Configuring Certificate-Based Authentication in Azure for Office 365: Workspace ONE Operational Tutorial

The benefits of certificate-based authentication are as follows.

• Eliminate Brute-Force Threats – Certificate authentication replaces basic and NT LAN Manager (NTLM) authentication, eliminating the threat of password hack attacks.
• Ensure Device Compliance – Only compliant devices receive valid certificates. Therefore, requiring a valid certificate ensures the requesting device enrolled with Workspace ONE and meets the defined corporate policies.
• Manage the Certificate Lifecycle – Automate and control the request, revoke and renewal phases of the client certificate lifecycle.
• Integrate with Public Key Infrastructure (PKI) & Managed PKI Infrastructure – Workspace ONE uses a dedicated certificate authority (CA) and certificate to avoid conflicts with an organization’s other certificate deployments.
• Enforce Managed Credential Access to BYOD Devices – Workspace ONE UEM can provision managed certificates to Workspace ONE Boxer in a BYOD scenario. This allows end users the flexibility to access corporate email in a secure container without the need to enroll their device into the organization.
• Deploy Workspace ONE Boxer in conjunction with Azure Conditional Access – Azure Certificate-Based Authentication allows administrators to deploy Workspace ONE Boxer as an email client for Exchange Online in scenarios where approved client applications are required.

1. From the start menu, select Windows PowerShell.
2. Select Run as administrator.

1. Run the following command in PowerShell to install the AzureAD module.

2. At the prompt, enter a.

1. Run the following command to connect to your Azure AD tenant from PowerShell.

2. At the prompt, enter administrator credentials to authenticate into your Azure AD tenant.

This user requires Global Administrator role.

Run the following command to copy the certificate chain of your CA's root and intermediate certificates (if applicable):

Replace <Location of the CER File> to include the file path where your certificate files are stored.

Run the following command to create a new variable of AzureAD CA type and add the previously copied certificate chain(s):

Note: When you add intermediate certificates to the chain, change the Authority Type value to 1, 2... accordingly.

Run the following command to modify the AzureAD CA object to add a CRL endpoint for the issuing CA:

Replace <CRL Distribution URL> with the public facing URL of the CRL endpoint for the issuing CA.

Note: The URL must be resolvable and the CRL endpoint accessible by Azure.

Run the following command to configure the trusted CA in Azure using the previously created AzureAD object:

Run the following command to validate that the new trusted CA has been configured within your Azure AD tenant:

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username, for example, administrator.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password, for example, VMware1!
2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

In the Workspace ONE UEM console:

1. Click Groups & Settings.
2. Click All Settings.

1. Click System.
2. Click Enterprise Integration.
3. Click Certificate Authorities.
4. Select Request Templates.
5. Click Add.

1. Enter a name for the new certificate request template. For example, MobileUser.
2. Select the configured certificate authority from the drop-down menu. For example, Cake CA.
3. For Subject Name, click the + icon and select {EnrollmentUser} from the drop-down menu. The value displayed should be CN={EnrollmentUser}.
4. Select Email Address from the SAN Type drop-down menu.
5. Select {EmailAddress} from the Lookup value drop-down menu.
6. Click Add and select User Principal Name from the SAN Type drop-down menu.
7. Select {UserPrincipalName} from the Lookup value drop-down menu.
8. Click Save.

In the Workspace ONE UEM console:

1. Click Add.
2. Click Public Application.

1. Select Apple iOS from the Platform drop-down menu.
2. Enter Workspace ONE Boxer in the Name text box.
3. Click Next.

Click Select to select the Boxer - Workspace ONE application.

Click Save & Assign.

Click Add Assignment to create a new assignment configuration.

1. Select a Smart Group from the Select Assignment Group drop-down menu. For example, All Devices.
2. Select Auto as the App Delivery Method.

1. Enter a name for Account Name. For example, Exchange Online.
2. Enter the Exchange Online ActiveSync host address. For example, outlook.office365.com.
3. Enter {EmailDomain} as the Domain value.
4. Enter {EmailAddress} as the User value.
5. Enter {EmailAddress} as the Email Address value.
6. Click More Email Settings.

1. Select your issuing certificate authority from the Certificate Authority drop-down menu. For example, Cake CA.
2. Select the certificate template created for this configuration from the Certificate Template drop-down menu. For example, MobileUser.

Click Add.

Click Save & Publish.

Click Publish.

Click any Office 365 app to open. The app should launch without requiring credentials.

Click Continue to allow to use the client certificate and your application should start without requiring any username or password.

1. Select Identity and Access Management.
2. Select Policies.
3. Click Add Policy.

1. Enter a policy name. For example, Authentication Fallback.
2. Click Next.

Click Add Policy Rule.