Currently, certain mobile applications can use certificate-based authentication (CBA) against Exchange on-premises environments. Today, we are pleased to announce that CBA is available in preview for customers using Office 365 Enterprise, Business, and Education plans. This feature is available to the Outlook for Android application as well as applications connecting over Exchange ActiveSync. Support for Outlook for iOS is coming soon.
What is certificate-based authentication?
CBA allows users to authenticate using a client certificate to access resources. The certificate is used in place of the user entering credentials into the device.
Why would I want certificate-based authentication?
With certificate-based authentication, administrators can let users access resources without having to enter credentials.
Prerequisites
The following are required to use CBA:
- Access to one or more certificate authorities to issue client certificates.
- Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an Internet facing URL.
- User certificates must be provisioned on mobile devices, typically through the use of an MDM.
- For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in Exchange online in either the RFC822 Name or Principal Name value in the Subject Alternative Name field of the certificate.
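As an added example (not from the post), the following Python script uses the cryptography library (assumed to be installed) to check the last prerequisite: whether a client certificate's Subject Alternative Name carries the user's routable e-mail address as an RFC822 Name or as a Principal Name (the UPN otherName, Microsoft OID 1.3.6.1.4.1.311.20.2.3). The certificate it inspects is a constructed, self-signed demo; names such as make_demo_cert and eas_cba_eligible are mine.

```python
"""Checks the SAN prerequisite the post states for Exchange ActiveSync CBA: the
user's routable e-mail address must appear in the Subject Alternative Name as an
RFC822 Name or a Principal Name (UPN). Demo certificates here are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Microsoft's szOID_NT_PRINCIPAL_NAME: the otherName type that carries a UPN.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def san_identities(cert: x509.Certificate) -> dict:
    """Return the lower-cased RFC822 names and UPNs found in the SAN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return {"rfc822": [], "upn": []}
    upns = []
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            # The otherName value is a DER UTF8String: tag 0x0C, short length, text.
            upns.append(other.value[2:].decode("utf-8").lower())
    rfc822 = [v.lower() for v in san.get_values_for_type(x509.RFC822Name)]
    return {"rfc822": rfc822, "upn": upns}


def eas_cba_eligible(cert: x509.Certificate, routable_email: str) -> bool:
    """True when either SAN field carries the user's routable e-mail address."""
    ids = san_identities(cert)
    email = routable_email.lower()
    return email in ids["rfc822"] or email in ids["upn"]


def make_demo_cert(rfc822: str, upn: str = "") -> x509.Certificate:
    """Build a constructed self-signed certificate with the given SAN entries."""
    entries = [x509.RFC822Name(rfc822)]
    if upn:  # DER UTF8String; short-form length covers any realistic UPN (< 128 bytes)
        utf8 = upn.encode()
        entries.append(x509.OtherName(UPN_OID, bytes([0x0C, len(utf8)]) + utf8))
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "cba demo user")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName(entries), critical=False)
            .sign(key, hashes.SHA256()))
```

To check a real device certificate, load it with x509.load_pem_x509_certificate() and pass it to eas_cba_eligible() with the mailbox's primary SMTP address.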
Using certificate-based authentication
Configuration in Azure Active Directory is required to use certificate-based authentication. All certificate authorities (and their associated CRL URLs) must be uploaded to Azure Active Directory. More information on getting started with CBA can be found on the Microsoft Azure site.
Certificate-based authentication on Outlook for iOS/Android applications
Currently, certificate-based authentication is only supported in the Outlook for Android application on Android versions Lollipop 5.0 and above. Support in Outlook for iOS is coming soon.
A federation server configured to perform certificate-based user authentication is also required when using Outlook for Android.
Certificate-based authentication on Exchange ActiveSync applications
Certain Exchange ActiveSync applications may support certificate-based authentication. To determine if your application supports CBA, contact the application developer. Preview documentation on how EAS applications can support CBA can be found here.
Program Manager
Office 365