Channel: You Had Me At EHLO…

Preview of Certificate-Based Authentication (CBA) for Exchange Online


On-premises Exchange environments support the ability for certain mobile apps to use certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available in preview for customers using Office 365 Enterprise, Business, and Education plans. The feature is available for Outlook for Android and for clients that use the Exchange ActiveSync (EAS) protocol. Support for Outlook for iOS is coming soon.

What is certificate-based authentication?

CBA allows users to authenticate using a client certificate. The certificate is used in place of the user entering credentials into the device.

Why would I want certificate-based authentication?

By utilizing certificate-based authentication, administrators can allow their users to access resources without the need to enter credentials.

Prerequisites

The following are required to use CBA:

  • Access to a certification authority (CA) to issue client certificates.
  • Each CA must have a certificate revocation list (CRL) that can be referenced via an Internet-facing URL.
  • Client certificates must be provisioned on mobile devices, typically by using a mobile device management (MDM) solution.
  • For EAS clients, the RFC822 Name or Principal Name value in the certificate’s Subject Alternative Name (SAN) field must contain the user’s email address.
     

    Figure 1: Client certificate with email address in RFC822 Name and Principal Name values in the SAN field
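
The following added example, which is not part of the original post and is not Microsoft's code, decodes a certificate's Subject Alternative Name value (DER-encoded GeneralNames) and checks the EAS prerequisite above: the RFC822 Name or the Principal Name must match the user's email address. The function names, the sample bytes and the case-insensitive comparison are assumptions made for this example.

```python
# Added example (not Microsoft's code): SAN prerequisite check for EAS clients.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Principal Name)

def tlv(tag, value):
    """Encode one short DER element (used only to build the samples below)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def san_identities(general_names_der):
    """Collect rfc822Name and UPN otherName strings from DER GeneralNames."""
    tag, body, _ = read_tlv(general_names_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x81:  # [1] rfc822Name (IA5String)
            names.append(("RFC822 Name", value.decode("ascii")))
        elif tag == 0xA0:  # [0] otherName: type-id OID, then [0] EXPLICIT value
            oid_tag, oid, nxt = read_tlv(value, 0)
            _, wrapped, _ = read_tlv(value, nxt)
            inner_tag, inner, _ = read_tlv(wrapped, 0)
            if oid_tag == 0x06 and oid == UPN_OID and inner_tag == 0x0C:
                names.append(("Principal Name", inner.decode("utf-8")))
    return names

def meets_eas_prerequisite(general_names_der, email):
    """True if either SAN value equals the address (case-insensitive: assumption)."""
    wanted = email.casefold()
    return any(v.casefold() == wanted for _, v in san_identities(general_names_der))

# Constructed sample SAN values; the address is a placeholder.
ADDR = b"alice@contoso.example"
UPN_ENTRY = tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, ADDR)))
SAN_BOTH = tlv(0x30, UPN_ENTRY + tlv(0x81, ADDR))
SAN_DNS_ONLY = tlv(0x30, tlv(0x82, b"mail.contoso.example"))
```

The input is the SAN extension's value as extracted by a certificate parser; a certificate whose SAN carries only a DNS name, as in `SAN_DNS_ONLY`, fails the check.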

Using certificate-based authentication

Configuration in Azure Active Directory is required to use certificate-based authentication. All certificate authorities (and their associated CRL URLs) must be uploaded to Azure Active Directory. More information on getting started with CBA can be found in Get started with certificate-based authentication on iOS – Public Preview.

Certificate-based authentication in Outlook for iOS/Android

Currently, certificate-based authentication is only supported in Outlook for Android on Android Lollipop 5.0 and above. Support in Outlook for iOS is coming soon.

A federation server that is configured to perform certificate-based user authentication is also required when using Outlook for Android.

Certificate-based authentication in Exchange ActiveSync applications

Certain EAS applications may support certificate-based authentication. To determine if your application supports CBA, contact the application developer. Preview documentation on how EAS applications can support CBA can be found in Microsoft Exchange protocol documentation.

Tyler Lenig
Program Manager
Office 365

