[Technical How-To] Establish Office 365 Certificate Authentication in VMware Workspace ONE

Jan 9, 2018

Author: Shardul Navare

Shardul is Senior Solutions Architect for VMware End-User Computing (EUC).

Today’s post explains how to establish certificate-based authentication for Microsoft Office 365 in VMware Identity Manager.

App Access & Management with VMware Workspace ONE

VMware Workspace ONE unifies VMware Identity Manager access control and application management and VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device.

Office 365 Certificate Authentication with Identity Manager Overview

Certificate-based authentication for Microsoft Office 365 provides employees seamless access to email and other resources. Relying on client certificates simplifies authentication by eliminating the need for employee username and password combinations. Pair certificate-based authentication for Office 365 with VMware Workspace ONE to streamline access for Windows, Android and iOS devices.

Benefits of Certificate-Based Authentication

Eliminate Brute-Force Threats: Certificate authentication replaces basic and NT LAN Manager (NTLM) authentication, eliminating the threat of password hack attacks.
Ensure Device Compliance: Only compliant devices receive valid certificates. Therefore, requiring a valid certificate ensures the requesting device enrolled with Workspace ONE, and meets the defined corporate policies.
Manage the Certificate Lifecycle: Automate and control the request, revoke and renewal phases of the client certificate lifecycle.
Integrate with Public Key Infrastructure (PKI) & Managed PKI Infrastructure: Workspace ONE uses a dedicated certificate authority (CA) and certificate to avoid conflicts with an organization’s other certificate deployments.

Office 365 Certificate Authentication with Identity Manager Configuration

Before You Begin

Office 365 domain federated with Workspace ONE
AirWatch tenant integrated with PKI/MPKI infrastructure
Access to root and intermediate Certificates (if applicable) for the issuing CA
Internet-facing URLs where the Certificate Revocation Lists (CRLs) reside
Global admin access to O365 tenant
Windows PowerShell 2.0 or higher
Azure AD Module for PowerShell 2.0.0.33 or higher
Exchange ActiveSync client that supports certificate-based authentication

Configure Office 365 Certificate Authentication with Identity Manager

The video at the top of this post provides a how-to demonstration of Office 365 certificate authentication with Identity Manager. For step-by-step instructions of the processes covered in the video, expand the drop-down menus.

Step 1: Download the Root & Intermediate CA Certificate

Download Root & Intermediate CA Certificate

To configure a trusted CA in Azure, upload any applicable root and intermediate certificates for the CA issuing the user certificates.

Step 2: Install AzureAD PowerShell Module

Install Azure AD PowerShell Module

Install Azure AD PowerShell Module 2.0.0.33 or higher for use configuring the Azure AD trusted CA.

Run Windows PowerShell as Administrator
Run the following command: Install-Module -Name AzureAD
Accept any prompts to install
Review the command output that displays:
- If a success message displays, proceed to the next step.
- If an error message displays, troubleshoot before proceeding.

Step 3: Configure Azure AD Trusted CA

Configure Azure AD Trusted CA

After installing PowerShell, use it to connect with Azure AD and configure a trusted CA. Then, validate the CA’s configuration.

Run Windows PowerShell as Administrator
Connect with Azure AD: Connect-Azure AD
Once connected, enter global admin credentials to authenticate.
Populate certificate variables in PowerShell: $cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]" Note: If including one or more intermediate CAs in the certificate path, then add more than one trusted CA into Azure
Create the AzureAD CA variable: $new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation $new_ca.AuthorityType=0 (1 for Intermediate CA) $new_ca.TrustedCertificate=$cert
Configure an Azure accessible CRL endpoint: $new_ca.crlDistributionPoint="<CRL Distribution URL>" Note: If the CRL is not accessible or certificate is revoked, authentication falls back to standard flow
Create new AzureAD Trusted CA object in Azure: New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
Validate Trusted CA object’s creation: Get-AzureADTrustedCertificateAuthority

Step 4: Configure the Certificate Template in AirWatch

Configure the Certificate Template in AirWatch

After configuring the trusted CA in PowerShell, configure a template that requests client certificates in the AirWatch console.

Certificates must contain the Office 365 user principal name (UPN) to map correctly to devices. Add the Office 365 UPN as a subject alternative name (SAN) value in either the UPN or email (RFC822) field.

Step 5: Create an Exchange ActiveSync Profile in AirWatch

Create an Exchange ActiveSync Profile in AirWatch

After creating the certificate template in the AirWatch console, create a device profile that provisions user certificates to enrolled devices.

Create a new device profile (in this case iOS).
Add a credentials payload and associate the appropriate certificate request template.
Use lookup values, where applicable, to configure an Exchange ActiveSync payload for Office 365:
- Exchange ActiveSync Host: office365.com
- Domain: User’s email domain in Office 365
- Username: User’s Office 365 account (usually maps to user’s email address)
- E-mail Address: User’s email address
- Password: {Empty field}
- Payload Certificate: Choose the certificate payload that matches what was configured in step 2.

Step 6: Create Authentication Policies for Fallback Flow

Create Authentication Policies for Fallback Flow

In Azure, certificates created in a trusted CA, are Optional (back to IIS terminology). This means that authentication does not solely rely on certificates. In lieu of a certificate, Azure falls back to basic authentication. In turn, ActiveSync traffic falls back to the default WS-Federation active flow.

To make sure only devices with valid certificates access Exchange Online, create policies to block off authentication via basic credentials. In the Identity Manager admin catalog, navigate to the Office 365 application. Then, from the access policies menu, create policies to either block all or only allow a subset of users/clients to authenticate with basic credentials.