# Microsoft CBA Overview

> For customers whose domains are not federated with TruU or a third-party identity provider (IDP) such as Okta, Ping, or ForgeRock, special steps are required to achieve a seamless logon experience on Microsoft Windows, or to enable passwordless logon on macOS.

Customers using TOTAL Protect for frontline access (Shared Workstation) or TOTAL Protect Authenticator for Windows with a smart card must enable certificate-based authentication (CBA) in Entra ID. Enabling this authentication method gives users a smooth logon experience on both Microsoft Windows and macOS, even without a traditional federated identity solution.

* Organizations need at least one certification authority (CA) in place, either as part of an on-premises Public Key Infrastructure (PKI) or in a cloud-based PKI solution such as TruU Cloud PKI
* Users should possess a client authentication certificate issued by a trusted PKI that has been configured on the tenant
* Only users with the Global Administrator or Privileged Authentication Administrator role have the permissions needed to configure the CA
* The CA requires an accessible, internet-facing URL at which its Certificate Revocation List (CRL) is published
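
A static pre-flight check for the last prerequisite, added here as an example (not TruU or Microsoft code): it flags CRL distribution point URLs that cannot be internet-facing before the CA is configured on the tenant. The function names, the internal DNS suffix list, the sample URLs, and the choice to treat non-HTTP schemes such as `ldap://` as not internet-facing are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: DNS suffixes that normally resolve only inside a corporate network.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")

# Constructed sample CRL distribution points, as they might appear in CA certificates.
SAMPLE = [
    "http://crl.example.com/pki/issuing-ca.crl",
    "ldap:///CN=Issuing-CA,CN=CDP,DC=corp,DC=local?certificateRevocationList",
    "http://pki01/CertEnroll/issuing-ca.crl",
    "http://10.0.4.12/issuing-ca.crl",
    "http://pki.corp.local/CertEnroll/issuing-ca.crl",
]

def check_crl_url(url):
    """Return the reasons a CRL URL cannot be internet-facing (empty list = passes)."""
    problems = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme.lower() not in ("http", "https"):
        problems.append(f"scheme '{parts.scheme}' is not fetched over the internet")
    if not host:
        problems.append("no host name in URL")
        return problems
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    if ip is not None:
        if not ip.is_global:
            problems.append(f"{host} is not a publicly routable address")
    elif "." not in host:
        problems.append(f"{host} is a single-label (intranet) name")
    elif host.lower().endswith(INTERNAL_SUFFIXES):
        problems.append(f"{host} uses an internal-only DNS suffix")
    return problems

def review(urls):
    """Map each URL to its list of problems."""
    return {u: check_crl_url(u) for u in urls}

if __name__ == "__main__":
    for url, problems in review(SAMPLE).items():
        print("OK  " if not problems else "FAIL", url, "; ".join(problems))
```

A passing URL is only a candidate: confirm from outside the corporate network that it is reachable and actually serves a current CRL.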

***

[Configure Entra ID Certificate Based Authentication](/docs/copy-of-cba-with-entra-id-and-microsoft-ca)

[CBA with Entra ID and Cloud Trust](/docs/configuring-entra-id-cba-using-cloud-trust)
