mTLS directly, you can sign a client assertion using the client certificate and send that to Microsoft Entra.

For you reference: How to configure client_secret in app registration

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#use-client-certificates

Kevin Frey 6 Reputation points

2025-04-03T22:33:54.1433333+00:00

Thank you so much for your response. Is it possible to provide both a client_secret and a signed token as "dual factors" for authentication, and is it commonly done?
Navya 20,490 Reputation points Microsoft External Staff Moderator

2025-04-07T20:28:56.0233333+00:00

Hi @Kevin Frey

Microsoft Entra ID (Azure AD) does not support using both client_secret and a signed client assertion together as "dual factors" for client authentication in the OAuth 2.0 client credentials flow.

Share via

Does Microsoft Entra Id support mTLS client authentication as defined by RFC8705?

1 answer

Your answer