In the past year, many government and regulated industry customers have switched from Active Directory Federation Services (AD FS) to Microsoft Entra ID for a more secure authentication experience. This has led to a significant increase in phishing-resistant authentication for US government customers.
Microsoft continues to invest in enhancing Microsoft Entra certificate-based authentication (CBA). The latest enhancements include a fail-safe for Certificate Revocation List (CRL) validation and an enhanced PKI-based certificate authority (CA) store.
The CRL validation fail-safe lets admins strengthen security by failing CBA authentication when the issuing CA has no CRL configured, rather than completing the sign-in without a revocation check. This helps catch misconfigurations in the trusted CA list and improves overall security. Admins can enable or disable this strict CRL validation based on their requirements.
The enhanced PKI-based CA store now has higher limits for the number of CAs and the size of each CA file. It supports container objects for each PKI, making it easier for admins to manage CAs. Admins can upload multiple CAs at once or individually and enable issuer hints for specific CAs.
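As an added illustration of the two features above (not Microsoft's code), the following Python audits a trusted-CA list for entries with no CRL configured and models how the CRL fail-safe changes the authentication outcome. The store is a constructed sample that reuses the field names of the Microsoft Graph `certificateAuthority` resource (`issuer`, `issuerSki`, `isRootAuthority`, `certificateRevocationListUrl`); the policy logic is a simplified model of the behaviour described, not Entra's implementation.

```python
import json

# Constructed sample trusted-CA store (values are made up for this example).
SAMPLE_CA_STORE = json.dumps([
    {"issuer": "CN=Contoso Root CA", "issuerSki": "AA11", "isRootAuthority": True,
     "certificateRevocationListUrl": "http://crl.contoso.example/root.crl"},
    {"issuer": "CN=Contoso Issuing CA 1", "issuerSki": "BB22", "isRootAuthority": False,
     "certificateRevocationListUrl": "http://crl.contoso.example/issuing1.crl"},
    {"issuer": "CN=Contoso Issuing CA 2", "issuerSki": "CC33", "isRootAuthority": False,
     "certificateRevocationListUrl": ""},  # misconfigured: no CRL published
])


def load_store(raw_json):
    """Parse the CA store as exported from the tenant (here, the sample above)."""
    return json.loads(raw_json)


def cas_missing_crl(store):
    """Audit helper: names of CAs that would trip the fail-safe once it is enabled."""
    return [ca["issuer"] for ca in store if not ca.get("certificateRevocationListUrl")]


def evaluate_cba(store, user_cert_issuer_ski, require_crl):
    """Model the sign-in decision for a user certificate issued by the CA with the
    given Subject Key Identifier. require_crl=True models the CRL fail-safe:
    a missing CRL fails authentication instead of skipping revocation checking.
    Returns (allowed, reason)."""
    issuing = next((ca for ca in store if ca["issuerSki"] == user_cert_issuer_ski), None)
    if issuing is None:
        return False, "issuing CA is not in the trusted CA store"
    crl_url = issuing.get("certificateRevocationListUrl")
    if not crl_url:
        if require_crl:
            return False, f"{issuing['issuer']} has no CRL configured (fail-safe)"
        return True, f"{issuing['issuer']} has no CRL configured; revocation not checked"
    return True, f"revocation would be checked against {crl_url}"


if __name__ == "__main__":
    store = load_store(SAMPLE_CA_STORE)
    print("CAs lacking a CRL:", cas_missing_crl(store))
    for ski in ("BB22", "CC33", "ZZ99"):
        for strict in (False, True):
            print(ski, "strict" if strict else "lenient", evaluate_cba(store, ski, strict))
```

Running the audit before turning the fail-safe on shows which issuing CAs need a CRL configured so that legitimate users are not locked out.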
Feedback on these enhancements is welcome as Microsoft continues to work towards general availability. Future enhancements may include the removal of limits on CRL, support for CBA on resource tenants for B2