Frequently asked questions about Azure AD certificate-based authentication (CBA)

This article addresses frequently asked questions about how Azure AD certificate-based authentication (CBA) works. Keep checking back for updated content.

Why don't I see an option to sign in to Azure Active Directory by using certificates after I enter my username?

An administrator needs to enable CBA for the tenant to make the sign-in with certificate option available for users. For more information, see Step 3: Configure authentication binding policy.

Where can I get more diagnostic information after a user sign-in failed?

On the error page, click More Details to get information you can pass to your tenant admin. The tenant admin can then investigate further in the Sign-ins report. For example, if a user's certificate has been revoked and appears in the Certificate Revocation List (CRL), authentication correctly fails, and the Sign-ins report provides the diagnostic detail for that failure.

How can an administrator enable Azure AD CBA?

  1. Sign in to the Azure portal as a Global Administrator.
  2. Click Azure Active Directory > Security > Authentication methods > Certificate-based Authentication > Basics, and then click Yes to enable certificate-based authentication.

Is Azure AD CBA a free feature?

Certificate-based authentication is a free feature. Every edition of Azure AD includes Azure AD CBA. For more information about features in each Azure AD edition, see Azure AD pricing.

Does Azure AD CBA support Alternate ID as the username instead of userPrincipalName?

No, sign-in using a non-UPN value, such as an alternate email address, isn't currently supported.

Can I have more than one CRL Distribution Point (CDP) for a Certificate Authority (CA)?

No, only one CDP is supported per CA.

Can I have non-http URLs for CDP?

No, CDP supports only HTTP URLs.

How do I turn certificate revocation checking on or off for a particular CA?

We highly recommend against disabling certificate revocation list (CRL) checking, because you won't be able to revoke certificates. However, if you need to investigate issues with CRL checking, you can update a trusted CA and set its crlDistributionPoint attribute to "" (an empty string).

Use the Set-AzureADTrustedCertificateAuthority cmdlet (the example clears the CDP of the first trusted CA returned; pick the index of the CA you are investigating):

$c = Get-AzureADTrustedCertificateAuthority                              # all trusted CAs in the tenant
$c[0].crlDistributionPoint = ""                                          # empty CDP: CRL checking is skipped for this CA
Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[0]   # write the change back

Is there a limit for CRL size?

The following CRL size limits apply:

  • Interactive sign-in download limit: 20 MB (Azure Global, including GCC); 45 MB (Azure US Government, including GCC High and Department of Defense)
  • Service download limit: 45 MB (Azure Global, including GCC); 150 MB (Azure US Government, including GCC High and Department of Defense)

When a CRL download fails, the following message appears:

"The Certificate Revocation List (CRL) downloaded from {uri} has exceeded the maximum allowed size ({size} bytes) for CRLs in Azure Active Directory. Try again in few minutes. If the issue persists, contact your tenant administrators."

The download continues in the background, where the higher service download limit applies.

We're reviewing the impact of these limits and have plans to remove them.

I have a valid Certificate Revocation List (CRL) endpoint set, so why isn't CRL revocation taking effect?

  • Make sure the CRL distribution point is set to a valid HTTP URL.
  • Make sure the CRL distribution point is accessible via an internet-facing URL.
  • Make sure the CRL sizes are within limits.
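The three checks in the list above, together with the CRL size limits from the previous answer, can be applied to a CDP before it is configured. The following Python is an added example, not code from the article or from Microsoft: check_cdp returns a list of finding codes for a URL and a CRL size, and crl_size_from_headers obtains the size with a HEAD request. The host names, the "MB = 1024 * 1024" unit interpretation, and the single-label-name heuristic for "not internet-facing" are assumptions.

```python
import ipaddress
import urllib.request
from urllib.parse import urlparse

# CRL size limits quoted in the FAQ. "MB" is taken as 1024 * 1024 bytes here;
# that unit interpretation is an assumption, not something the FAQ states.
MB = 1024 * 1024
CRL_LIMITS = {
    # cloud: (interactive sign-in download limit, background service download limit)
    "global": (20 * MB, 45 * MB),    # Azure Global, including GCC
    "usgov": (45 * MB, 150 * MB),    # Azure US Government, GCC High, DoD
}


def check_cdp(url, crl_size_bytes, cloud="global"):
    """Return a list of finding codes for a CRL Distribution Point (CDP).

    An empty list means the CDP passes every check in the FAQ's troubleshooting
    list: http:// scheme, a host that looks internet-facing, and a CRL that is
    within the interactive and service download limits for the given cloud.
    """
    findings = []
    parsed = urlparse(url)

    # 1. Only HTTP URLs are supported for the CDP (https://, ldap:// and so on are not).
    if parsed.scheme != "http":
        findings.append("bad-scheme")

    # 2. The CDP must be reachable from the internet. A missing host, a
    #    single-label name, or a private/loopback IP literal cannot be.
    host = parsed.hostname
    if not host:
        findings.append("no-host")
    else:
        try:
            ip = ipaddress.ip_address(host)
            if not ip.is_global:
                findings.append("not-internet-facing")
        except ValueError:
            # Not an IP literal: a bare single-label name such as "crl01" or
            # "localhost" only resolves on an internal network (heuristic).
            if "." not in host:
                findings.append("not-internet-facing")

    # 3. Size limits. Above the service limit not even the background download
    #    succeeds; above only the interactive limit, interactive sign-in fails
    #    until the background download completes.
    interactive_limit, service_limit = CRL_LIMITS[cloud]
    if crl_size_bytes > service_limit:
        findings.append("exceeds-service-limit")
    elif crl_size_bytes > interactive_limit:
        findings.append("exceeds-interactive-limit")

    return findings


def crl_size_from_headers(url):
    """Ask the CDP for the CRL size with a HEAD request (needs network access).

    Returns the Content-Length as an int, or None if the server did not send it.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        length = resp.headers.get("Content-Length")
    return int(length) if length is not None else None


if __name__ == "__main__":
    # Constructed input: a hypothetical CDP host and an assumed 30 MB CRL.
    print(check_cdp("http://crl.contoso.example/ca.crl", 30 * MB, "global"))
```

A 30 MB CRL is reported as exceeding the interactive limit in Azure Global but passes in Azure US Government, which matches the two rows of the limits list; run crl_size_from_headers against your own CDP to feed a real size into check_cdp.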

How do I instantly revoke a certificate?

Follow the steps to manually revoke a certificate.

Will the changes to the Authentication methods policy take effect immediately?

The policy is cached. After a policy update, it may take up to an hour for the changes to take effect.

Why do I see the certificate-based authentication option after it fails?

The Authentication method policy always shows all available authentication methods to the user so they can retry sign-in using any method they prefer. Azure AD doesn't hide available methods based on success or failure of a sign-in.

Why does certificate-based authentication (CBA) loop once it fails?

The browser caches the certificate after the certificate picker appears. If the user retries, the cached certificate is used automatically. The user should close the browser, and reopen a new session to try CBA again.

Why doesn't the proof-up prompt for registering other authentication methods appear when I use single-factor certificates?

A user is considered MFA capable when the user is in scope for the certificate-based authentication method. This means the user can't use proof-up as part of their authentication to register other available methods; they must complete MFA via another method in order to register other available authentication methods.

How can I use single-factor certificates to complete MFA?

Single-factor CBA is supported as one part of MFA. The two supported combinations are single-factor CBA + passwordless phone sign-in (PSI) and single-factor CBA + FIDO2. For more information, see MFA with single factor certificates.

A CertificateUserIds update fails because the value is already in use. How can an admin query all the user objects with the same value?

Tenant admins can run Microsoft Graph queries to find all the users with a given certificateUserIds value. For more information, see CertificateUserIds graph queries.

To get all user objects that have the value 'bob@contoso.com' in certificateUserIds:

GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq 'bob@contoso.com')
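Two details matter when this query is scripted: the value must be escaped as an OData string literal (single quotes doubled) so a user-supplied value cannot alter the filter, and Graph pages large results, so every @odata.nextLink has to be followed or some of the duplicate holders are missed. The Python below is an added example, not code from the article or a Microsoft SDK. It builds the same query as above, follows paging through an injected fetch function, and ships a constructed two-page sample response (the GUIDs and user principal names are made up) so it runs offline; graph_fetch_json is the network-backed fetcher you would pass in for real use, with a bearer token you obtain separately.

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def odata_string_literal(value):
    """Quote a value as an OData string literal.

    Single quotes inside the value are doubled, so a value such as
    o'brien@contoso.com cannot close the literal and change the filter.
    """
    return "'" + value.replace("'", "''") + "'"


def build_certificate_user_ids_query(value, select=("id", "userPrincipalName", "certificateUserIds")):
    """Build the users query shown in the FAQ, with the value escaped and URL-encoded."""
    odata_filter = f"certificateUserIds/any(x:x eq {odata_string_literal(value)})"
    return f"{GRAPH_BASE}/users?$filter={quote(odata_filter)}&$select={','.join(select)}"


def find_users_by_certificate_user_id(value, fetch_json):
    """Return every user object whose certificateUserIds contains `value`.

    `fetch_json(url)` performs an authenticated GET and returns the parsed JSON
    body. It is injected so the caller owns token handling and so this function
    can be exercised offline. Every @odata.nextLink is followed so that holders
    of the same value on later pages are not missed.
    """
    users = []
    url = build_certificate_user_ids_query(value)
    while url:
        page = fetch_json(url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


def graph_fetch_json(url, access_token):
    """Minimal authenticated GET against Microsoft Graph (needs network and a token)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses standing in for Graph: two pages of users that
# all carry the same certificateUserIds value. IDs and UPNs are made up.
_SAMPLE_PAGES = {
    "first": {
        "value": [
            {"id": "11111111-0000-0000-0000-000000000001",
             "userPrincipalName": "bob@contoso.com",
             "certificateUserIds": ["bob@contoso.com"]},
            {"id": "11111111-0000-0000-0000-000000000002",
             "userPrincipalName": "bob.admin@contoso.com",
             "certificateUserIds": ["bob@contoso.com"]},
        ],
        "@odata.nextLink": GRAPH_BASE + "/users?$skiptoken=constructed-page-2",
    },
    "second": {
        "value": [
            {"id": "11111111-0000-0000-0000-000000000003",
             "userPrincipalName": "svc-bob@contoso.com",
             "certificateUserIds": ["bob@contoso.com"]},
        ],
    },
}


def sample_fetch_json(url):
    """Offline stand-in for graph_fetch_json that serves the constructed pages."""
    return _SAMPLE_PAGES["second" if "skiptoken" in url else "first"]


if __name__ == "__main__":
    for user in find_users_by_certificate_user_id("bob@contoso.com", sample_fetch_json):
        print(user["id"], user["userPrincipalName"])
```

Against a real tenant, replace sample_fetch_json with `lambda u: graph_fetch_json(u, token)`; the three constructed users show why paging matters, since the conflicting object may sit on the second page.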