Windows smart card sign-in using Azure Active Directory certificate-based authentication

Azure Active Directory (Azure AD) users can authenticate using X.509 certificates on their smart cards directly against Azure AD at Windows sign-in. There's no special configuration needed on the Windows client to accept the smart card authentication.

User experience

Follow these steps to set up Windows smart card sign-in:

  1. Join the machine to either Azure AD or a hybrid environment (hybrid join).

  2. Configure Azure AD CBA in your tenant as described in Configure Azure AD CBA.

  3. Make sure the user is either on managed authentication or using Staged Rollout.

  4. Present the physical or virtual smart card to the test machine.

  5. Select the smart card icon, enter the PIN, and authenticate the user.

    Screenshot of smart card sign-in.

Users will get a primary refresh token (PRT) from Azure AD after the successful sign-in. Depending on the CBA configuration, the PRT will contain the multifactor claim.

Expected behavior of Windows sending user UPN to Azure AD CBA

| Sign-in            | Azure AD join         | Hybrid join         |
|--------------------|-----------------------|---------------------|
| First sign-in      | Pull from certificate | AD UPN or x509Hint  |
| Subsequent sign-in | Pull from certificate | Cached Azure AD UPN |

Windows rules for sending UPN for Azure AD-joined devices

Windows first uses the principal name and, if that is not present, the RFC822Name from the SubjectAlternativeName (SAN) of the certificate being used to sign in to Windows. If neither is present, the user must additionally supply a User Name Hint. For more information, see User Name Hint.

Windows rules for sending UPN for hybrid Azure AD-joined devices

A hybrid join sign-in must first succeed against the Active Directory (AD) domain. The user's AD UPN is then sent to Azure AD. In most cases, the Active Directory UPN value is the same as the Azure AD UPN value and is synchronized with Azure AD Connect.

Some customers maintain different, and sometimes non-routable, UPN values in Active Directory (such as user@woodgrove.local). In these cases the value sent by Windows may not match the user's Azure Active Directory UPN. To support these scenarios, when Azure AD can't match the value sent by Windows, it performs a subsequent lookup for a user whose onPremisesUserPrincipalName attribute matches that value. If the sign-in is successful, Windows caches the user's Azure AD UPN and sends it in subsequent sign-ins.

Note

In all cases, a user-supplied username login hint (X509UserNameHint) is sent if provided. For more information, see User Name Hint.

For more information about the Windows flow, see Certificate Requirements and Enumeration (Windows).
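The UPN-selection rules above (certificate SAN precedence for Azure AD-joined devices, AD UPN and cached Azure AD UPN for hybrid-joined devices, the X509UserNameHint override, and the onPremisesUserPrincipalName fallback lookup on the Azure AD side) can be modelled as a small decision procedure. The following is an added example written for this page, not Microsoft code; the data classes, function names, and the sample tenant directory are assumptions constructed for illustration, and the SAN is represented as a list of (kind, value) pairs that you would fill from whatever certificate parser you use.

```python
# Added example: a model of the UPN-selection and lookup rules described above.
# Not Microsoft code; names and data structures are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# SAN entry kinds as they appear in a certificate's SubjectAlternativeName.
PRINCIPAL_NAME = "principalName"  # OtherName carrying the Microsoft UPN
RFC822_NAME = "rfc822Name"        # e-mail style name


@dataclass
class AzureAdUser:
    user_principal_name: str
    on_premises_user_principal_name: Optional[str] = None


@dataclass
class SignInContext:
    join_type: str                         # "aad" or "hybrid"
    san: list                              # [(kind, value), ...] from the certificate
    ad_upn: Optional[str] = None           # UPN from the on-prem AD sign-in (hybrid only)
    cached_aad_upn: Optional[str] = None   # cached Azure AD UPN from an earlier success (hybrid)
    username_hint: Optional[str] = None    # X509UserNameHint typed by the user, if any


def upn_from_certificate(san):
    """Azure AD join rule: principal name first, then RFC822Name, else None (hint required)."""
    first_of_kind = {}
    for kind, value in san:
        first_of_kind.setdefault(kind, value)  # first entry of each kind wins
    return first_of_kind.get(PRINCIPAL_NAME) or first_of_kind.get(RFC822_NAME)


def value_sent_by_windows(ctx):
    """Return the identifier Windows sends to Azure AD, following the table above."""
    if ctx.username_hint:               # a supplied hint is always sent
        return ctx.username_hint
    if ctx.join_type == "aad":
        return upn_from_certificate(ctx.san)
    if ctx.join_type == "hybrid":
        if ctx.cached_aad_upn:          # subsequent sign-in: cached Azure AD UPN
            return ctx.cached_aad_upn
        if ctx.ad_upn is None:          # first sign-in requires a successful AD sign-in
            raise ValueError("hybrid sign-in needs a successful AD sign-in first")
        return ctx.ad_upn
    raise ValueError(f"unknown join type {ctx.join_type!r}")


def resolve_user(directory, sent_value):
    """Azure AD lookup: match userPrincipalName first, then onPremisesUserPrincipalName."""
    if sent_value is None:
        return None
    wanted = sent_value.lower()
    for user in directory:
        if user.user_principal_name.lower() == wanted:
            return user
    for user in directory:
        if (user.on_premises_user_principal_name or "").lower() == wanted:
            return user
    return None


def sign_in(directory, ctx):
    """Pick the value Windows sends, look the user up, cache the Azure AD UPN on success."""
    sent = value_sent_by_windows(ctx)
    user = resolve_user(directory, sent)
    if user is not None and ctx.join_type == "hybrid":
        ctx.cached_aad_upn = user.user_principal_name  # used on subsequent sign-ins
    return sent, user


# Constructed sample tenant: Alice has a non-routable on-prem UPN, Bob is cloud-only.
DIRECTORY = [
    AzureAdUser("alice@woodgrove.com", on_premises_user_principal_name="alice@woodgrove.local"),
    AzureAdUser("bob@woodgrove.com"),
]

if __name__ == "__main__":
    hybrid = SignInContext("hybrid", san=[], ad_upn="alice@woodgrove.local")
    print(sign_in(DIRECTORY, hybrid))   # first sign-in: matched via onPremisesUserPrincipalName
    print(sign_in(DIRECTORY, hybrid))   # subsequent sign-in: cached alice@woodgrove.com is sent
```

Running the two hybrid sign-ins back to back shows the behaviour the page describes: the first sends the non-routable AD UPN and is matched through onPremisesUserPrincipalName, the second sends the cached Azure AD UPN. Feeding an Azure AD-joined context with a SAN that has neither a principal name nor an RFC822Name returns no value, which is the case where a User Name Hint is required.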

Supported Windows platforms

Windows smart card sign-in works with the latest preview build of Windows 11. The functionality is also available for these earlier Windows versions after you apply one of the following updates: KB5017383

Supported browsers

  • Edge
  • Chrome
  • Safari
  • Firefox

Note

Azure AD CBA supports both certificates stored on the device and certificates on external storage such as security keys on Windows.

Restrictions and caveats

  • Azure AD CBA is supported on Windows devices that are hybrid or Azure AD joined.
  • Users must be in a managed domain or using Staged Rollout and can't use a federated authentication model.

Next steps