Currently there is no way to choose one over the other.
• If AAD is enabled and valid for the user, AAD is used.
• If AAD is enabled but not valid for the user, then the client cert is the fallback.
There is no way to pick and choose; a client cert, if present, would be required at the time of establishing the TLS connection, and so SFX needs to know which form of authentication it should use right as it’s being opened. As mentioned above, if the user is signed in (AAD is enabled, and a token can be acquired), then the connection proceeds directly to the authorization phase (where the cluster examines the token’s claims). If the token is rejected/unauthorized, then the server falls back to prompting the client for a certificate. This dual-mode ‘authentication’ is only supported on Windows.
Hope this helps.