Download Root & Intermediate CA Certificate

To configure a trusted CA in Azure, upload any applicable root and intermediate certificates for the CA issuing the user certificates.

Install Azure AD PowerShell Module

Install Azure AD PowerShell Module 2.0.0.33 or higher for use configuring the Azure AD trusted CA.

1. Run Windows PowerShell as Administrator
2. Run the following command: Install-Module -Name AzureAD
3. Accept any prompts to install
4. Review the command output that displays:
   • If a success message displays, proceed to the next step.
   • If an error message displays, troubleshoot before proceeding.

Configure Azure AD Trusted CA

After installing PowerShell, use it to connect with Azure AD and configure a trusted CA. Then, validate the CA’s configuration.

1. Run Windows PowerShell as Administrator
2. Connect with Azure AD: Connect-Azure AD
3. Once connected, enter global admin credentials to authenticate.
4. Populate certificate variables in PowerShell: $cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]" Note: If including one or more intermediate CAs in the certificate path, then add more than one trusted CA into Azure
5. Create the AzureAD CA variable: $new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation $new_ca.AuthorityType=0 (1 for Intermediate CA) $new_ca.TrustedCertificate=$cert
6. Configure an Azure accessible CRL endpoint: $new_ca.crlDistributionPoint="<CRL Distribution URL>" Note: If the CRL is not accessible or certificate is revoked, authentication falls back to standard flow
7. Create new AzureAD Trusted CA object in Azure: New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
8. Validate Trusted CA object’s creation: Get-AzureADTrustedCertificateAuthority

Configure the Certificate Template in AirWatch

After configuring the trusted CA in PowerShell, configure a template that requests client certificates in the AirWatch console.

Certificates must contain the Office 365 user principal name (UPN) to map correctly to devices. Add the Office 365 UPN as a subject alternative name (SAN) value in either the UPN or email (RFC822) field.

Create an Exchange ActiveSync Profile in AirWatch

After creating the certificate template in the AirWatch console, create a device profile that provisions user certificates to enrolled devices.

1. Create a new device profile (in this case iOS).
2. Add a credentials payload and associate the appropriate certificate request template.
3. Use lookup values, where applicable, to configure an Exchange ActiveSync payload for Office 365:
   • Exchange ActiveSync Host: office365.com
   • Domain: User’s email domain in Office 365
   • Username: User’s Office 365 account (usually maps to user’s email address)
   • E-mail Address: User’s email address
   • Password: {Empty field}
   • Payload Certificate: Choose the certificate payload that matches what was configured in step 2.

Create Authentication Policies for Fallback Flow

In Azure, certificates created in a trusted CA, are Optional (back to IIS terminology). This means that authentication does not solely rely on certificates. In lieu of a certificate, Azure falls back to basic authentication. In turn, ActiveSync traffic falls back to the default WS-Federation active flow.

To make sure only devices with valid certificates access Exchange Online, create policies to block off authentication via basic credentials. In the Identity Manager admin catalog, navigate to the Office 365 application. Then, from the access policies menu, create policies to either block all or only allow a subset of users/clients to authenticate with basic credentials.