Azure Active Directory certificate-based authentication on iOS

Certificate-based authentication (CBA) enables you to be authenticated by Azure Active Directory with a client certificate on a Windows, Android or iOS device when connecting your Exchange Online account to:

  • Office mobile applications such as Microsoft Outlook and Microsoft Word
  • Exchange ActiveSync (EAS) clients

Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS device for users of tenants in Office 365 Enterprise, Business, Education, US Government and China plans.

This feature is available in preview in Office 365 US Government Defense and Federal plans.

Office mobile applications support

  App                        | Support
  ---------------------------+----------
  Word / Excel / PowerPoint  | Supported
  OneNote                    | Supported
  OneDrive                   | Supported
  Outlook                    | Supported
  Yammer                     | Supported
  Skype for Business         | Supported
  Microsoft Teams            | Supported

Requirements

The device OS version must be iOS 9 or later.

A federation server must be configured.

Microsoft Authenticator is required for Office applications on iOS.

For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
    (The serial number of the client certificate)
  • http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
    (The string for the issuer of the client certificate)

Azure Active Directory adds these claims to the refresh token if they are present in the ADFS token (or any other SAML token). When the refresh token is validated, this information is used to check whether the client certificate has been revoked.
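One way to verify, before rolling out CBA, that the assertion your ADFS issues actually carries both revocation claims. This is an added example, not code from this article or from Microsoft; the claim-type strings are taken from the list above (substitute the exact URIs your ADFS issuance rules emit if they differ), and the sample assertions are constructed, unsigned and for testing only.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Claim types as listed in this article; substitute the exact type URIs your
# AD FS issuance rules emit if they differ.
REQUIRED_CLAIMS = {
    "serialnumber": "http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>",
    "issuer": "http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>",
}

def build_assertion(claims):
    """Build a minimal, unsigned, constructed SAML 2.0 assertion for testing."""
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAML}}}Assertion")
    stmt = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    for claim_type, value in claims.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=claim_type)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")

def extract_claims(assertion_xml):
    """Return {claim_type: [values]} from the assertion's AttributeStatement."""
    claims = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def check_revocation_claims(assertion_xml, required=REQUIRED_CLAIMS):
    """Return (ok, problems): ok only when each required claim appears exactly
    once with a non-empty value and the serial number is a hex string."""
    claims = extract_claims(assertion_xml)
    problems = []
    for label, claim_type in required.items():
        values = [v.strip() for v in claims.get(claim_type, []) if v.strip()]
        if not values:
            problems.append(f"missing {label} claim ({claim_type})")
        elif len(values) > 1:
            problems.append(f"{label} claim issued {len(values)} times, expected once")
        elif label == "serialnumber" and not all(c in "0123456789abcdefABCDEF" for c in values[0]):
            problems.append(f"serial number {values[0]!r} is not hexadecimal")
    return not problems, problems

# Constructed sample claims (not from a real token); BAD omits the issuer claim.
GOOD = build_assertion({REQUIRED_CLAIMS["serialnumber"]: "4A0F3C2B9D1E",
                        REQUIRED_CLAIMS["issuer"]: "CN=Contoso Issuing CA, DC=contoso, DC=com"})
BAD = build_assertion({REQUIRED_CLAIMS["serialnumber"]: "4A0F3C2B9D1E"})
```

Run `check_revocation_claims` against an assertion captured from your own ADFS test sign-in; a non-empty problems list means Azure AD will not be able to check revocation for that refresh token.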

As a best practice, you should update the ADFS error pages with the following:

  • The requirement for installing the Microsoft Authenticator on iOS
  • Instructions on how to get a user certificate.

For more details, see Customizing the AD FS Sign-in Pages.

Some Office apps (with modern authentication enabled) send 'prompt=login' to Azure AD in their request. By default, Azure AD translates this into a request to ADFS carrying 'wauth=usernamepassworduri' (asks ADFS to perform username/password authentication) and 'wfresh=0' (asks ADFS to ignore SSO state and perform a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior by setting 'PromptLoginBehavior' in your federated domain settings to 'Disabled'. You can use the Set-MsolDomainFederationSettings cmdlet to perform this task:

Set-MsolDomainFederationSettings -DomainName <domain> -PromptLoginBehavior Disabled

Exchange ActiveSync clients support

On iOS 9 or later, the native iOS mail client is supported. For all other Exchange ActiveSync applications, to determine if this feature is supported, contact your application developer.

Next steps

If you want to configure certificate-based authentication in your environment, see Get started with certificate-based authentication on Android for instructions.