
# Configure Entra ID for Microsoft CBA

## Configuration of Certificate-Based Authentication

1. Sign into the Microsoft Entra portal using a Global Administrator account
2. Proceed to Microsoft Entra ID, select **Security**, and then click on **Certificate Authorities** in the menu

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/caa49cb-image.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=a992ef67dee70139dda3f99c0f9265f6" alt="" width="1262" height="888" data-path="images/docs/caa49cb-image.png" />

3. To upload a CA, click **Upload**:

a. Select the **CA file**

b. Select **Yes** if the CA is a root certificate, otherwise select **No**

c. Set the *http internet-facing URL* for the certification authority's base CRL, which lists all revoked certificates. This must be set; otherwise authentication with a revoked certificate will not fail

d. Set the *Delta CRL URL*: the http internet-facing URL for the CRL that lists the certificates revoked since the last base CRL was published

e. Click **Add**

4. To delete a CA certificate, select the certificate and click **Delete**
5. Click **Columns** to add or delete columns

<img src="https://mintcdn.com/truu-2/ehCBQgFdl_pQd0MN/images/docs/b86b677-image.png?fit=max&auto=format&n=ehCBQgFdl_pQd0MN&q=85&s=d9a75d060194c1ab06f1f13bbfb3f00f" alt="" width="1182" height="456" data-path="images/docs/b86b677-image.png" />

## Configure Authentication Binding Policy

The authentication binding policy determines the strength of authentication, either single-factor or multifactor. An admin can change the default from single-factor to multifactor and configure custom policy rules by mapping the issuer Subject or policy OID fields of the certificate to a protection level.

To enable certificate-based authentication and configure user bindings in the Entra portal, complete the following steps:

1. Sign into the Microsoft Entra portal as Authentication Policy Administrator
2. Select **Microsoft Entra ID** (Azure Active Directory), then choose **Security** from the menu on the left-hand side
3. Click **Authentication methods**, then **Policies**
4. Under Manage, select **Authentication methods**, then **Certificate-based Authentication**

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/2d37728-image.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=3a8e5641e01dce0e21f1454fc8b1501a" alt="" width="1268" height="640" data-path="images/docs/2d37728-image.png" />

5. Click **Configure** to set up authentication binding and username binding
6. The protection level attribute has a default value of Single-factor authentication. Select **Multi-factor authentication** to change the default value to MFA

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/cff9b8a-image.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=2cd9681392e2c567bc246dc089a95e7c" alt="" width="1204" height="514" data-path="images/docs/cff9b8a-image.png" />

7. You can also set up custom authentication binding rules to help determine the protection level for client certificates. It can be configured using either the issuer Subject or Policy OID fields in the certificate

Note: An authentication binding rule maps a certificate attribute (issuer or Policy OID) to a value and sets the protection level for certificates that match that rule. Multiple rules can be created

8. To add custom rules, click on **Add Rule**

<img src="https://mintcdn.com/truu-2/YlfY4z_3_-uDkBaP/images/docs/5887b8f-image.png?fit=max&auto=format&n=YlfY4z_3_-uDkBaP&q=85&s=71307773bd22a678e98240482be7ab0e" alt="" width="1208" height="298" data-path="images/docs/5887b8f-image.png" />

9. To create a rule by certificate issuer, click **Certificate issuer**

a. Select a Certificate issuer identifier from the list box

b. Click **Multi-factor authentication** as a protection level

c. To create a rule by Policy OID, click **Policy OID**

d. Enter a *value* for Policy OID

e. Click **Multi-factor authentication** as a protection level

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/3762f25-image.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=ea950eda5e7381e3f55be1af68ed01d3" alt="" width="1018" height="418" data-path="images/docs/3762f25-image.png" />

10. Click **Ok** to save any custom rule

## Configure Username Binding Policy

The username binding policy helps determine the user in the tenant. By default, we map Principal Name in the certificate to onPremisesUserPrincipalName in the user object to determine the user.

An admin can override the default and create a custom mapping. Currently, we support two certificate fields, SAN (Subject Alternative Name) Principal Name and SAN RFC822Name, which can be mapped against the user object attributes userPrincipalName and onPremisesUserPrincipalName. Use the following steps to configure the username binding policy.

NOTE: If a username binding policy uses synced attributes, such as the onPremisesUserPrincipalName attribute of the user object, be aware that any user with administrative access to the Entra ID Connect server can change the sync attribute mapping and thereby set the synced attribute to a value of their choosing. Such a user does not need to be a cloud admin.

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/c70abc6-image.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=0007ad954bfbead34c29a05c0bf6cc54" alt="" width="1220" height="426" data-path="images/docs/c70abc6-image.png" />

1. Create the username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes. The username binding order represents the priority level of the binding: the first one has the highest priority, and so on. If the specified X.509 certificate field is found on the certificate but Microsoft Entra ID doesn't find a user object using that value, the authentication fails; Microsoft Entra ID doesn't try the next binding in the list. The next priority is attempted only if the X.509 certificate field is absent from the certificate.
2. Click **Save** to save the changes

NOTE: Currently supported set of username bindings:

- SAN Principal Name > userPrincipalName
- SAN Principal Name > onPremisesUserPrincipalName
- SAN RFC822Name > userPrincipalName
- SAN RFC822Name > onPremisesUserPrincipalName
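The two policies above, authentication binding (rules by issuer or Policy OID, falling back to the tenant default) and username binding (priority order, with a hard failure when a present field matches no user), modelled in Python as an added example that is not part of this page or the Truu product. The directory, the Policy OID `1.3.6.1.4.1.99999.1` and the certificate fields are constructed, and exact-string matching is a simplification of Entra's own comparison rules.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SINGLE_FACTOR, MULTI_FACTOR = "single-factor", "multi-factor"

@dataclass
class Cert:
    """Fields already extracted from a client certificate (constructed, not parsed)."""
    issuer: str                                # issuer DN as chosen in the portal's list box
    policy_oids: Tuple[str, ...] = ()          # certificatePolicies OIDs
    san_principal_name: Optional[str] = None   # SAN otherName UPN
    san_rfc822_name: Optional[str] = None      # SAN rfc822Name (e-mail)

def protection_level(cert, rules, default=SINGLE_FACTOR):
    """Authentication binding: first matching rule wins, else the tenant default."""
    for kind, value, level in rules:            # rule = ("issuer"|"policy_oid", value, level)
        if (kind == "issuer" and cert.issuer == value) or \
           (kind == "policy_oid" and value in cert.policy_oids):
            return level
    return default

FIELD_GETTERS = {"SAN Principal Name": lambda c: c.san_principal_name,
                 "SAN RFC822Name": lambda c: c.san_rfc822_name}

def resolve_user(cert, bindings, users):
    """Username binding: the first binding whose certificate field is present decides;
    no matching user means failure, and later bindings are NOT consulted."""
    for cert_field, user_attr in bindings:
        value = FIELD_GETTERS[cert_field](cert)
        if value is None:
            continue                            # field absent: fall through to next binding
        for user_id, attrs in users.items():
            if attrs.get(user_attr) == value:   # exact match (simplification of Entra's rules)
                return user_id
        return None                             # field present, no match: hard failure
    return None

# Constructed sample directory, policy and certificates (hypothetical OID, not a real CA).
USERS = {"u1": {"userPrincipalName": "alice@contoso.com",
                "onPremisesUserPrincipalName": "alice@corp.local"}}
BINDINGS = [("SAN Principal Name", "onPremisesUserPrincipalName"),   # priority 1
            ("SAN RFC822Name", "userPrincipalName")]                  # priority 2
RULES = [("policy_oid", "1.3.6.1.4.1.99999.1", MULTI_FACTOR)]

def demo():
    ca = "CN=Corp Issuing CA"
    smartcard = Cert(ca, ("1.3.6.1.4.1.99999.1",), san_principal_name="alice@corp.local")
    stale = Cert(ca, san_principal_name="bob@corp.local", san_rfc822_name="alice@contoso.com")
    email_only = Cert(ca, san_rfc822_name="alice@contoso.com")
    return [(resolve_user(c, BINDINGS, USERS), protection_level(c, RULES))
            for c in (smartcard, stale, email_only)]
```

The `stale` certificate shows the failure mode the note above warns about: its SAN Principal Name is present but matches nobody, so the RFC822Name binding that would have found the user is never tried.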

## Enable CBA on the Tenant

1. Sign in to the Microsoft Entra portal as an Authentication Policy Administrator
2. Select **Microsoft Entra ID**, then choose **Security** from the menu on the left-hand side
3. Under Manage, select **Authentication methods**, then **Certificate-based Authentication**
4. Then, under Enable and Target, select **Enable** to enable CBA
   1. CBA can be enabled for a targeted set of users

a. Click **All users** to enable all users

b. Click **Select users** to enable selected users or groups

c. Click **+ Add users**, select specific users and groups

d. Click **Select** to add them

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/f14740c-image.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=0903bf220cb0ec666d7942950be68258" alt="" width="1282" height="330" data-path="images/docs/f14740c-image.png" />

Once certificate-based authentication is enabled on the tenant, all users in the tenant will see the option to sign in with a certificate. Only users who are enabled for certificate-based authentication will be able to authenticate using an X.509 certificate.

To test your configuration, it is essential to verify both your certificate and any custom authentication binding rules you may have set up. To begin testing your certificate, attempt to sign into the MyApps portal using the browser on your device. Follow these steps:

1. Enter your *User Principal Name (UPN)*.
2. Click **Next**
3. Choose the **Sign in with a certificate** option

<img src="https://mintcdn.com/truu-2/jJ0QGEHfTe0CfrEY/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/de215812-07af-4a01-b59c-22d623946b03/4f4b8197-329e-47b1-8281-429baee6fa7c/images/158e63e8-da28-4fd1-9f6a-b050d97091ca.png?fit=max&auto=format&n=jJ0QGEHfTe0CfrEY&q=85&s=3bd3318e375c188fc271ac4f25b91cb2" alt="" width="862" height="645" data-path="images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/de215812-07af-4a01-b59c-22d623946b03/4f4b8197-329e-47b1-8281-429baee6fa7c/images/158e63e8-da28-4fd1-9f6a-b050d97091ca.png" />

<img src="https://mintcdn.com/truu-2/YlfY4z_3_-uDkBaP/images/docs/694e02e-image.png?fit=max&auto=format&n=YlfY4z_3_-uDkBaP&q=85&s=554514880d6f8cee831ce53e187f7bec" alt="" width="454" height="388" data-path="images/docs/694e02e-image.png" />

4. Select **Use Certificate or Smart card**

Note: Users might encounter a certificate selection prompt during their first login attempt. This prompt can be suppressed through a registry key or a group policy if desired

<img src="https://mintcdn.com/truu-2/ehCBQgFdl_pQd0MN/images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/de215812-07af-4a01-b59c-22d623946b03/4f4b8197-329e-47b1-8281-429baee6fa7c/images/8c6534b3-0345-40e4-9dde-62db2dd0ecbb.png?fit=max&auto=format&n=ehCBQgFdl_pQd0MN&q=85&s=1922f66835693c27b574765be3e7ca81" alt="" width="1160" height="1010" data-path="images/docs/a8cfe83b-31f5-4a65-a045-f9a5073b0415/de215812-07af-4a01-b59c-22d623946b03/4f4b8197-329e-47b1-8281-429baee6fa7c/images/8c6534b3-0345-40e4-9dde-62db2dd0ecbb.png" />

