Limitations with Azure AD certificate-based authentication

This topic covers supported and unsupported scenarios for Azure Active Directory (Azure AD) certificate-based authentication.


Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Supported scenarios

The following scenarios are supported:

  • User sign-ins to web browser-based applications on all platforms.
  • User sign-ins on mobile native browsers.
  • Support for granular authentication rules for multifactor authentication by using the certificate issuer Subject and policy OIDs.
  • Configuring certificate-to-user account bindings by using the certificate Subject Alternative Name (SAN) principal name and SAN RFC822 name.

Unsupported scenarios

The following scenarios aren't supported:

  • Public Key Infrastructure for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices.
  • Certificate Authority (CA) hints aren't supported, so the certificate picker shown to users isn't scoped to certificates issued by the trusted CAs. Users may be offered every client certificate on the device and have to choose the right one.
  • Only one CRL Distribution Point (CDP) for a trusted CA is supported.
  • The CDP can be only HTTP URLs. We don't support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.
  • Other certificate-to-user account bindings, such as the Subject field or the issuer and key identifier (keyid), aren't available in this release.
  • Currently, password authentication can't be disabled when CBA is enabled, and the option to sign in by using a password is still displayed. Enabling CBA therefore doesn't remove password sign-in as an attack surface for the user.
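
As an added example (not Microsoft's code and not part of this article), the following Python script, built on the `cryptography` package, pre-checks a client certificate against the limitations listed above before a CA is onboarded for CBA: it confirms that the SAN carries a principal name or an RFC822 name (the two supported bindings), that the CRL Distribution Point extension holds exactly one HTTP URL, and that revocation information isn't OCSP-only; it also extracts the issuer subject and certificate policy OIDs that authentication binding rules key on. It inspects the certificate's own CDP because the CRL URL configured on the trusted CA in Azure AD is normally the one the PKI stamps into issued certificates. The certificates it generates are self-signed, and the contoso.com names and the policy OID 1.3.6.1.4.1.99999.1 are constructed placeholders.

```python
from __future__ import annotations

import datetime
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtensionOID, NameOID)

# Microsoft's otherName OID that carries the User Principal Name in the SAN.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def upn_other_name(upn: str) -> x509.OtherName:
    """SAN otherName for a UPN; the value is a DER UTF8String (short-form length)."""
    raw = upn.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("UPN too long for short-form DER length")
    return x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw)


def _extension(cert: x509.Certificate, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def check_cba_readiness(cert: x509.Certificate) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no listed limitation is hit."""
    findings: list[tuple[str, str]] = []
    # Username binding: only the SAN principal name and SAN RFC822 name are supported.
    san = _extension(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    upns = [] if san is None else [
        o for o in san.get_values_for_type(x509.OtherName) if o.type_id == UPN_OID]
    emails = [] if san is None else san.get_values_for_type(x509.RFC822Name)
    if not upns and not emails:
        findings.append(("NO_SUPPORTED_BINDING",
                         "SAN carries neither a principal name nor an RFC822 name"))
    # Revocation: one CDP per CA and HTTP URLs only; OCSP and LDAP are not used.
    cdps = _extension(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS)
    if cdps is None:
        aia = _extension(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
        if aia and any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia):
            findings.append(("OCSP_ONLY", "only OCSP revocation info; no CRL URL to configure"))
        return findings
    dps = list(cdps)
    if len(dps) != 1:
        findings.append(("MULTIPLE_CDP", f"{len(dps)} distribution points; only one is supported"))
    for dp in dps:
        if not dp.full_name:
            findings.append(("CDP_NOT_URL", "distribution point has no URL"))
            continue
        for name in dp.full_name:
            if not isinstance(name, x509.UniformResourceIdentifier):
                findings.append(("CDP_NOT_URL", f"non-URI CDP name: {name!r}"))
            elif urlparse(name.value).scheme.lower() != "http":
                # The article allows HTTP URLs only, so ldap:// and https:// both fail here.
                findings.append(("NON_HTTP_CDP", f"unsupported CDP URL: {name.value}"))
    return findings


def binding_rule_facts(cert: x509.Certificate) -> tuple[str, list[str]]:
    """Issuer subject and policy OIDs: the inputs for MFA authentication binding rules."""
    policies = _extension(cert, ExtensionOID.CERTIFICATE_POLICIES)
    oids = [] if policies is None else [p.policy_identifier.dotted_string for p in policies]
    return cert.issuer.rfc4514_string(), oids


def _self_signed(san, cdp_urls, ocsp_url=None, policy_oid=None) -> x509.Certificate:
    """Constructed, self-signed test certificate; all contoso.com names are placeholders."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Contoso Issuing CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.SubjectAlternativeName(san), critical=False))
    if cdp_urls:
        b = b.add_extension(x509.CRLDistributionPoints([
            x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                   relative_name=None, reasons=None, crl_issuer=None)
            for u in cdp_urls]), critical=False)
    if ocsp_url:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
            critical=False)
    if policy_oid:  # hypothetical policy OID, used only to show what the rules key on
        b = b.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)]), critical=False)
    return b.sign(key, hashes.SHA256())


def sample_certificates() -> dict[str, x509.Certificate]:
    return {
        # UPN + RFC822 SAN, a single HTTP CDP and a policy OID: nothing to report.
        "ready": _self_signed(
            [upn_other_name("alice@contoso.com"), x509.RFC822Name("alice@contoso.com")],
            ["http://crl.contoso.com/issuing.crl"], policy_oid="1.3.6.1.4.1.99999.1"),
        # DNS-only SAN and two CDPs, one of them LDAP: three limitations hit.
        "legacy": _self_signed(
            [x509.DNSName("ws01.contoso.com")],
            ["ldap:///CN=Issuing%20CA,CN=CDP,DC=contoso,DC=com?certificateRevocationList",
             "http://crl.contoso.com/issuing.crl"]),
        # OCSP in the AIA extension but no CDP at all.
        "ocsp_only": _self_signed([x509.RFC822Name("bob@contoso.com")], [],
                                  ocsp_url="http://ocsp.contoso.com"),
    }


if __name__ == "__main__":
    for label, cert in sample_certificates().items():
        print(label, binding_rule_facts(cert), check_cba_readiness(cert) or "OK")
```

To run the check against a real user certificate instead of the constructed ones, load it with `x509.load_pem_x509_certificate()` (or `load_der_x509_certificate()`) and pass it to `check_cba_readiness()`. The finding codes are deliberately coarse so the script can be dropped into a PKI review checklist; a certificate that comes back clean still depends on the CRL URL actually being reachable from Azure AD over HTTP.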

Next steps