Introducing More Granular Certificate-Based Authentication Configuration in Conditional Access

I'm thrilled to announce the public preview of advanced -based (CBA) options in Conditional Access, which provides the ability to allow access to specific resources based on the Issuer or Policy Object Identifiers (OIDs) properties. 

Our customers, particularly those in highly regulated industries and government, have expressed the need for more flexibility in their CBA configurations. Using the same for all federated applications is not always sufficient. Some resources may require access with a certificate issued by specific issuers, while other resources require access based on a specific policy OIDs. 

For instance, a company like Contoso may issue three different types of multifactor certificates via Smart Cards to employees, each distinguished by properties such as Policy OID or issuer. These certificates may correspond to different levels of security clearance, such as Confidential, Secret, or Top Secret. Contoso needs to ensure that only users with the appropriate multifactor certificate can access data of the corresponding classification. 

Figure 1: Authentication strength - advanced CBA optionsFigure 1: strength – advanced CBA options

With the authentication strength capability in Conditional Access, customers can now create a custom authentication strength policy, with advanced CBA options to allow access based on certificate issuer or policy OIDs. For external users whose multifactor authentication () is trusted from partners' tenant, access can also be restricted based on these properties. 

This adds flexibility to CBA, in addition to the recent updates we shared in December. We remain committed to enhancing -resistant authentication to all our customers and helping US Gov customers meet Executive Order 14028 on Improving the Nation's Cybersecurity. 

To learn more about this new capability check authentication strength advanced options

Thanks, and let us know what you think! 

Alex Weinert

Learn more about Microsoft Entra: 


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.