Today I want to build upon the last post surrounding Intune and certificate services. Once we get the certificates onto the devices the next step is to configure our services to accept certs as a form of authentication.
I want to talk about configuring Exchange Online in this post and some caveats when setting that up.
Per usual I dont want to spell out a guide for everyone. Those can be found in a multitude of places. There is a good one here.
https://blogs.technet.microsoft.com/messagingblogs/2017/02/16/certificate-based-authentication-o365/
What I do want to talk about are some of the gaps that this guide didnt cover.
First thing is the intermediary. In a best practice PKI deployment you should have a Root and an Int certificate. I would publish both certificates and CRLs to Azure AD using the guide above. When you deploy the Int cert be sure you change the powershell from this
Get-AzureADTrustedCertificateAuthority
$Cert=Get-Content -Encoding byte "Location of Root CA CER file"
$New_CA=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$New_CA.AuthorityType=0
$New_CA.TrustedCertificate=$Cert
$New_CA.crlDistributionPoint="CRL Distribution URL"
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $New_CA
To this "$New_CA.AuthorityType=1" this will specify the cert we upload as the Int.
I reccomend putting the Int cert on the devices we deploy as well as accepting it for authentication in AzureAD
The next little gotcha they don't mention is that ADFS certificate based auth goes over a different port. It goes over port 49443 so make sure you aren't blocking that port coming into the WAPS.
And last but not least make sure that you configure ADFS to accept cert based auth. In ADFS 2016 its a little checkbox under authentication types.
