Microsoft Entra certificate-based authentication on Android devices
Android devices can use a client certificate on their device for certificate-based authentication (CBA) to Microsoft Entra ID. CBA can be used to connect to:
- Office mobile applications such as Microsoft Outlook and Microsoft Word
- Exchange ActiveSync (EAS) clients
Microsoft Entra CBA is supported for on-device certificates in native browsers and in Microsoft first-party applications on Android devices.
Prerequisites
- Android version must be Android 5.0 (Lollipop) or later.
Support for on-device certificates
On-device certificates are provisioned directly to the device, typically by using Mobile Device Management (MDM) to push the certificate to the device's certificate store.
Supported platforms
- Applications that use the latest Microsoft Authentication Library (MSAL) or Microsoft Authenticator can do CBA
- Edge with a profile supports CBA when users add an account and sign in with that profile
- Microsoft first-party apps with the latest MSAL libraries or Microsoft Authenticator can do CBA
Microsoft mobile applications support
| Application | Support |
|---|---|
| Azure Information Protection app | ✅ |
| Company Portal | ✅ |
| Microsoft Teams | ✅ |
| Office (mobile) | ✅ |
| OneNote | ✅ |
| OneDrive | ✅ |
| Outlook | ✅ |
| Power BI | ✅ |
| Skype for Business | ✅ |
| Word / Excel / PowerPoint | ✅ |
| Yammer | ✅ |
Support for Exchange ActiveSync clients
Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported.
To determine if your email application supports Microsoft Entra CBA, contact your application developer.
Support for certificates on hardware security key
Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Microsoft Entra ID supports CBA with YubiKey.
Advantages of certificates on hardware security key
Security keys with certificates:
- Have the roaming nature of a security key, which lets users use the same certificate on different devices
- Are hardware-secured with a PIN, which makes them phishing-resistant
- Provide multifactor authentication, with the PIN as the second factor required to access the certificate's private key
- Satisfy the industry requirement to have MFA on a separate device
- Help with future proofing, because multiple credentials can be stored on the same key, including Fast Identity Online 2 (FIDO2) credentials
Microsoft Entra CBA on Android mobile
Android needs a middleware application to support smart cards or security keys with certificates. To support YubiKeys with Microsoft Entra CBA, the YubiKey Android SDK has been integrated into the Microsoft broker code, which applications use through the latest Microsoft Authentication Library (MSAL).
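As an added example, not taken from this page or from Microsoft's own code, the following msal_config.json fragment shows how an MSAL Android app opts into the broker so that Microsoft Authenticator, rather than the app itself, handles the certificate picker and YubiKey access described above. The client ID, tenant ID, package name and signature hash are placeholders (marked REPLACE_WITH_...) that you substitute with the values from your own app registration.

```json
{
  "client_id": "00000000-0000-0000-0000-000000000000",
  "authorization_user_agent": "DEFAULT",
  "redirect_uri": "msauth://com.example.cbaapp/REPLACE_WITH_BASE64_SIGNATURE_HASH",
  "account_mode": "SINGLE",
  "broker_redirect_uri_registered": true,
  "authorities": [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADMyOrg",
        "tenant_id": "REPLACE_WITH_TENANT_ID"
      }
    }
  ]
}
```

Setting `broker_redirect_uri_registered` to `true` tells MSAL to route sign-in through the installed broker (Microsoft Authenticator or Company Portal). This requires the broker-format redirect URI, `msauth://<package name>/<base64 signature hash>`, to be registered on the app registration in Microsoft Entra ID; the value in the config and the registered value must match.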
Microsoft Entra CBA on Android mobile with YubiKey
Because Microsoft Entra CBA with YubiKey on Android is enabled through the latest MSAL, the YubiKey Authenticator app isn't required for Android support.
Steps to test YubiKey on Microsoft apps on Android:
- Install the latest Microsoft Authenticator app.
- Open Outlook and plug in your YubiKey.
- Select Add account and enter your user principal name (UPN).
- Click Continue. A dialog should immediately pop up asking for permission to access your YubiKey. Click OK.
- Select Use Certificate or smart card. A custom certificate picker will appear.
- Select the certificate associated with the user’s account. Click Continue.
- Enter the PIN to access YubiKey and select Unlock.
The user should be successfully logged in and redirected to the Outlook homepage.
Note
For a smooth CBA flow, plug in YubiKey as soon as the application is opened and accept the consent dialog from YubiKey before selecting the link Use Certificate or smart card.
Troubleshoot certificates on hardware security key
What will happen if the user has certificates both on the Android device and YubiKey?
- If the user has certificates both on the Android device and on the YubiKey, and the YubiKey is plugged in before the user selects Use Certificate or smart card, the user is shown the certificates on the YubiKey.
- If the YubiKey is not plugged in before the user selects Use Certificate or smart card, the user is shown all the certificates on the device. The user can select Cancel in the certificate picker, plug in the YubiKey, and restart the CBA process with the YubiKey.
My YubiKey is locked after incorrectly typing PIN three times. How do I fix it?
- Users should see a dialog informing them that too many PIN attempts have been made. This dialog also appears on subsequent attempts to select Use Certificate or smart card.
- YubiKey Manager can reset a YubiKey’s PIN.
I have installed Microsoft Authenticator but still don't see an option to do certificate-based authentication with YubiKey.
Before installing Microsoft Authenticator, uninstall Company Portal and install it after Microsoft Authenticator installation.
Does Microsoft Entra CBA support YubiKey via NFC?
This feature supports using YubiKey with USB and NFC.
After CBA fails, selecting the CBA option again from the 'Other ways to sign in' link on the error page also fails.
This issue happens because of certificate caching. We're working on a fix to clear the cache. As a workaround, select Cancel and restart the sign-in flow; the user can then choose a new certificate and sign in successfully.
Microsoft Entra CBA with YubiKey is failing. What information would help debug the issue?
- Open Microsoft Authenticator app, click the three dots icon in the top right corner and select Send Feedback.
- Click Having Trouble?.
- For Select an option, select Add or sign into an account.
- Describe any details you want to add.
- Click the send arrow in the top right corner. Note the code provided in the dialog that appears.
Known Issues
- Sometimes, plugging in the YubiKey, granting permission in the permission dialog, and selecting Use Certificate or smart card still takes the user to the on-device CBA picker instead of the smart card CBA picker. The user needs to cancel out of the picker, unplug the key, and plug it back in before attempting to sign in again.
- With the Most Recently Used (MRU) feature, once a user signs in with CBA, the MRU authentication method is set to CBA. Because the user is then taken directly into the CBA flow, there may not be enough time to accept the Android USB consent dialog. As a workaround, the user needs to remove and re-plug the YubiKey, accept the consent dialog from the YubiKey, then select the back button and try again to complete the CBA flow.
- Microsoft Entra CBA with YubiKey on the latest Outlook and Teams fails at times. This could be due to a keyboard configuration change when the YubiKey is plugged in. To avoid it:
  - Plug in the YubiKey as soon as the application is opened.
  - Accept the consent dialog from the YubiKey before selecting the link Use Certificate or smart card.
Supported operating systems
| Operating system | Certificate on-device / derived PIV | Smart cards |
|---|---|---|
| Android | ✅ | Supported vendors only |
Supported browsers
| Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |
|---|---|---|---|---|---|---|
| Android | ✅ | ❌ | N/A | N/A | ❌ | ❌ |
Note
Although Edge as a browser isn't supported, Edge with a profile (for account sign-in) is an MSAL app and supports CBA on Android.
Security key providers
| Provider | Android |
|---|---|
| YubiKey | ✅ |