Windows logon with CBA

testuser7 271 Reputation points
2024-04-19T15:28:15.6666667+00:00

Hello,

As we know, we can do Windows device logon with "Certificate-based authentication": Microsoft Entra users can authenticate using X.509 certificates on their smart cards directly against Microsoft Entra ID at Windows sign-in.

To be precise about the above statement:

Does that mean that I have to use only physical smart cards (CAC, PIV, YubiKey) for Windows logon?

OR

Can a virtual smart card (cert in TPM, cert in the user's personal file store) also be used for Windows logon?

Thanks.


5 answers

  1. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-19T23:36:04.1833333+00:00

    Hi @testuser7

    Thanks for reaching out to Microsoft Q&A.

    You can use either virtual or physical smart cards; there's no limitation in this regard.

    The documentation below has more details about Windows smart card sign-in using Microsoft Entra certificate-based authentication and it also has information about the user experience, prerequisites and caveats:

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-smartcard

    Let me know if you have further questions.

    Thanks,

    Fabio


  2. testuser7 271 Reputation points
    2024-04-20T14:15:07.48+00:00

    Thanks @Fabio Andrade

    So, as you said, we can use a virtual smart card (cert in TPM, cert in the user's personal file store) for Windows logon.

    So let's say there is an AAD-joined Windows laptop where previously two AAD users had logged in and managed to obtain and store their own personal certs in their respective personal file stores.

    Let's say user1 got certs C1 & C2 and user2 got certs C3 & C4.

    Now if I reboot the machine and, from the lock screen, click the smart-card icon, I believe I will be shown the following certificate picker to pick one of the certs and enter its PIN to unlock the device.

    My question is, how is it decided which user's personal certificates are to be shown?

    Remember there is NO need to put in any UPN.

    User's image

    Thanks.


  3. testuser7 271 Reputation points
    2024-04-22T15:07:54.64+00:00

    @Fabio Andrade Any update? Is this possible?


  4. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-22T23:23:41.75+00:00

    Hi @testuser7

    The Windows OS will exhibit a list of client sign-in certificates available on the device. The document below explains how it works on the Windows side:

    https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration#smart-card-sign-in-flow

    User's image

    Just remember that the users must be in the scope of certificate-based authentication in Entra ID and also, even though the user is required to type their UPN on the Windows sign-in page, UPN is the attribute sent to Entra ID, so it must be in the certificate as the document below states; otherwise the user might be prompted to provide a UPN:

    User's image

    Let me know if you have further questions.

    Thanks,

    Fabio

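A way to check, on the device itself, which certificates in the signed-in user's personal store could show up in that picker and whether each carries the UPN the answer says Entra ID needs. This is an added PowerShell example, not code from the thread or from Microsoft's documentation; it assumes that a Client Authentication (1.3.6.1.5.5.7.3.2) or Smart Card Logon (1.3.6.1.4.1.311.20.2.2) EKU plus a UPN otherName in the SAN approximate the enumeration rules in the linked document, and it reports the key provider so a TPM-backed key can be told apart from a software key.

```powershell
# Added example (not from the thread): list certificates in the current user's
# personal store that could appear in the Windows smart-card certificate picker,
# and report whether each carries a UPN and where its private key lives.
# Assumption: the EKU and SAN checks below approximate the enumeration rules in
# the linked documentation; they are not Microsoft's exact algorithm.
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'       # Client Authentication
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$SanOid            = '2.5.29.17'               # Subject Alternative Name

function Get-KeyProviderName {
    # Distinguishes a TPM-backed key (Microsoft Platform Crypto Provider) from a
    # software KSP/CSP key, or reports that the key is not readable from here.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
        return 'unknown'
    } catch { return 'unavailable' }
}

function Get-CandidateLogonCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only certificates with a usable key and still within validity can be offered
        if (-not $cert.HasPrivateKey -or $cert.NotAfter -lt (Get-Date)) { continue }
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($ekus -contains $ClientAuthEku -or $ekus -contains $SmartCardLogonEku)) { continue }
        # The Windows formatter renders the UPN otherName as "Other Name:Principal Name=user@domain"
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $upn     = if ($sanText -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            EKUs        = ($ekus -join ', ')
            UPN         = $upn        # empty here means Entra ID may prompt for a UPN
            KeyProvider = Get-KeyProviderName -Cert $cert
        }
    }
}

Get-CandidateLogonCert | Format-Table -AutoSize
```

Run it in each user's own session, since Cert:\CurrentUser\My is per user; a row with an empty UPN column is a certificate that would pass the local EKU filter but could still fail the Entra ID username binding the answer describes.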

  5. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-29T22:51:06.8633333+00:00

    Hi @testuser7

    I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.

    If you have any other questions, please let me know.

    Thanks,

    Fabio
