Azure certificate based authentication

Skip Hofmann 341 Reputation points
2022-06-16T16:45:27.07+00:00

Hello

I am reading the below article regarding using Azure CBA. I'm trying to understand how this is different from using Windows Hello for Business, and how the two authentication methods stack up against each other? It sounds like the same authentication to me, the certs are protected by the TPM. However, it doesn't sound like you can use CBA to log onto the device itself. Can WH4B and CBA be used in combination?

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication


2 answers

  1. Cristian SPIRIDON 4,486 Reputation points Volunteer Moderator
    2022-06-17T05:10:53.793+00:00

    Hi,

    You are right. The CBA from the article is for authentication against Azure AD not on prem or local device.

    WHfB is designed for the device so those are two different things: one is for authentication against the cloud and one is for authentication against the local device.

    Hope this helps!


  2. Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator
    2022-06-18T14:32:12.643+00:00

    @Skip Hofmann

    Thank you for reaching out to us. As @Cristian SPIRIDON mentioned, Azure AD certificate-based authentication enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in, whereas Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.

    To answer this: Can WH4B and CBA be used in combination?
    Why not, you can use it. WH4B would have a PRT during the sign-ins and provides SSO, so you won't get the opportunity to do any other cert (CBA). It's like WH4B is used to sign in and the browser wants to use "FIDO2" keys.
    Implementation-wise it is possible but won't be of much help; you won't get the opportunity to do that, as SSO takes precedence unless you use a private browser.

    Let me know if you have any further questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

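The answer above describes the core of CBA: the user presents an X.509 certificate, the identity provider verifies that it chains to a trusted issuing CA and is valid for client authentication, and then maps an identifier in the certificate to a directory user. The following Go program is an added illustration of that flow and is not code from the thread, from Microsoft, or from Azure AD. It assumes a toy in-memory PKI (a constructed issuing CA and one user certificate), models the username binding as the certificate's rfc822Name SAN (one of the bindings the linked article describes), and stands in for the directory lookup with a plain map; the names `issueTestPKI` and `resolveUser` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueTestPKI builds a constructed, in-memory issuing CA and a user certificate
// whose rfc822Name SAN carries the user's UPN-style address. This is an
// assumption about how the binding is modelled, not Azure AD's own code.
func issueTestPKI(upn string) (caCert, userCert *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err = x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	// The user's private key would live in the TPM / smart card in practice;
	// here it only exists to produce the public key in the certificate.
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "Constructed Test User"},
		EmailAddresses: []string{upn}, // rfc822Name SAN used as the username binding
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	userCert, err = x509.ParseCertificate(userDER)
	return caCert, userCert, err
}

// resolveUser performs the two checks an identity provider must make before
// trusting a presented certificate: chain validation against the configured
// trusted CAs (with the client-auth EKU and validity period enforced by
// x509.Verify), and an exact match of the bound identifier to a known user.
// directory maps rfc822Name -> user object id and simulates the tenant directory.
func resolveUser(cert *x509.Certificate, trusted *x509.CertPool, directory map[string]string) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if len(cert.EmailAddresses) != 1 {
		return "", errors.New("certificate must carry exactly one rfc822Name to bind a user")
	}
	id, ok := directory[cert.EmailAddresses[0]]
	if !ok {
		return "", errors.New("no directory user bound to " + cert.EmailAddresses[0])
	}
	return id, nil
}

func main() {
	ca, user, err := issueTestPKI("alice@contoso.example") // constructed sample UPN
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	directory := map[string]string{"alice@contoso.example": "user-object-id-placeholder"}

	id, err := resolveUser(user, trusted, directory)
	fmt.Println("trusted CA  ->", id, err)

	// A certificate from a CA the tenant never uploaded must be rejected.
	rogueCA, _, _ := issueTestPKI("alice@contoso.example")
	untrusted := x509.NewCertPool()
	untrusted.AddCert(rogueCA)
	_, err = resolveUser(user, untrusted, directory)
	fmt.Println("other CA    ->", err)
}
```

The second lookup in `main` is the check worth remembering: a certificate carrying the right UPN is meaningless unless it chains to a CA the tenant has explicitly trusted, which is why the trusted-CA list is the security boundary for CBA rather than the SAN value alone.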
