Many Azure customers run credential-based networks with PEAP-MSCHAPv2 authentication. While that may be fine for some, credential-based authentication has major issues with security and user experience. Passwords are now a bad choice for authentication because modern cyber attacks can easily bypass them.
PEAP-MSCHAPv2 is a credential-based authentication protocol that relies on end users remembering a password to log on. There is a well-known vulnerability with PEAP’s encryption method, allowing hackers to decrypt packets and access login credentials. Credential-based authentication is also annoying for IT admins because of password-related support tickets.
AD to Azure AD cloud migration had major roadblocks, leaving Azure admins searching for an easy way to migrate. Unlike AD, there isn’t a straightforward solution for deploying 802.1x authentication on Azure AD.
Fortunately, certificates offer an easy way for network admins to migrate efficiently to the cloud, easily deploy 802.1x, and safely grant network access to end users. Certificates can eliminate over-the-air credential theft because they’re nearly impossible to decrypt. Even if someone outside the network were to get their hands on a certificate, it would take them years to crack. Certificates can be configured for authentication with EAP-TLS, the most secure authentication protocol.
Network visibility is also a breeze with certificates because admins can map user attributes onto certificates so the device is easier to track on the network. Admins can learn exactly who is on the network, what they’re doing, and for how long.
How to Deploy Certificates in Azure AD
Many organizations have avoided deploying certificates because it seems too complicated to get a certificate onto every network device. That’s actually not the case if admins use onboarding software for BYODs and Gateway APIs, such as SCEP, for managed devices. Both of these systems allow admins to automate device configuration and certificate enrollment. Manually configuring each device for network access is a thing of the past.
A Public Key Infrastructure (PKI) is required to deploy certificates. Fortunately, SecureW2 offers one right out the box. Setup can be done in a matter of hours and admins don’t need to be certificate experts to set it up.
Generating Certificates for Azure Users with SecureW2

Below is a brief overview on how Azure customers can generate and deploy certificates. We’ll be using SecureW2’s Managed PKI services for our documentation.
- Use SecureW2’s Getting Started Wizard to integrate Azure AD. Our PKI services are completely turnkey; the Getting Started Wizard provides Azure AD admins with everything they need, and setup can be done in a few hours.
- Set up CAs in the SW2 Management Portal. CAs serve as the central authority for certificates and are where admins determine which roles and policies will apply to their network.
- Add Azure as the IdP in SecureW2. Azure can be configured as the IdP in SecureW2’s management portal.
- Go to the Azure Management Portal to configure the SAML IdP. Once complete, the RADIUS server will be able to authenticate devices against Azure AD.
- Configure attribute mapping. Admins can map attributes to certificates so they’ll have an easier time seeing who’s on the network.
- Configure the network policies to be distributed. Once devices are properly configured, they can start requesting certificates.
Managing Certificates on Azure AD
Below, we’ve listed a few features of certificate-based networks and how they simplify network management.
Certificate Templates for Azure AD
Certificate templates are designed for IT admins to set the guidelines for network access. After configuring group policies, admins can customize specific certificate templates to issue to each network group. Once this is set up, when a network device requests a certificate, the CA is able to determine what type of certificate the device is allowed to have based on the end user’s permissions.
Certificate templates are also used to configure access for VPNs, Wi-Fi, and web apps. The ability to configure VPN access is particularly relevant since millions of users are working remotely during the current Covid-19 pandemic.
Attribute Mapping on Azure AD
Attribute mapping is incredibly helpful for creating custom certificates and network policies because it allows admins to map user details to a certificate. That helps the RADIUS server better determine what a device is authorized to access when signing on to the network.
Azure AD CRL
A certificate revocation list (CRL) is a security measure that allows RADIUS servers to view all the certificates revoked by the CA. The RADIUS server periodically downloads the list and checks it every time a device requests access. If a device is lost or stolen and still equipped with a certificate, revoking the certificate and placing it on the CRL will ensure that specific device will not be allowed network access.
There are two types of CRLs and the difference lies in how often they update. The Base CRL updates weekly and the Delta CRL daily. However, the Delta CRL can be configured to update every 15 minutes to enhance security, a feature possible with SecureW2.
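As an added example that is not SecureW2’s code, the following Go program (standard library only) mimics the RADIUS-side check described above: a throwaway CA issues device certificates, a weekly Base CRL and a 15-minute Delta CRL are signed, and a certificate is accepted only if every list is authentic, still within its validity window, and does not list the device’s serial. The function names, the CA and the serial numbers are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CRLAllows: every CRL (base and delta) must carry a valid CA signature and be inside its validity window, and none may list the client's serial.
func CRLAllows(client, ca *x509.Certificate, crls []*x509.RevocationList, at time.Time) bool {
	for _, l := range crls {
		if l.CheckSignatureFrom(ca) != nil || at.After(l.NextUpdate) {
			return false // forged or stale list: fail closed rather than trust old data
		}
		for _, e := range l.RevokedCertificates {
			if e.SerialNumber.Cmp(client.SerialNumber) == 0 {
				return false // the device's certificate has been revoked
			}
		}
	}
	return true
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates a one-year certificate with the given serial; with parent == nil it builds the self-signed CA (CertSign/CRLSign usages are required by CreateRevocationList).
func Issue(serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "device"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0)}
	if parent == nil {
		t.Subject.CommonName, t.IsCA, t.BasicConstraintsValid = "Example Issuing CA", true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = t, k
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, k.Public(), parentKey))
	return must(x509.ParseCertificate(der)), k
}

// NewCRL signs CRL number num revoking one serial; valid is its refresh window (a week for the Base CRL, 15 minutes for the Delta CRL described above).
func NewCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, num, revoked int64, valid time.Duration) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(num), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(valid),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}
```

A real authenticator would refresh both lists on the CA’s publication schedule; the staleness check is what makes a lost or stolen device’s certificate stop working within the Delta CRL’s 15-minute window rather than silently relying on an outdated list.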
Managed Device Gateways
IT professionals know how monotonous it is to manually configure every device for network access – and how risky it is to leave manual configuration up to the end user. Luckily, integrating powerful gateway APIs onto the network makes it easy for admins to send out configuration payloads to every managed device.
For Azure AD customers, SecureW2 allows admins to build a SCEP gateway they can then use to push out configuration policies. Once the configuration policy makes it to the device, the device will then automatically request a certificate. This removes the end user entirely from the process and is much faster than manually configuring each device.
If your Azure environment contains Microsoft Intune, check out our guide on integrating SCEP to enroll certificates on Intune.
Identity Lookup on Azure AD
Many IT admins have issues identifying who is on the network, especially admins with MDMs that won’t allow emails to be input into RFC on certificate templates. That’s why SecureW2 offers industry-unique Identity Lookup integration to quickly find certificates and identify the user device.
Integrating Azure AD with Cloud RADIUS and SecureW2’s Onboarding Software
Integrating SecureW2’s Cloud RADIUS with Azure AD is simple because Cloud RADIUS already comes with a Managed PKI and EAP-TLS authentication. Click here to see how easy it is to integrate Azure AD and Cloud RADIUS.
SecureW2’s onboarding software simplifies the onboarding process for both BYODs and managed devices. With the JoinNow Suite, BYOD end users can sign on to the network in just a few clicks. Our Gateway APIs can be configured to provision every device with a certificate, completely eliminating the need for manual configuration.
Deploying certificates to your network increases security and relieves the IT department of the time spent configuring each device manually. Integrating Cloud RADIUS and SecureW2’s onboarding software streamlines the device authentication process and ensures all devices are equipped with a certificate and easily visible on the network. All of this comes at an affordable cost; click here for pricing.
The post How to Manage Certificates Using Azure Active Directory (AD) appeared first on SecureW2.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Samuel Metzler. Read the original post at: https://www.securew2.com/blog/manage-certificates-azure-active-directory-ad/

