Azure AD Certificate-Based Authentication - authentication binding policy for CAC cards

Yim, Sam

I just got certificate-based authentication to work for CAC cards using the username binding. Currently I have no rules set up for certificates/policy OIDs for my authentication binding. My question is: is it necessary to add certificates/policy OIDs for CAC card authentication? If I leave it as is, without any rules set up pertaining to certificates/policy OIDs, there shouldn't be a way for a user who isn't in our Windows Server AD or Azure AD to authenticate to the portal?


1 answer

  1. JimmySalian-2011

    Hi Sam,

    Thank you for asking this question on the Microsoft Q&A Platform.

    AFAIK, the username binding policy helps locate the user in the tenant. By default, the Subject Alternate Name (SAN) Principal Name in the certificate is mapped to the onPremisesUserPrincipalName attribute of the user object to determine the user, so this should be sufficient. Do you have MFA enabled for enhanced security? This would add an additional level of security.

    As per Microsoft, two certificate fields are supported, SAN Principal Name and SAN RFC822Name, which map against the user object attributes userPrincipalName and onPremisesUserPrincipalName.

    There is a detailed article with steps to verify this process: concept-certificate-based-authentication-technical-deep-dive

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
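The username binding lookup the answer describes, as an added example that is not part of the original question, the answer, or Microsoft's code. It simulates the policy as a priority-ordered list of rows mapping the two supported certificate fields (SAN PrincipalName, SAN RFC822Name) to the two supported user attributes (userPrincipalName, onPremisesUserPrincipalName). Assumptions: the second RFC822Name row, the tenant directory, the EDIPI-style PrincipalName values and the "ambiguous match fails" behaviour are all constructed for this example; the code does not model trusted-CA validation, revocation checking, or the issuer/policy OID authentication binding rules mentioned in the question. What it shows is that, in this model, a certificate whose bound field matches no user object never resolves to a user at all, and that a row with no value on the certificate simply falls through to the next priority.

```python
"""Simulated Azure AD CBA username binding (constructed example, not Microsoft code)."""
from dataclasses import dataclass

# The two certificate fields and two user attributes the answer names as supported.
SUPPORTED_FIELDS = {"PrincipalName", "RFC822Name"}
SUPPORTED_PROPERTIES = {"userPrincipalName", "onPremisesUserPrincipalName"}


@dataclass(frozen=True)
class Binding:
    """One row of the username binding policy: certificate field -> user attribute."""
    x509_field: str
    user_property: str
    priority: int  # lower number is tried first


# Row 1 is the default the answer describes; row 2 is an assumed extra binding.
DEFAULT_BINDINGS = [
    Binding("PrincipalName", "onPremisesUserPrincipalName", 1),
    Binding("RFC822Name", "userPrincipalName", 2),
]

# Constructed tenant directory. PrincipalName values follow the CAC EDIPI@mil
# shape but the numbers are invented.
TENANT_USERS = [
    {"id": "u-alice", "userPrincipalName": "alice.smith@contoso.onmicrosoft.com",
     "onPremisesUserPrincipalName": "1000000001@mil"},
    {"id": "u-bob", "userPrincipalName": "bob.jones@contoso.onmicrosoft.com",
     "onPremisesUserPrincipalName": "1000000002@mil"},
    {"id": "u-carol", "userPrincipalName": "carol.lee@contoso.onmicrosoft.com",
     "onPremisesUserPrincipalName": None},  # cloud-only account, never synced
]


def is_supported(binding):
    """True when the row uses a field and attribute the policy can bind on."""
    return (binding.x509_field in SUPPORTED_FIELDS
            and binding.user_property in SUPPORTED_PROPERTIES)


def validate_bindings(bindings):
    """Reject unsupported rows and return the rows in priority order."""
    for b in bindings:
        if not is_supported(b):
            raise ValueError(f"unsupported binding row: {b}")
    return sorted(bindings, key=lambda b: b.priority)


def resolve_user(san, users=TENANT_USERS, bindings=DEFAULT_BINDINGS):
    """Locate the tenant user for a presented certificate.

    san: SAN values present on the certificate, e.g.
         {"PrincipalName": "1000000001@mil", "RFC822Name": "alice@mail.mil"}.
    Returns (user_id, binding_used, reason); user_id is None when no row
    resolves to exactly one user.
    """
    for b in validate_bindings(bindings):
        value = san.get(b.x509_field)
        if not value:
            continue  # certificate lacks this field; try the next row
        matches = [u for u in users
                   if (u.get(b.user_property) or "").casefold() == value.casefold()]
        if len(matches) == 1:
            return matches[0]["id"], b, "bound"
        if len(matches) > 1:
            # Assumption for this example: an ambiguous match fails rather
            # than picking the first user found.
            return None, b, "ambiguous"
        # zero matches on this row: fall through to the lower-priority row
    return None, None, "no-match"


if __name__ == "__main__":
    cac = {"PrincipalName": "1000000001@mil", "RFC822Name": "alice.smith@mail.mil"}
    print("known CAC:", resolve_user(cac))
    stranger = {"PrincipalName": "1000009999@mil", "RFC822Name": "eve@example.test"}
    print("unknown CAC:", resolve_user(stranger))
```

The case to watch in a real tenant is the ambiguous one: two synced objects carrying the same onPremisesUserPrincipalName would make the first row unable to pick a user, so it is worth confirming that attribute is unique before relying on it.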