Merge pull request #6066 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 11/22

docs/identity/authentication/TOC.yml

@@ -189,6 +189,8 @@
             href: concept-certificate-based-authentication-technical-deep-dive.md
           - name: Configure Microsoft Entra CBA
             href: how-to-certificate-based-authentication.md
+          - name: Configure certificate authorities
+            href: how-to-configure-certificate-authorities.md
           - name: Windows smart card logon
             href: concept-certificate-based-authentication-smartcard.md
           - name: Apple devices

docs/identity/authentication/how-to-configure-certificate-authorities.md

@@ -0,0 +1,117 @@
+---
+title: How to configure certificate authorities for Microsoft Entra certificate-based authentication
+description: Topic that shows how to configure certificate authorities for Microsoft Entra certificate-based authentication.
+
+ms.service: entra-id
+ms.subservice: authentication
+ms.topic: how-to
+ms.date: 11/21/2024
+
+ms.author: justinha
+author: vimrang
+manager: amycolannino
+ms.reviewer: vraganathan
+ms.custom: has-adal-ref, has-azure-ad-ps-ref
+---
+# How to configure certificate authorities for Microsoft Entra certificate-based authentication
+
+The best way to configure the certificate authorities (CAs) is with the PKI-based trust store (Preview). You can delegate configuration with a PKI-based trust store to least privileged roles. For more information see, [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](how-to-certificate-based-authentication.md#step-1-configure-the-certificate-authorities-with-pki-based-trust-store-preview).
+
+As an alternative, a Global Administrator can follow steps in this topic to configure CAs by using the Microsoft Entra admin center, or Microsoft Graph REST APIs and the supported software development kits (SDKs), such as Microsoft Graph PowerShell. 
+The public key infrastructure (PKI) infrastructure or PKI admin should be able to provide the list of issuing CAs. 
+
+To make sure you configured all the CAs, open the user certificate and click **Certification path** tab. 
+Make sure every CA until the root is uploaded to the Microsoft Entra ID trust store. 
+Microsoft Entra certificate-based authentication (CBA) fails if there are missing CAs.
+
+### Configure certificate authorities using the Microsoft Entra admin center
+
+To configure certificate authorities to enable CBA in the Microsoft Entra admin center, complete the following steps:
+
+1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
+1. Browse to **Protection** > **Show more** > **Security Center** (or **Identity Secure Score**) > **Certificate authorities**.
+1. To upload a CA, select **Upload**: 
+   1. Select the CA file.
+   1. Select **Yes** if the CA is a root certificate, otherwise select **No**.
+   1. For **Certificate Revocation List URL**, set the internet-facing URL for the CA base CRL that contains all revoked certificates. If the URL isn't set, authentication with revoked certificates doesn't fail.
+   1. For **Delta Certificate Revocation List URL**, set the internet-facing URL for the CRL that contains all revoked certificates since the last base CRL was published.
+   1. Select **Add**.
+
+      :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/upload-certificate-authority.png" alt-text="Screenshot of how to upload certificate authority file.":::
+
+1. To delete a CA certificate, select the certificate and select **Delete**.
+1. Select **Columns** to add or delete columns.
+
+>[!NOTE]
+>Upload of a new CA fails if any existing CA expired. You should delete any expired CA, and retry to upload the new CA.
+>[!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]
+
+### Configure certificate authorities (CA) using PowerShell
+
+Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs aren't supported.
+
+[!INCLUDE [Configure certificate authorities](~/includes/entra-authentication-configure-certificate-authorities.md)]
+
+### Connect
+
+[!INCLUDE [Connect-AzureAD](~/includes/entra-authentication-connect.md)]
+
+### Retrieve
+
+[!INCLUDE [Get-AzureAD](~/includes/entra-authentication-get-trusted.md)]
+### Add
+
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
+Follow the preceding steps to add a CA in the Microsoft Entra admin center. 
+
+**AuthorityType**
+- Use 0 to indicate a Root certificate authority
+- Use 1 to indicate an Intermediate or Issuing certificate authority
+
+**crlDistributionPoint**
+
+Download the CRL and compare the CA certificate and the CRL information. Make sure the crlDistributionPoint value in the preceding PowerShell example is valid for the CA you want to add.
+
+The following table and graphic show how to map information from the CA certificate to the attributes of the downloaded CRL.
+
+| CA Certificate Info |= |Downloaded CRL Info|
+|----|:-:|----|
+|Subject |=|Issuer |
+|Subject Key Identifier |=|Authority Key Identifier (KeyID) |
+
+:::image type="content" border="false" source="./media/how-to-certificate-based-authentication/certificate-crl-compare.png" alt-text="Compare CA Certificate with CRL Information.":::
+
+>[!TIP]
+>The value for crlDistributionPoint in the preceding example is the http location for the CA’s Certificate Revocation List (CRL). This value can be found in a few places:
+>
+>- In the CRL Distribution Point (CDP) attribute of a certificate issued from the CA.
+>
+>If the issuing CA runs Windows Server:
+>
+>- On the [Properties](/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1#to-configure-the-cdp-and-aia-extensions-on-ca1)
+ of the CA in the certificate authority Microsoft Management Console (MMC).
+>- On the CA by running `certutil -cainfo cdp`. For more information, see [certutil](/windows-server/administration/windows-commands/certutil#-cainfo).
+
+For more information, see [Understanding the certificate revocation process](./concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-certificate-revocation-process).
+
+### Configure certificate authorities using the Microsoft Graph APIs
+
+Microsoft Graph APIs can be used to configure certificate authorities. To update the Microsoft Entra Certificate Authority trust store, follow the steps at [certificatebasedauthconfiguration MSGraph commands](/graph/api/resources/certificatebasedauthconfiguration).
+
+### Validate Certificate Authority configuration
+
+Make sure the configuration allows Microsoft Entra CBA to: 
+
+- Validate the CA trust chain
+- Get the certificate revocation list (CRL) from the configured certificate authority CRL distribution point (CDP) 
+
+To validate the CA configuration, install the [MSIdentity Tools](https://azuread.github.io/MSIdentityTools/) PowerShell module, and run [Test-MsIdCBATrustStoreConfiguration](https://github.com/AzureAD/MSIdentityTools/wiki/Test-MsIdCBATrustStoreConfiguration). 
+This PowerShell cmdlet reviews the Microsoft Entra tenant CA configuration. 
+It reports errors and warnings for common misconfigurations. 
+
+## Related content
+
+[How to configure Microsoft Entra certificate-based authentication](how-to-certificate-based-authentication.md)
+

docs/identity/role-based-access-control/permissions-reference.md

@@ -7,7 +7,7 @@ search.appverid: MET150
 ms.service: entra-id
 ms.subservice: role-based-access-control
 ms.topic: reference
-ms.date: 09/28/2024
+ms.date: 11/21/2024
 ms.author: rolyon
 ms.reviewer: abhijeetsinha
 ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
@@ -2167,9 +2167,10 @@ This is a [privileged role](privileged-roles-permissions.md). Assign the Privile
 
 - Set or reset any authentication method (including passwords) for any user, including Global Administrators.
 - Delete or restore any users, including Global Administrators. For more information, see [Who can perform sensitive actions](privileged-roles-permissions.md#who-can-perform-sensitive-actions).
-- Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke **remember MFA on the device**, prompting for MFA on the next sign-in of all users.
+- Force users to re-register against existing non-password credential (such as MFA or FIDO2) and revoke **remember MFA on the device**, prompting for MFA on the next sign-in of all users.
 - Update sensitive properties for all users. For more information, see [Who can perform sensitive actions](privileged-roles-permissions.md#who-can-perform-sensitive-actions).
 - Create and manage support tickets in Azure and the Microsoft 365 admin center.
+- Configure certificate authorities with a PKI-based trust store (preview)
 
 Users with this role **cannot** do the following:
 

docs/standards/nist-authenticator-assurance-level-2.md

@@ -27,24 +27,24 @@ Before starting authenticator assurance level 2 (AAL2), you can see the followin
 
 The following table has authenticator types permitted for AAL2:
 
-| Microsoft Entra authentication method| NIST authenticator type |
-| - | - |
+| Microsoft Entra authentication method| Phishing Resistant | NIST authenticator type |
+| - | - | - |
 | **Recommended methods** |   |
-| Multi-factor Software Certificate (PIN Protected) <br> Windows Hello for Business with software Trusted Platform Module (TPM)| Multi-factor crypto software |
-| Hardware protected certificate (smartcard/security key/TPM) <br> FIDO 2 security key <br> Windows Hello for Business with hardware TPM | Multi-factor crypto hardware |
-|Microsoft Authenticator app (Passwordless)  | Multi-factor out-of-band
-| **Additional methods** |  |
-| Password <br> **AND** <br>- Microsoft Authenticator app (Push Notification) <br>- **OR** <br>- Microsoft Authenticator Lite (Push Notification) <br>- **OR** <br>- Phone (SMS) | Memorized secret <br>**AND**<br> Single-factor out-of-band |
-| Password <br> **AND** <br>- OATH hardware tokens (preview) <br>- **OR**<br>- Microsoft Authenticator app (OTP)<br>- **OR**<br>- Microsoft Authenticator Lite (OTP)<br>- **OR** <br>- OATH software tokens | Memorized secret <br>**AND** <br>Single-factor OTP|
-| Password <br>**AND** <br>- Single-factor software certificate <br>- **OR**<br>- Microsoft Entra joined  with software TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with software TPM  <br>- **OR**<br>- Compliant mobile device | Memorized secret <br>**AND**<br> Single-factor crypto software |
-| Password <br>**AND**<br>- Microsoft Entra joined with hardware TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with hardware TPM| Memorized secret <br>**AND**<br>Single-factor crypto hardware |
-
-> [!NOTE]
-> Today, Microsoft Authenticator by itself is not phishing resistant. To gain protection from external phishing threats when using Microsoft Authenticator you must additionally configure Conditional Access policy requiring a managed device.
+| Multi-factor software certificate <br> Windows Hello for Business with software Trusted Platform Module (TPM)| Yes | Multi-factor crypto software |
+| Multi-factor hardware protected certificate <br> FIDO 2 security key <br> Platform SSO for macOS (Secure Enclave) <br> Windows Hello for Business with hardware TPM <br> Passkey in Microsoft Authenticator | Yes |  Multi-factor crypto hardware |
+| **Additional methods** |  
+| Microsoft Authenticator app (Phone Sign-in)  | No | Multi-factor out-of-band|
+| Password <br> **AND** <br>- Microsoft Authenticator app (Push Notification) <br>- **OR** <br>- Microsoft Authenticator Lite (Push Notification) <br>- **OR** <br>- Phone (SMS) | No | Memorized secret <br>**AND**<br> Single-factor out-of-band |
+| Password <br> **AND** <br>- OATH hardware tokens (preview) <br>- **OR**<br>- Microsoft Authenticator app (OTP)<br>- **OR**<br>- Microsoft Authenticator Lite (OTP)<br>- **OR** <br>- OATH software tokens | No | Memorized secret <br>**AND** <br>Single-factor OTP|
+| Password <br>**AND** <br>- Single-factor software certificate <br>- **OR**<br>- Microsoft Entra joined  with software TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with software TPM  <br>- **OR**<br>- Compliant mobile device | Yes<sup>1</sup> | Memorized secret <br>**AND**<br> Single-factor crypto software |
+| Password <br>**AND**<br>- Microsoft Entra joined with hardware TPM <br>- **OR**<br>- Microsoft Entra hybrid joined with hardware TPM| Yes<sup>1</sup> |  Memorized secret <br>**AND**<br>Single-factor crypto hardware |
+
+<sup>1</sup> [Protection from external phishing](../standards/memo-22-09-multi-factor-authentication.md#protection-from-external-phishing)
+
 
 ### AAL2 recommendations
 
-For AAL2, use multi-factor cryptographic hardware or software authenticators. Passwordless authentication eliminates the greatest attack surface (the password), and offers users a streamlined method to authenticate.
+For AAL2, use multi-factor cryptographic authenticator. This is phishing resistant, eliminates the greatest attack surface (the password), and offers users a streamlined method to authenticate.
 
 For guidance on selecting a passwordless authentication method, see [Plan a passwordless authentication deployment in Microsoft Entra ID](~/identity/authentication/howto-authentication-passwordless-deployment.md). See also, [Windows Hello for Business deployment guide](/windows/security/identity-protection/hello-for-business/hello-deployment-guide)
 
@@ -70,12 +70,14 @@ Government agency cryptographic authenticators are validated for FIPS 140 Level
 
 * Certificate stored in software or hardware (smartcard/security key/TPM)
 
-Microsoft Authenticator app is FIPS 140 compliant on iOS and Android. For more information on the FIPS validated cryptographic modules used by Microsoft Authenticator. See [Microsoft Authenticator app](~/identity/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-microsoft-entra-authentication)
+For Microsoft Authenticator app (iOS/Android) FIPS 140 compliance information, See [FIPS 140 compliant for Microsoft Entra authentication](~/identity/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-microsoft-entra-authentication)
 
 For OATH hardware tokens and smartcards we recommend you consult with your provider for current FIPS validation status.
 
 FIDO 2 security key providers are in various stages of FIPS certification. We recommend you review the list of [supported FIDO 2 key vendors](~/identity/authentication/concept-authentication-passwordless.md). Consult with your provider for current FIPS validation status.
 
+Platform SSO for macOS is FIPS 140 compliant. We recommend referring to the [Apple Platform Certifications](https://support.apple.com/guide/certifications/apc3a7433eb89/web). 
+
 ## Reauthentication
 
 For AAL2, the NIST requirement is reauthentication every 12 hours, regardless of user activity. Reauthentication is required after a period of inactivity of 30 minutes or longer. Because the session secret is something you have, presenting something you know, or are, is required.

docs/standards/nist-authenticator-assurance-level-3.md

@@ -30,11 +30,11 @@ Use Microsoft authentication methods to meet required NIST authenticator types.
 | Microsoft Entra authentication methods| NIST authenticator type |
 | - | -|
 | **Recommended methods**|    |
-|  Multi-factor hardware protected certificate <br> FIDO 2 security key <br> Platform SSO for macOS (Secure Enclave) <br> Windows Hello for Business with hardware TPM <br> Passkey in Microsoft Authenticator| Multi-factor cryptographic hardware |
+|  Multi-factor hardware protected certificate <br> FIDO 2 security key <br> Platform SSO for macOS (Secure Enclave) <br> Windows Hello for Business with hardware TPM <br> Passkey in Microsoft Authenticator<sup>1</sup>| Multi-factor cryptographic hardware |
 | **Additional methods**||
 |Password<br>**AND**<br>Single-factor hardware protected certificate|Memorized secret <br>**AND**<br>Single-factor cryptographic hardware|
 
-
+<sup>1</sup> Passkey in Microsoft Authenticator is overall considered partial AAL3 and can qualify as AAL3 on platforms with FIPS 140 Level 2 Overall (or higher) and FIPS 140 level 3 physical security (or higher). For additional information on FIPS 140 compliance for Microsoft Authenticator (iOS/Android) See [FIPS 140 compliant for Microsoft Entra authentication](~/identity/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-microsoft-entra-authentication)
 ### Recommendations
 
 For AAL3, we recommend using a multi-factor cryptographic hardware authenticator that provides passwordless authentication eliminating the greatest attack surface, the password.
@@ -101,7 +101,7 @@ To determine the TPMs that meet current standards, go to [NIST Computer Security
 
 Apple macOS 13 (and above) are FIPS 140 Level 2 Overall, with most devices also FIPS 140 Level 3 Physical Security. We recommend referring to the [Apple Platform Certifications](https://support.apple.com/guide/certifications/apc3a7433eb89/web). 
 
-**Passkey in Microsoft Authenticator**
+#### Passkey in Microsoft Authenticator
 
 For additional information on FIPS 140 compliance for Microsoft Authenticator (iOS/Android) See [FIPS 140 compliant for Microsoft Entra authentication](~/identity/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-microsoft-entra-authentication)