Configuring Certificate-Based Authentication in Azure for Office 365: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure certificate-based authentication in MS Azure for MS Office 365 applications. Procedures include configuring a certificate request template in VMware Workspace ONE® UEM, configuring VMware Workspace ONE® Boxer for certificate-based authentication in Exchange Online, and testing the configurations.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Configure Certificate-Based Authentication in Azure for Office 365

Introduction

Certificate-based authentication for Microsoft Office 365 provides employees seamless access to email and other resources. Relying on client certificates simplifies authentication by eliminating the need for employee username and password combinations. Pairing certificate-based authentication for Office 365 with VMware Workspace ONE streamlines access for Windows, Android, and iOS devices.

This exercise helps you to configure certificate-based authentication in Azure for MS Office 365. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Benefits of Certificate-Based Authentication

The benefits of certificate-based authentication are as follows.

  • Eliminate Brute-Force Threats – Certificate authentication replaces basic and NT LAN Manager (NTLM) authentication, eliminating the threat of password attacks.
  • Ensure Device Compliance – Only compliant devices receive valid certificates. Therefore, requiring a valid certificate ensures the requesting device enrolled with Workspace ONE and meets the defined corporate policies.
  • Manage the Certificate Lifecycle – Automate and control the request, revocation, and renewal phases of the client certificate lifecycle.
  • Integrate with Public Key Infrastructure (PKI) & Managed PKI Infrastructure – Workspace ONE uses a dedicated certificate authority (CA) and certificate to avoid conflicts with an organization’s other certificate deployments.
  • Enforce Managed Credential Access to BYOD Devices – Workspace ONE UEM can provision managed certificates to Workspace ONE Boxer in a BYOD scenario. This allows end users the flexibility to access corporate email in a secure container without the need to enroll their device into the organization.
  • Deploy Workspace ONE Boxer in conjunction with Azure Conditional Access – Azure Certificate-Based Authentication allows administrators to deploy Workspace ONE Boxer as an email client for Exchange Online in scenarios where approved client applications are required.

Prerequisites

Before you can perform the procedures in this tutorial, ensure the following components are installed and configured. For more information, see the VMware Workspace ONE UEM Documentation.

Configuring Certificate-Based Authentication in Azure

In this activity, install the AzureAD module in PowerShell and configure certificate-based authentication in Azure. Ensure you are logged in to a machine that has permissions to access Azure AD.

Run PowerShell as Administrator

  1. From the start menu, select Windows PowerShell.
  2. Select Run as administrator.

Install AzureAD PowerShell Module

  1. Run the following command in PowerShell to install the AzureAD module.

Install-Module AzureAD

  2. At the prompt, enter a.

Connect to AzureAD Using PowerShell

1. Run the following command to connect to your Azure AD tenant from PowerShell.

Connect-AzureAD

2. At the prompt, enter administrator credentials to authenticate into your Azure AD tenant.

This user requires the Global Administrator role.

Copy Certificate Chain to PowerShell Variable

Run the following command to read your CA's root certificate (and, if applicable, each intermediate certificate) into a PowerShell variable.

Replace <Location of the CER file> with the file path where the certificate file is stored.

$cert=Get-Content -Encoding byte "<Location of the CER file>"

Create AzureAD CA Object Variable

Run the following command to create a new variable of AzureAD CA type and add the previously copied certificate chain(s):

$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType=0
$new_ca.TrustedCertificate=$cert

Note: When you add intermediate certificates to the chain, set the AuthorityType value to 1, 2, and so on accordingly.

Configure CA CRL Endpoint in Azure CA Object

Run the following command to modify the AzureAD CA object to add a CRL endpoint for the issuing CA:

Replace <CRL Distribution URL> with the public-facing URL of the CRL endpoint for the issuing CA.

$new_ca.crlDistributionPoint="<CRL Distribution URL>"

Note: The URL must be resolvable and the CRL endpoint accessible by Azure.

Configure Azure AD Trusted CA

Run the following command to configure the trusted CA in Azure using the previously created AzureAD object:

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca

Validate Trusted CA is Configured in Azure

Run the following command to validate that the new trusted CA has been configured within your Azure AD tenant:

Get-AzureADTrustedCertificateAuthority
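The whole Azure AD procedure above, as one script that registers a root CA and an intermediate CA, checks that each CRL endpoint is reachable before it is handed to Azure, and then decodes what the tenant stores so the result can be validated. This is an added example, not part of the VMware tutorial; the file paths and CRL URLs are constructed placeholders, and it assumes the AzureAD module is installed and Connect-AzureAD has already been run with a Global Administrator account.

```powershell
# Added example (not from the tutorial). Assumes: AzureAD module installed,
# Connect-AzureAD already run as Global Administrator.
# Constructed placeholder inputs: replace the paths and CRL URLs with your own.
$authorities = @(
    @{ Path = 'C:\certs\RootCA.cer';    Type = 0; Crl = 'http://crl.example.com/RootCA.crl' },
    @{ Path = 'C:\certs\IssuingCA.cer'; Type = 1; Crl = 'http://crl.example.com/IssuingCA.crl' }
)

foreach ($a in $authorities) {
    # Read the DER-encoded certificate as raw bytes (Windows PowerShell 5.1 syntax;
    # on PowerShell 7 use: Get-Content -AsByteStream -Path $a.Path).
    $bytes = Get-Content -Encoding Byte -Path $a.Path

    # Make sure the bytes parse as an X.509 certificate before uploading anything.
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)
    Write-Host ("Registering {0} (AuthorityType {1}), thumbprint {2}" -f $x509.Subject, $a.Type, $x509.Thumbprint)

    # Azure must be able to fetch the CRL, so verify the endpoint answers over HTTP first.
    try {
        Invoke-WebRequest -Uri $a.Crl -Method Head -UseBasicParsing -TimeoutSec 10 | Out-Null
    } catch {
        Write-Warning "CRL endpoint $($a.Crl) is not reachable: $($_.Exception.Message)"
    }

    # Same object the tutorial builds step by step: 0 = root CA, 1 = intermediate CA.
    $ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $ca.AuthorityType        = $a.Type
    $ca.TrustedCertificate   = $bytes
    $ca.crlDistributionPoint = $a.Crl
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca | Out-Null
}

# Validate: list every trusted CA the tenant now holds, decoding the stored
# certificate so subject and expiry can be compared with what was intended.
Get-AzureADTrustedCertificateAuthority | ForEach-Object {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_.TrustedCertificate)
    [pscustomobject]@{
        Subject       = $c.Subject
        AuthorityType = $_.AuthorityType
        NotAfter      = $c.NotAfter
        Crl           = $_.CrlDistributionPoint
    }
} | Format-Table -AutoSize
```

A CA listed here with a past NotAfter or an unreachable Crl value is the first thing to check when certificate sign-in to Office 365 fails later in the tutorial.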

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Log In to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Configuring a Certificate Request Template in Workspace ONE UEM

After you have configured certification authentication in Azure, you are ready to configure the certificate request template in Workspace ONE UEM.

Add New Certificate Request Template

  1. Click System.
  2. Click Enterprise Integration.
  3. Click Certificate Authorities.
  4. Select Request Templates.
  5. Click Add.

Configure Certificate Request Template

  1. Enter a name for the new certificate request template. For example, MobileUser.
  2. Select the configured certificate authority from the drop-down menu. For example, Cake CA.
  3. For Subject Name, click the + icon and select {EnrollmentUser} from the drop-down menu. The value displayed should be CN={EnrollmentUser}.
  4. Select Email Address from the SAN Type drop-down menu.
  5. Select {EmailAddress} from the Lookup value drop-down menu.
  6. Click Add and select User Principal Name from the SAN Type drop-down menu.
  7. Select {UserPrincipalName} from the Lookup value drop-down menu.
  8. Click Save.

Configuring Workspace ONE Boxer for Certificate-Based Authentication with Exchange Online

After you have configured the certificate request template in Workspace ONE UEM, you are ready to add Workspace ONE Boxer in Workspace ONE UEM and configure the app for certificate-based authentication with Exchange Online.

Add New Public Application

In the Workspace ONE UEM console:

  1. Click Add.
  2. Click Public Application.

Search for Workspace ONE Boxer

  1. Select Apple iOS from the Platform drop-down menu.
  2. Enter Workspace ONE Boxer in the Name text box.
  3. Click Next.

Select Workspace ONE Boxer

Click Select to select the Boxer - Workspace ONE application.

Save and Assign Workspace ONE Boxer

Click Save & Assign.

Add New Assignment

Click Add Assignment to create a new assignment configuration.

Select Smart Group Assignment

  1. Select a Smart Group from the Select Assignment Group drop-down menu. For example, All Devices.
  2. Select Auto as the App Delivery Method.

Configure Email Account Settings

  1. Enter a name for Account Name. For example, Exchange Online.
  2. Enter the Exchange Online ActiveSync host address. For example, outlook.office365.com.
  3. Enter {EmailDomain} as the Domain value.
  4. Enter {EmailAddress} as the User value.
  5. Enter {EmailAddress} as the Email Address value.
  6. Click More Email Settings.

Configure Email Account Authentication Settings

  1. Select your issuing certificate authority from the Certificate Authority drop-down menu. For example, Cake CA.
  2. Select the certificate template created for this configuration from the Certificate Template drop-down menu. For example, MobileUser.

Finalize Configuration

Click Add.

Save and Publish Application Assignment

Click Save & Publish.

Review Device Assignment and Publish Configuration

Click Publish.

Testing Certificate-Based Authentication to Office 365 Applications

After certificate-based authentication has been configured, you can test authentication to your Office 365 apps. In this activity, you log in to Workspace ONE and launch your Office 365 apps using certificate-based authentication; that is, without entering user credentials a second time.

1. Log In to Workspace ONE

Navigate to your Workspace ONE UEM tenant and enter the domain credentials for your test user.

  1. Enter the username. For example, user.
  2. Enter the password. For example, VMware1!.
  3. Click Sign in.

2. Open Office 365 App

Click any Office 365 app to open. The app should launch without requiring credentials.

3. Confirm the Prompt to Use Certificate (Optional)

Click Continue to allow the app to use the client certificate. The application should start without requiring any username or password.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure certificate-based authentication in Azure for Office 365 applications.

Procedures included:

  • Configuring Certificate-Based Authentication in Azure
  • Configuring a Certificate Request Template in Workspace ONE UEM
  • Configuring Workspace ONE Boxer for Certificate-Based Authentication with Exchange Online
  • Testing Certificate-Based Authentication to Office 365 Applications

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors

This tutorial was written by:

  • Shardul Navare, Senior Technical Marketing Architect, End-User Computing, VMware
  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Appendix: Creating Authentication Fallback Policy

Creating Authentication Fallback Policy in Federation Provider

Configuring certificate authentication within Azure should be considered optional from Exchange Online's perspective. If the client application cannot present a valid certificate during authentication, Exchange Online falls back to the configured federation provider as part of the WS-Federation active flow.

Log in to the VMware Identity Manager administration console to perform these steps.

Add New Policy

  1. Select Identity and Access Management.
  2. Select Policies.
  3. Click Add Policy.

Name the New Access Policy

  1. Enter a policy name. For example, Authentication Fallback.
  2. Click Next.

Add a New Policy Rule

Click Add Policy Rule.

Configure Policy Rule

If you want to block client applications from authenticating with basic credentials (username/password), you must create a policy within the federation provider for Exchange Online that blocks them. The screenshot shows an example of this policy, where Office 365 is federated with VMware Identity Manager and incoming ActiveSync active client requests are blocked.