Windows smart card sign-in using Azure Active Directory certificate-based authentication
Azure Active Directory (Azure AD) users can authenticate using X.509 certificates on their smart cards directly against Azure AD at Windows sign-in. There's no special configuration needed on the Windows client to accept the smart card authentication.
Follow these steps to set up Windows smart card sign-in:
1. Join the machine to either Azure AD or a hybrid environment (hybrid join).
2. Configure Azure AD CBA in your tenant as described in Configure Azure AD CBA.
3. Make sure the user is either on managed authentication or using Staged Rollout.
4. Present the physical or virtual smart card to the test machine.
5. Select the smart card icon, enter the PIN, and authenticate the user.
Users will get a primary refresh token (PRT) from Azure AD after the successful sign-in. Depending on the CBA configuration, the PRT will contain the multifactor claim.
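The procedure above depends on two things you can verify from the client: the device's join state (step 1, and the Restrictions section below) and whether the user actually received a PRT after the smart card sign-in. The following PowerShell function is an added example and not part of the Microsoft article; it parses the `Name : Value` lines that `dsregcmd /status` prints on Windows 10 and 11 and assumes the field names `AzureAdJoined`, `DomainJoined`, `TenantName`, `AzureAdPrt` and `AzureAdPrtUpdateTime` that the tool currently emits.

```powershell
# Added example (not from the Microsoft article): read device join state and PRT
# status from dsregcmd /status. Run in the context of the user who signed in with
# the smart card, because the SSO State section is per-user.
function Get-CbaDeviceState {
    param(
        # Defaults to running the tool; pass captured lines to evaluate offline
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "         AzureAdJoined : YES" style lines
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined = $state['DomainJoined']  -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined     = $aadJoined
        # Hybrid join = domain joined AND registered with Azure AD
        HybridJoined      = ($aadJoined -and $domainJoined)
        # CBA smart card sign-in needs Azure AD join or hybrid join; registered-only
        # (AzureAdJoined : NO, AzureAdRegistered : YES) devices are not supported
        JoinTypeSupported = $aadJoined
        TenantName        = $state['TenantName']
        # SSO State section: YES once a sign-in has obtained a primary refresh token
        AzureAdPrt        = ($state['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime     = $state['AzureAdPrtUpdateTime']
    }
}

# Usage: run after the smart card sign-in; AzureAdPrt should be True
Get-CbaDeviceState | Format-List
```

If `JoinTypeSupported` is `True` but `AzureAdPrt` stays `False` after the sign-in, the failure is in the CBA or authentication-method configuration (tenant CBA policy, managed domain or Staged Rollout), not in the client, which needs no special configuration.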
Expected behavior of Windows sending user UPN to Azure AD CBA
| Sign-in | Azure AD join | Hybrid join |
|---|---|---|
| First sign-in | Pull from certificate | AD UPN or x509Hint |
| Subsequent sign-in | Pull from certificate | Cached Azure AD UPN |
Windows rules for sending UPN for Azure AD-joined devices
Windows first uses the Principal Name (UPN) entry in the SubjectAlternativeName (SAN) extension of the certificate used to sign in to Windows; if that entry isn't present, it uses the RFC822Name (email) entry instead. If neither is present, the user must additionally supply a User Name Hint. For more information, see User Name Hint.
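The selection order above can be checked against a certificate before it is issued to a user. The PowerShell function below is an added example, not code from the Microsoft article; it applies the same order (SAN Principal Name, then SAN RFC822Name, then the username hint) to an `X509Certificate2` and reports which value Windows would send and whether a User Name Hint is required. It assumes Windows, where `X509Extension.Format($true)` renders the SAN with the labels `Principal Name=` and `RFC822 Name=` (the CryptFormatObject text that certutil also shows); the address `alice@contoso.com` in the usage line is a placeholder.

```powershell
# Added example (not from the Microsoft article): reproduce the Azure AD-joined
# UPN selection rules for a certificate. Windows-only: relies on the SAN text
# produced by X509Extension.Format() on Windows.
function Get-CbaSignInName {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Optional X509UserNameHint the user would type at the Windows sign-in screen
        [string]$UserNameHint
    )
    process {
        # SubjectAlternativeName extension, OID 2.5.29.17
        $san  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $text = if ($san) { $san.Format($true) } else { '' }

        # Rule 1: SAN otherName Principal Name (the UPN, OID 1.3.6.1.4.1.311.20.2.3)
        $upn   = if ($text -match 'Principal Name=([^\s,]+)') { $Matches[1] } else { $null }
        # Rule 2: SAN RFC822Name (email address)
        $email = if ($text -match 'RFC822 Name=([^\s,]+)')    { $Matches[1] } else { $null }

        $name = $null; $source = $null
        if ($upn)              { $name = $upn;          $source = 'SAN PrincipalName' }
        elseif ($email)        { $name = $email;        $source = 'SAN RFC822Name' }
        elseif ($UserNameHint) { $name = $UserNameHint; $source = 'X509UserNameHint' }

        [pscustomobject]@{
            Thumbprint        = $Certificate.Thumbprint
            Subject           = $Certificate.Subject
            SignInName        = $name
            Source            = $source
            # Rule 3: with neither SAN entry, sign-in cannot proceed without a hint
            NeedsUserNameHint = (-not $upn -and -not $email)
            # A supplied hint is sent in all cases, even when the SAN has a UPN
            HintAlsoSent      = [bool]$UserNameHint
        }
    }
}

# Usage: evaluate the user's personal store, where the Certificate Propagation
# service places smart card certificates after the card is inserted.
Get-ChildItem Cert:\CurrentUser\My |
    Get-CbaSignInName -UserNameHint 'alice@contoso.com' |
    Format-Table Subject, SignInName, Source, NeedsUserNameHint -AutoSize
```

A certificate whose `Source` is `SAN RFC822Name` only works if the RFC822 address is the value Azure AD CBA is configured to bind on; a certificate with `NeedsUserNameHint` set to `True` requires the tenant's User Name Hint setting to be enabled, or the sign-in will fail before any value reaches Azure AD.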
Windows rules for sending UPN for hybrid Azure AD-joined devices
A hybrid-joined sign-in must first succeed against the Active Directory (AD) domain. The user's AD UPN is then sent to Azure AD. In most cases the Active Directory UPN value is the same as the Azure AD UPN value and is synchronized by Azure AD Connect.
Some customers maintain different, and sometimes non-routable, UPN values in Active Directory (such as firstname.lastname@example.org). In these cases the value sent by Windows may not match the user's Azure AD UPN. To support these scenarios, when Azure AD can't match the value sent by Windows, it performs a subsequent lookup for a user whose onPremisesUserPrincipalName attribute matches that value. If the sign-in succeeds, Windows caches the user's Azure AD UPN and sends it in subsequent sign-ins.
In all cases, a user-supplied username login hint (X509UserNameHint) is sent if provided. For more information, see User Name Hint.
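Before rolling CBA out to hybrid-joined devices it is worth finding the users whose AD UPN does not match their Azure AD UPN, because those users depend on the onPremisesUserPrincipalName fallback described above. The PowerShell function below is an added example and not the article's own code: it resolves one AD user the way the text says Azure AD does on a first hybrid sign-in. It assumes the ActiveDirectory RSAT module, the Microsoft.Graph.Users module, and a prior `Connect-MgGraph -Scopes User.Read.All`; the account name in the usage line is a placeholder.

```powershell
# Added example (not from the Microsoft article): check whether the AD UPN that
# Windows sends on a first hybrid-joined sign-in resolves in Azure AD directly,
# via the onPremisesUserPrincipalName fallback, or not at all.
function Test-HybridCbaUpnMatch {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Step 1: the value Windows sends is the on-premises AD UPN
    $adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $sent   = $adUser.UserPrincipalName
    # OData string literals escape a single quote by doubling it
    $literal = $sent.Replace("'", "''")
    $props   = 'Id', 'UserPrincipalName', 'OnPremisesUserPrincipalName'

    # Step 2: direct match on the Azure AD UPN
    $match = Get-MgUser -Filter "userPrincipalName eq '$literal'" -Property $props
    $via   = 'userPrincipalName'
    if (-not $match) {
        # Step 3: fallback lookup used when the AD UPN (e.g. a non-routable
        # suffix) differs from the Azure AD UPN
        $match = Get-MgUser -Filter "onPremisesUserPrincipalName eq '$literal'" -Property $props
        $via   = 'onPremisesUserPrincipalName'
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        SentByWindows  = $sent
        # After a successful sign-in Windows caches this value and sends it next time
        AzureAdUpn     = $match.UserPrincipalName
        MatchedOn      = if ($match) { $via } else { 'none: sign-in will fail' }
        UpnDiffers     = ($match -and $match.UserPrincipalName -ne $sent)
    }
}

# Usage: one user; pipe a list of SamAccountNames through ForEach-Object to audit many
Test-HybridCbaUpnMatch -SamAccountName 'alice'
```

Users reported with `MatchedOn` of `none` are the ones to fix before enabling CBA for them: either their onPremisesUserPrincipalName isn't synchronized, or they aren't synchronized at all.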
For more information about the Windows flow, see Certificate Requirements and Enumeration (Windows).
Supported Windows platforms
Windows smart card sign-in works with the latest preview build of Windows 11. The functionality is also available on the following earlier Windows versions after you apply the corresponding update:
- Windows 11 - kb5017383
- Windows 10 - kb5017379
- Windows Server 20H2- kb5017380
- Windows Server 2022 - kb5017381
- Windows Server 2019 - kb5017379
On Windows, Azure AD CBA supports certificates stored on the device as well as certificates on external storage such as security keys.
Restrictions and caveats
- Azure AD CBA is supported on Windows devices that are hybrid or Azure AD joined.
- Users must be in a managed domain or using Staged Rollout and can't use a federated authentication model.