Microsoft Entra certificate-based authentication with federation on Android
Android devices can use certificate-based authentication (CBA) to authenticate to Microsoft Entra ID using a client certificate on their device when connecting to:
- Office mobile applications such as Microsoft Outlook and Microsoft Word
- Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
Microsoft mobile applications support
|Azure Information Protection app
|Intune Company Portal
|Skype for Business
|Word / Excel / PowerPoint
The device OS version must be Android 5.0 (Lollipop) and above.
A federation server must be configured.
For Microsoft Entra ID to revoke a client certificate, the AD FS token must have the following claims:
http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>(The serial number of the client certificate)
http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>(The string for the issuer of the client certificate)
Microsoft Entra ID adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
As a best practice, you should update your organization's AD FS error pages with the following information:
- The requirement for installing the Microsoft Authenticator on Android.
- Instructions on how to get a user certificate.
For more information, see Customizing the AD FS Sign-in Pages.
Office apps with modern authentication enabled send 'prompt=login' to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates 'prompt=login' in the request to AD FS as 'wauth=usernamepassworduri' (asks AD FS to do U/P Auth) and 'wfresh=0' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Microsoft Entra behavior. Set the 'PromptLoginBehavior' in your federated domain settings to 'Disabled'. You can use New-MgDomainFederationConfiguration to perform this task:
New-MgDomainFederationConfiguration -DomainId <domain> -PromptLoginBehavior "disabled"
Exchange ActiveSync clients support
Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported. To determine if your email application does support this feature, contact your application developer.
If you want to configure certificate-based authentication in your environment, see Get started with certificate-based authentication on Android for instructions.