Configuring Certificate-Based Authentication in Azure for Office 365: Workspace ONE Operational Tutorial
Overview
Introduction
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure certificate-based authentication in MS Azure for MS Office 365 applications. Procedures include configuring a certificate request template in VMware Workspace ONE® UEM, configuring VMware Workspace ONE® Boxer for certificate-based authentication in Exchange Online, and testing the configurations.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.
Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.
Configure Certificate-Based Authentication in Azure for Office 365
Introduction
Certificate-based authentication for Microsoft Office 365 provides employees seamless access to email and other resources. Relying on client certificates simplifies authentication by eliminating the need for employee username and password combinations. Pairing certificate-based authentication for Office 365 with VMware Workspace ONE streamlines access for Windows, Android, and iOS devices.
This exercise helps you to configure certificate-based authentication in Azure for MS Office 365. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Benefits of Certificate-Based Authentication
The benefits of certificate-based authentication are as follows.
- Eliminate Brute-Force Threats – Certificate authentication replaces basic and NT LAN Manager (NTLM) authentication, eliminating the threat of password-based attacks.
- Ensure Device Compliance – Only compliant devices receive valid certificates. Therefore, requiring a valid certificate ensures the requesting device enrolled with Workspace ONE and meets the defined corporate policies.
- Manage the Certificate Lifecycle – Automate and control the request, revocation, and renewal phases of the client certificate lifecycle.
- Integrate with Public Key Infrastructure (PKI) & Managed PKI Infrastructure – Workspace ONE uses a dedicated certificate authority (CA) and certificate to avoid conflicts with an organization’s other certificate deployments.
- Enforce Managed Credential Access to BYOD Devices – Workspace ONE UEM can provision managed certificates to Workspace ONE Boxer in a BYOD scenario. This allows end users the flexibility to access corporate email in a secure container without the need to enroll their device into the organization.
- Deploy Workspace ONE Boxer in conjunction with Azure Conditional Access – Azure Certificate-Based Authentication allows administrators to deploy Workspace ONE Boxer as an email client for Exchange Online in scenarios where approved client applications are required.
Prerequisites
Before you can perform the procedures in this tutorial, ensure the following components are installed and configured. For more information, see the VMware Workspace ONE UEM Documentation.
- Workspace ONE UEM tenant integrated with enterprise CA
- Workspace ONE UEM tenant integrated with PKI/MPKI infrastructure
- Office 365 domain federated with Workspace ONE
- Access to root and intermediate (if applicable) certificates for the issuing CA
- Internet-facing URLs (reachable by Azure) where the Certificate Revocation Lists (CRLs) for the issuing CA are published
- Global admin access to Office 365 tenant
- Windows PowerShell 2.0 or later
- Azure AD Module for PowerShell 2.0.0.33 or later
- Exchange ActiveSync client that supports certificate-based authentication
Configuring Certificate-Based Authentication in Azure
In this activity, install the AzureAD module in PowerShell and configure certificate-based authentication in Azure. Ensure you are logged in to a machine that has permissions to access Azure AD.
Run PowerShell as Administrator

- From the start menu, select Windows PowerShell.
- Select Run as administrator.
Install AzureAD PowerShell Module

- Run the following command in PowerShell to install the AzureAD module.
Install-Module AzureAD
- At the prompt, enter a (Yes to All) to accept the installation.
Connect to AzureAD Using PowerShell

1. Run the following command to connect to your Azure AD tenant from PowerShell.
Connect-AzureAD
2. At the prompt, enter administrator credentials to authenticate to your Azure AD tenant.
This user requires the Global Administrator role.
Copy Certificate Chain to PowerShell Variable

Run the following command to copy the certificate chain of your CA's root and intermediate certificates (if applicable). Replace <Location of the CER file> with the file path where your certificate file is stored.
$cert=Get-Content -Encoding byte "<Location of the CER file>"
Create AzureAD CA Object Variable

Run the following command to create a new variable of AzureAD CA type and add the previously copied certificate chain(s):
$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType=0
$new_ca.TrustedCertificate=$cert
Note: When you add intermediate certificates to the chain, change the Authority Type value to 1, 2... accordingly.
Configure CA CRL Endpoint in Azure CA Object

Run the following command to modify the AzureAD CA object to add a CRL endpoint for the issuing CA. Replace <CRL Distribution URL> with the public-facing URL of the CRL endpoint for the issuing CA.
$new_ca.crlDistributionPoint="<CRL Distribution URL>"
Note: The URL must be resolvable and the CRL endpoint accessible by Azure.
Configure Azure AD Trusted CA

Run the following command to configure the trusted CA in Azure using the previously created AzureAD object:
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
Validate Trusted CA is Configured in Azure

Run the following command to validate that the new trusted CA has been configured within your Azure AD tenant:
Get-AzureADTrustedCertificateAuthority
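As an added example that is not part of the original tutorial, the following Windows PowerShell script performs the steps above end to end for a root CA and an intermediate CA: it checks each file is really a CA certificate, checks the CRL endpoint answers before uploading, registers both issuers with the same object and cmdlets the tutorial uses, and then verifies the registration by comparing thumbprints rather than display names. The file paths and CRL URLs are placeholders; it assumes the AzureAD module is installed and Connect-AzureAD has already succeeded.

```powershell
# Added example, not from the original tutorial. Registers a root CA and an
# intermediate CA as trusted issuers in Azure AD, then verifies the result.
# Assumptions: Windows PowerShell 5.1 (Get-Content -Encoding byte), the AzureAD
# module is installed, Connect-AzureAD has already succeeded, and the paths and
# CRL URLs below are placeholders you replace with your own values.
$cas = @(
    @{ Path = 'C:\certs\root-ca.cer';         Type = 0; Crl = 'http://crl.example.com/root.crl' },
    @{ Path = 'C:\certs\intermediate-ca.cer'; Type = 1; Crl = 'http://crl.example.com/issuing.crl' }
)

foreach ($ca in $cas) {
    # Parse the file locally and confirm it is a CA certificate before uploading it.
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ca.Path
    $bc = $x509.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$($ca.Path) is not a CA certificate (BasicConstraints CA=false)"
    }

    # The CRL must be fetchable over the public Internet, because Azure retrieves
    # it during authentication. This only proves reachability from this workstation.
    $resp = Invoke-WebRequest -Uri $ca.Crl -UseBasicParsing
    if ($resp.StatusCode -ne 200) { throw "CRL $($ca.Crl) returned HTTP $($resp.StatusCode)" }

    # Same object and properties the tutorial uses, one object per certificate in the chain.
    $new_ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $new_ca.AuthorityType = $ca.Type           # 0 = root CA, 1 = intermediate CA
    $new_ca.TrustedCertificate = Get-Content -Encoding byte $ca.Path
    $new_ca.crlDistributionPoint = $ca.Crl
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca | Out-Null
    Write-Host "Registered $($x509.Subject) (thumbprint $($x509.Thumbprint))"
}

# Verify by thumbprint: rebuild each stored certificate from the bytes Azure AD
# returns and compare it with the local file.
$stored = Get-AzureADTrustedCertificateAuthority | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_.TrustedCertificate).Thumbprint
}
foreach ($ca in $cas) {
    $local = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ca.Path).Thumbprint
    if ($stored -notcontains $local) { throw "Azure AD does not list $($ca.Path) as a trusted CA" }
}
Write-Host "All $($cas.Count) trusted CAs are present in Azure AD."
```

Register the root before the intermediate, as the array order does, so the chain can be validated in Azure AD; the local CRL check is a sanity test only, since Azure must be able to reach the URL from its own network.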
Logging In to the Workspace ONE UEM Console
Before configuring the certificate request template, you must first log in to the Workspace ONE UEM Console.
1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.
2. Authenticate to the Workspace ONE UEM Console

- Enter your Username, for example, administrator.
- Click Next. After you click Next, the Password text box is displayed.
- Enter your Password, for example, VMware1!
- Click Login.
Note: If you see a Captcha, be aware that it is case sensitive.
Configuring a Certificate Request Template in Workspace ONE UEM
After you have configured certification authentication in Azure, you are ready to configure the certificate request template in Workspace ONE UEM.
Add New Certificate Request Template

- Click System.
- Click Enterprise Integration.
- Click Certificate Authorities.
- Select Request Templates.
- Click Add.
Configure Certificate Request Template

- Enter a name for the new certificate request template. For example, MobileUser.
- Select the configured certificate authority from the drop-down menu. For example, Cake CA.
- For Subject Name, click the + icon and select {EnrollmentUser} from the drop-down menu. The value displayed should be CN={EnrollmentUser}.
- Select Email Address from the SAN Type drop-down menu.
- Select {EmailAddress} from the Lookup value drop-down menu.
- Click Add and select User Principal Name from the SAN Type drop-down menu.
- Select {UserPrincipalName} from the Lookup value drop-down menu.
- Click Save.
Configuring Workspace ONE Boxer for Certificate-Based Authentication with Exchange Online
After you have configured the certificate request template in Workspace ONE UEM, you are ready to add Workspace ONE Boxer in Workspace ONE UEM and configure the app for certificate-based authentication with Exchange Online.
Add New Public Application

In the Workspace ONE UEM console:
- Click Add.
- Click Public Application.
Search for Workspace ONE Boxer

- Select Apple iOS from the Platform drop-down menu.
- Enter Workspace ONE Boxer in the Name text box.
- Click Next.
Select Workspace ONE Boxer

Click Select to select the Boxer - Workspace ONE application.
Save and Assign Workspace ONE Boxer

Click Save & Assign.
Add New Assignment

Click Add Assignment to create a new assignment configuration.
Select Smart Group Assignment

- Select a Smart Group from the Select Assignment Group drop-down menu. For example, All Devices.
- Select Auto as the App Delivery Method.
Configure Email Account Settings

- Enter a name for Account Name. For example, Exchange Online.
- Enter the Exchange Online ActiveSync host address. For example, outlook.office365.com.
- Enter {EmailDomain} as the Domain value.
- Enter {EmailAddress} as the User value.
- Enter {EmailAddress} as the Email Address value.
- Click More Email Settings.
Configure Email Account Authentication Settings

- Select your issuing certificate authority from the Certificate Authority drop-down menu. For example, Cake CA.
- Select the certificate template created for this configuration from the Certificate Template drop-down menu. For example, MobileUser.
Finalize Configuration

Click Add.
Save and Publish Application Assignment

Click Save & Publish.
Review Device Assignment and Publish Configuration

Click Publish.
Testing Certificate-Based Authentication to Office 365 Applications
After certificate-based authentication has been configured, you can test authentication to your Office 365 apps. In this activity, you log in to Workspace ONE and launch your Office 365 apps using certificate-based authentication; that is, without entering user credentials a second time.
1. Log In to Workspace ONE

Navigate to your Workspace ONE UEM tenant and enter the domain credentials for your test user.
- Enter the username. For example, user.
- Enter the password. For example, VMware1!
- Click Sign in.
2. Open Office 365 App

Click any Office 365 app to open. The app should launch without requiring credentials.
3. Confirm the Prompt to Use Certificate (Optional)

Click Continue to allow the app to use the client certificate. Your application should start without requiring any username or password.
Summary and Additional Resources
Conclusion
This operational tutorial provided steps to configure certificate-based authentication in Azure for Office 365 applications.
Procedures included:
- Configuring Certificate-Based Authentication in Azure
- Configuring a Certificate Request Template in Workspace ONE UEM
- Configuring Workspace ONE Boxer for Certificate-Based Authentication with Exchange Online
- Testing Certificate-Based Authentication to Office 365 Applications
Additional Resources
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
About the Authors
This tutorial was written by:
- Shardul Navare, Senior Technical Marketing Architect, End-User Computing, VMware
- Camilo Lotero, Senior Solutions Engineer, End-User-Computing Identity & Access Management, VMware
Feedback
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
Appendix: Creating Authentication Fallback Policy
Creating Authentication Fallback Policy in Federation Provider
Configuring certificate authentication within Azure should be considered optional from Exchange Online's perspective. If the client application cannot present a valid certificate during authentication, Exchange Online falls back to the configured federation provider as part of the WS-Federation active flow.
Log in to the Workspace ONE Access administration console to perform these steps.
Add New Policy

- Select Identity and Access Management.
- Select Policies.
- Click Add Policy.
Name the New Access Policy

- Enter a policy name. For example, Authentication Fallback.
- Click Next.
Add a New Policy Rule

Click Add Policy Rule.
Configure Policy Rule

If you want to block client applications from authenticating with basic credentials (username/password), you must create a policy within the federation provider that blocks those requests for Exchange Online. The screenshot shows an example of this policy where Office 365 is federated with Workspace ONE Access and incoming ActiveSync active client requests are blocked.