Does Microsoft Entra ID support mTLS client authentication as defined by RFC8705?

Kevin Frey 6 Reputation points
2025-04-01T07:40:57.85+00:00

RFC8705 specifies mutual TLS where the client identifies itself by a client certificate delivered via the TLS handshake. This certificate, in combination with a client_id, should be sufficient to identify the client to Microsoft Entra.

I cannot find details on how to set up this approach with Microsoft Entra. The documentation tends to take you in the direction of creating a JWT bearer token signed with a client-certificate, which does not have the same security as RFC8705, and is much more tedious to set up on the client side also.

Can anyone point me in the right direction? Can Microsoft Entra even do this?


1 answer

  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2025-04-02T20:17:42.51+00:00

    Hi @Kevin Frey

    Based on the information you've shared, it appears you're trying to use mutual TLS (mTLS) for authentication with Microsoft Entra ID (Azure AD). Specifically, you're attempting to use mTLS to authenticate a client application with its certificate when requesting a token from the Entra ID token endpoint.

    However, Microsoft Entra (Azure AD) does not natively support RFC 8705 for mutual TLS authentication, where a client is identified solely by a certificate in the TLS handshake. Instead, Entra typically supports OAuth 2.0-based authentication, with client certificates used to obtain tokens. In this process, client authentication is usually done via a client secret or client certificate as part of the client credentials flow.

    In the OAuth client credentials flow, Microsoft Entra expects either a client_secret or a client assertion (which is typically signed by a certificate), rather than direct certificate-based authentication like mTLS. This is why you're encountering an error asking for a client_secret or client_assertion parameter.

    Instead of trying to use mTLS directly, you can sign a client assertion using the client certificate and send that to Microsoft Entra.

    For your reference: How to configure client_secret in app registration

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#use-client-certificates
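
The assertion-based alternative the answer points to, as an added example that is not code from this thread or from Microsoft: it builds the RS256 JWT that the Entra token endpoint accepts as `client_assertion` (an `x5t` header carrying the certificate's SHA-1 thumbprint, `aud` set to the tenant's v2.0 token endpoint, `iss` and `sub` both set to the client ID, a fresh `jti`, and a short `nbf`/`exp` window), then assembles the `client_credentials` form body that goes in place of a `client_secret`. The tenant ID and client ID are made-up placeholders, the certificate is self-signed in memory so the script runs offline, the five-minute lifetime is a design choice rather than a documented requirement, and `verify_assertion` is a local stand-in for the checks the token endpoint performs, not the service's own logic. It depends on the `cryptography` package.

```python
"""Client assertion (JWT signed with the app's certificate) for the Entra ID
client credentials flow. Added example; TENANT_ID/CLIENT_ID are placeholders,
the certificate is generated in memory, nothing is sent over the network."""
import base64
import datetime as dt
import json
import uuid
from urllib.parse import urlencode

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder, not a real tenant
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder app (client) ID
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_certificate():
    """Self-signed cert + key standing in for the one uploaded to the app registration."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-client")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=1))
        .not_valid_after(now + dt.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_client_assertion(key, cert, client_id=CLIENT_ID, audience=TOKEN_ENDPOINT, lifetime_s=300) -> str:
    """RS256 JWT in the shape Entra expects: x5t header, aud = token endpoint, iss = sub = client_id."""
    header = {
        "alg": "RS256",
        "typ": "JWT",
        # x5t: base64url SHA-1 thumbprint of the DER certificate; Entra uses it to
        # select the matching certificate credential on the app registration.
        "x5t": b64url(cert.fingerprint(hashes.SHA1())),
    }
    now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    claims = {
        "aud": audience,
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),   # unique per assertion so a captured one cannot be replayed
        "nbf": now,
        "iat": now,
        "exp": now + lifetime_s,    # short lifetime (assumed 5 min); mint a new one per request
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def token_request_body(assertion: str, scope: str = "https://graph.microsoft.com/.default") -> dict:
    """Form fields for POST TOKEN_ENDPOINT; the assertion replaces client_secret."""
    return {
        "client_id": CLIENT_ID,
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
        "grant_type": "client_credentials",
    }


def verify_assertion(assertion: str, cert, expected_aud=TOKEN_ENDPOINT, client_id=CLIENT_ID) -> dict:
    """Local stand-in for the endpoint's checks: thumbprint, signature, aud, iss/sub, time window."""
    h, c, s = assertion.split(".")
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(c))
    if header.get("alg") != "RS256" or header.get("x5t") != b64url(cert.fingerprint(hashes.SHA1())):
        raise ValueError("header does not match the registered certificate")
    try:
        cert.public_key().verify(b64url_decode(s), f"{h}.{c}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature") from None
    now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    if claims["aud"] != expected_aud or claims["iss"] != client_id or claims["sub"] != client_id:
        raise ValueError("aud/iss/sub mismatch")
    if not (claims["nbf"] - 300 <= now < claims["exp"]):
        raise ValueError("outside validity window")
    return claims


if __name__ == "__main__":
    key, cert = make_test_certificate()
    assertion = build_client_assertion(key, cert)
    print(urlencode(token_request_body(assertion))[:120] + "...")
    print("verified claims:", verify_assertion(assertion, cert))
```

In a real client the private key stays in a key vault or HSM and only the signing step touches it; the certificate (public part) is what gets uploaded under the app registration's Certificates & secrets, and the `x5t` value must match that upload or the endpoint will reject the assertion.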

