Microsoft changes direction on ADFS with preview of certificate-based authentication
Microsoft on Monday announced a public preview of certificate-based authentication (CBA) for Azure Active Directory.
The CBA preview likely spells the end of Microsoft’s Active Directory Federation Service (ADFS). ADFS is a Windows Server role typically used by organizations to federate with the Azure AD service. Using a federated identity provider, such as ADFS, was previously a requirement for Azure AD authentications with X.509 certificates. However, ADFS will not be needed when CBA is used.
CBA allows organizations to authenticate to Azure AD using X.509 certificates without having to use a federation service.
“Azure AD CBA eliminates the need for federated AD FS, which helps simplify customer environments and reduce costs,” Microsoft said in an “Overview” document.
Organizations gain the following benefits by using CBA and Azure AD, according to the document:
- No need for complex on-premises deployments or network configuration.
- Authenticate directly to Azure AD.
- No overhead or management fees.
Additionally, CBA will be free with all Azure AD subscriptions, including free Azure AD accounts.
Anti-phishing compliance
Using Azure AD with CBA enables “phishing-resistant” authentications, allowing organizations to comply with the Biden administration’s recent Executive Order 14028, Microsoft argued. The order is directed at the security practices of federal agencies.
The CBA preview is available to both public and government users. It will work with Personal Identity Verification (PIV) and Common Access Card (CAC) “smart cards” that are typically used by government organizations for identity and access management.
End users encountering the Azure AD plus CBA combination are prompted to sign in with a certificate rather than a password. If an end user is not “in scope of CBA”, authentication will fail.
Did ADFS have any issues?
ADFS may have been too complex to use, and it was notably abused in spy attacks last year.
Microsoft may have developed CBA because of last year’s widespread espionage attacks by Russia-associated Nobelium Group (also known as “Solorigate”), which tapped into government and industry organizations. One avenue of these attacks was ADFS, which was used to generate Security Assertion Markup Language (SAML) tokens and access Exchange Online email traffic. This “golden SAML” approach allowed attackers to bypass multi-factor authentication and gain access to any federated application, according to a forensic analysis by security solutions company FireEye.
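A forged (“golden”) SAML token is signed with the stolen ADFS token-signing key, so it looks legitimate to Azure AD; what is missing is the matching token-issuance audit event on the ADFS server itself. The following is an added example, not code from the article or from Microsoft: it correlates constructed Azure AD sign-in records with constructed ADFS audit events (event ID 1200, “valid token issued”; the field names are assumptions) and flags federated sign-ins that no ADFS issuance event explains.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article). Field names are assumptions
# made for this example, not a real Azure AD or ADFS log schema.
AAD_SIGNINS = [
    {"ts": "2021-07-14T10:00:05Z", "user": "alice@corp.example",
     "auth": "Federated", "app": "Exchange Online"},
    {"ts": "2021-07-14T10:30:00Z", "user": "svc-admin@corp.example",
     "auth": "Federated", "app": "Exchange Online"},
    {"ts": "2021-07-14T11:00:00Z", "user": "bob@corp.example",
     "auth": "Managed", "app": "SharePoint"},
]
# ADFS security-audit events; 1200 = the Federation Service issued a valid token.
ADFS_EVENTS = [
    {"ts": "2021-07-14T09:59:58Z", "event_id": 1200, "user": "alice@corp.example"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unmatched_federated_signins(signins, adfs_events, window=timedelta(minutes=5)):
    """Return federated Azure AD sign-ins that have no ADFS token-issuance
    event for the same user within `window` before the sign-in.

    A token minted offline with a stolen signing key validates at Azure AD
    but never passes through ADFS, so the on-premises audit event is absent.
    """
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["user"].lower(), []).append(parse_ts(ev["ts"]))

    flagged = []
    for s in signins:
        if s["auth"] != "Federated":
            continue  # cloud-managed auth does not involve ADFS at all
        sign_in_time = parse_ts(s["ts"])
        candidates = issued.get(s["user"].lower(), [])
        # Issuance must precede the sign-in and fall inside the window.
        if not any(timedelta(0) <= sign_in_time - t <= window for t in candidates):
            flagged.append((s["user"], s["ts"], s["app"]))
    return flagged


if __name__ == "__main__":
    for user, ts, app in find_unmatched_federated_signins(AAD_SIGNINS, ADFS_EVENTS):
        print(f"no ADFS issuance event for federated sign-in: {user} {ts} {app}")
```

Clock skew between ADFS and Azure AD and an ADFS farm with incomplete audit forwarding both produce false positives, so the window and the event source should be tuned before this is used as an alert.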
Shortly after the Nobelium attacks, Microsoft had suggested that organizations had just misconfigured ADFS, leading to the exploits. However, onlookers such as security solutions company CrowdStrike had outright described ADFS as having “architectural limitations”.
When I asked Alex Weinert, director of identity security at Microsoft, if ADFS was unsafe to use, he replied in a July 14 Twitter post that cloud authentication was a better security approach. If organizations were to use ADFS, however, they would also need to use a hardware security module (HSM) with it, as described in this Microsoft document, Weinert said at the time.