Frequently asked questions about Microsoft Entra certificate-based authentication

This article addresses frequently asked questions about how Microsoft Entra certificate-based authentication (CBA) works. Check back for updated content.

Why don't I see an option to sign in to Microsoft Entra ID by using certificates after I enter my username?

An administrator must turn on CBA for the tenant to make the option to sign in by using a certificate available to users. For more information, see Step 3: Configure the authentication binding policy.

Where can I get more diagnostic information after a user sign-in fails?

On the error page, select More Details for information that helps your tenant admin. The tenant admin can then check the sign-in logs to investigate the error. For example, if a user's certificate is revoked and is listed on the certificate revocation list (CRL), authentication fails as intended, and the sign-in log records that reason.

How do we turn on Microsoft Entra CBA?

  1. Sign in to the Microsoft Entra admin center with at least the Authentication Policy Administrator role assigned.
  2. Go to Entra ID > Authentication methods > Policies.
  3. Select the Certificate-based authentication policy.
  4. On the Enable and Target tab, select Enable.

Is Microsoft Entra CBA a free feature?

Microsoft Entra CBA is a free feature.

Every edition of Microsoft Entra ID includes Microsoft Entra CBA.

For more information about features in each Microsoft Entra edition, see Microsoft Entra pricing.

Does Microsoft Entra CBA support an alternate ID as the username instead of userPrincipalName?

No. Currently, sign-in by using a non-UPN value, such as an alternate email, isn't supported.

Can I have more than one CRL distribution point for a certificate authority?

No, only one CRL distribution point (CDP) is supported per certificate authority (CA).

Can I use a non-HTTP URL for a CDP?

No. CDP supports only HTTP URLs.

How do I find the CRL for a CA, or how do I troubleshoot the error "AADSTS2205015: The Certificate Revocation List (CRL) failed signature validation"?

Download the CRL and compare the CA certificate with the CRL to validate that the crlDistributionPoint value is correct for the CA you want to add. A CRL belongs to a CA when the CA certificate's Subject Key Identifier (SKI) equals the CRL's Authority Key Identifier (AKI), that is, CA SKI == CRL AKI. If the two differ, the CRL was signed by a different key, and signature validation fails.

The following table and figure show how to map fields of the CA certificate to the attributes of the downloaded CRL.

  CA certificate field            Downloaded CRL field
  Subject                         Issuer
  Subject Key Identifier (SKI)    Authority Key Identifier (KeyID)

[Screenshot that compares CA certificate fields with CRL information.]

How do I validate the CA configuration?

It's important to ensure that the CA configuration in the trust store results in Microsoft Entra being able to validate the CA trust chain. Also, it should successfully acquire the CRL from the configured CA CDP. To assist with this task, we recommend that you install the MSIdentity Tools PowerShell module and run Test-MsIdCBATrustStoreConfiguration.

The PowerShell cmdlet reviews the Microsoft Entra tenant CA configuration and surfaces errors and warnings for common configuration issues.

How do I turn off certificate revocation checking for a specific CA?

We highly recommend that you don't turn off CRL checking. If you turn off CRL checking for a CA, certificates that the CA revokes are still accepted for sign-in, so revocation has no effect.

However, if you need to investigate issues with CRL checking, you can temporarily exempt a CA from CRL checking in the Microsoft Entra admin center.

In the CBA authentication methods policy, select Configure > Add exemption. Select the CA that you want to exempt, and then select Add. Remove the exemption when the investigation is complete.

Do CRLs have a size limit?

The following CRL size limits apply:

  • Interactive sign-in download limit: 20 MB for Azure Global (includes Azure Government Community Cloud), 45 MB for Azure for US Government (includes Azure Government Community Cloud High, Department of Defense)
  • Service download limit: 65 MB for Azure Global (includes Azure Government Community Cloud), 150 MB for Azure for US Government (includes Azure Government Community Cloud High, Department of Defense)

When a CRL download fails, the following message appears:

"The Certificate Revocation List (CRL) downloaded from <URI> has exceeded the maximum allowed size (<size> bytes) for CRLs in Microsoft Entra ID. Try again in few minutes. If the issue persists, contact your tenant administrators."

The service continues to download the CRL in the background, where the higher service download limit applies.

We're reviewing the effect of these limits.

A valid CRL endpoint is configured, but revoked certificates are still accepted. Why?

  • Make sure that the CRL distribution point is set to a valid HTTP URL.
  • Make sure that the CRL distribution point is accessible via an internet-facing URL.
  • Make sure that the CRL sizes are within limits.
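The following Go program is an added example and is not part of this article or of the MSIdentity Tools module. It carries out, offline, the checks described in the CRL question above (CA Subject == CRL Issuer, CA SKI == CRL AKI, and CRL signature validation under the CA key) together with the CDP and size checks in the list just above. The CA names, the CDP URL http://crl.contoso.com/ca.crl and the revoked serial 4242 are constructed test data generated by the program itself, not a real issuing CA; the 20 MB figure is the Azure Global interactive limit from this article. Only the Go standard library is used (crypto/x509, Go 1.21 or later).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Interactive sign-in CRL download limit for Azure Global, as stated in the FAQ.
const InteractiveCRLLimitGlobal = 20 * 1024 * 1024

// CheckCRLForCA runs the checks the FAQ describes for one CA trust-store entry and
// returns every failure it finds (an empty slice means the entry is consistent):
// the CDP must be an HTTP URL, the CRL must be within sizeLimit bytes, the CRL
// issuer must equal the CA subject, the CRL AKI must equal the CA SKI, and the
// CRL signature must verify with the CA key. caDER and crlDER are DER-encoded.
func CheckCRLForCA(caDER, crlDER []byte, cdp string, sizeLimit int) []string {
	var problems []string

	u, err := url.Parse(cdp)
	if err != nil || u.Scheme != "http" || u.Host == "" {
		problems = append(problems, fmt.Sprintf("CDP %q is not an HTTP URL", cdp))
	}
	if len(crlDER) > sizeLimit {
		problems = append(problems, fmt.Sprintf("CRL is %d bytes, over the %d byte limit", len(crlDER), sizeLimit))
	}

	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return append(problems, "CA certificate does not parse: "+err.Error())
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return append(problems, "CRL does not parse: "+err.Error())
	}

	// The mapping from the FAQ table: CA Subject == CRL Issuer, CA SKI == CRL AKI.
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		problems = append(problems, fmt.Sprintf("CRL issuer %q != CA subject %q", crl.Issuer.String(), ca.Subject.String()))
	}
	if !bytes.Equal(crl.AuthorityKeyId, ca.SubjectKeyId) {
		problems = append(problems, fmt.Sprintf("CRL AKI %x != CA SKI %x", crl.AuthorityKeyId, ca.SubjectKeyId))
	}
	// A CRL from a different CA that reuses the same name still fails here.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		problems = append(problems, "CRL signature does not verify with the CA key: "+err.Error())
	}
	return problems
}

// IsRevoked reports whether the certificate serial appears on the DER-encoded CRL.
func IsRevoked(crlDER []byte, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// NewTestCA generates a throwaway self-signed CA and a CRL it signs, listing the
// given serials as revoked. Constructed test data, not a real issuing CA.
func NewTestCA(name string, revoked []*big.Int) (caDER, crlDER []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is required for CheckSignatureFrom to accept CRLs from this CA.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Go derives the Subject Key Identifier from the public key for CA templates.
	caDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour),
	}
	for _, s := range revoked {
		crlTmpl.RevokedCertificateEntries = append(crlTmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	// CreateRevocationList copies the issuer's SKI into the CRL's AKI.
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		panic(err)
	}
	return caDER, crlDER
}

func main() {
	cdp := "http://crl.contoso.com/ca.crl"
	contosoCA, contosoCRL := NewTestCA("Contoso Issuing CA", []*big.Int{big.NewInt(4242)})
	_, fabrikamCRL := NewTestCA("Fabrikam CA", nil)
	fmt.Println("matching CRL:", CheckCRLForCA(contosoCA, contosoCRL, cdp, InteractiveCRLLimitGlobal))
	fmt.Println("CRL from another CA:", CheckCRLForCA(contosoCA, fabrikamCRL, cdp, InteractiveCRLLimitGlobal))
	revoked, _ := IsRevoked(contosoCRL, big.NewInt(4242))
	fmt.Println("serial 4242 revoked:", revoked)
}
```

The second CheckCRLForCA call reports three problems because the Fabrikam CRL's issuer, AKI and signature all fail to match the Contoso CA; that is the kind of mismatch behind the AADSTS2205015 signature-validation error. To check a real trust-store entry, read the CA certificate and the downloaded CRL as DER bytes, pass the CDP string as configured in the tenant, and substitute the 45 MB figure for Azure for US Government.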

How do I instantly revoke a certificate?

Complete the steps to manually revoke a certificate.

Do changes to the authentication methods policy take effect immediately?

The policy is cached. After a policy update, it might take up to an hour for the changes to take effect.

Why do I see the CBA option after it fails?

The authentication method policy always shows all available authentication methods to the user so that they can retry sign-in by using any method they prefer.

Microsoft Entra ID doesn't hide available methods based on the success or failure of a sign-in.

Why does CBA loop after it fails?

The browser caches the certificate after the certificate picker appears. If the user retries authentication, the cached certificate is automatically used. The user should close the browser, and then reopen a new session to try CBA again.

Why doesn't identity proof to register other authentication methods appear as an option when I use single-factor certificates?

A user is considered capable of multifactor authentication (MFA) when the user is in scope for CBA in the authentication methods policy. This policy requirement means that a user can't use identity proof as part of their authentication to register other available methods.

How can I use single-factor certificates to complete MFA?

We support single-factor CBA to get MFA. CBA single-factor with passwordless phone sign-in and CBA single-factor with FIDO2 are the two supported combinations to get MFA by using single-factor certificates.

For more information, see MFA with single-factor certificates.

The certificateUserIds update fails because it's an existing value. How can an admin query all the user objects that have the same value?

Tenant admins can run Microsoft Graph queries to find all the users that have a specific certificateUserIds value. For more information, see certificateUserIds Graph queries.

For example, this request returns all user objects whose certificateUserIds collection (a property of authorizationInfo) contains the principal-name value X509:<PN>bob@contoso.com. Filtering on this collection is an advanced query, so it needs $count=true and the ConsistencyLevel: eventual header:

GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq 'X509:<PN>bob@contoso.com')&$count=true
ConsistencyLevel: eventual

After a CRL endpoint is configured, users can't sign in. They see the message "AADSTS500173: Unable to download CRL. Invalid status code Forbidden from CRL distribution point. errorCode: 500173."

This error is commonly seen when a firewall rule blocks access to the CRL endpoint, so the CDP returns HTTP 403 instead of the CRL. Confirm that the CDP is reachable from the internet without authentication.

Can Microsoft Entra CBA be used on Microsoft Surface Hub?

Yes. CBA works out of the box with most combinations of smart card and smart card reader. If a combination requires additional drivers, install them on the Surface Hub before you use that smart card and reader with it.