Update 6/6/2017: We updated this post to reflect availability for China plans.
On-premises Exchange environments support the ability for certain mobile apps to utilize certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available for customers using Office 365 Enterprise, Business, Education, Government, and China plans. This does not include Office 365 Defense. It will be available for Office 365 Defense and other Office 365 plans at a later date. This feature is available in Outlook for iOS, Outlook for Android and the Exchange ActiveSync (EAS) protocol.
What is certificate-based authentication?
CBA allows users to authenticate using a client certificate. The certificate is used in place of the user entering credentials into the device.
Why would I want certificate-based authentication?
By utilizing certificate-based authentication, administrators can allow their users to access resources without the need to enter credentials.
The following are required to use CBA:
- Access to a certification authority (CA) to issue client certificates.
- Each CA must have a certificate revocation list (CRL) that can be referenced via an Internet-facing URL.
- Client certificates must be provisioned on mobile devices, typically done using MDM.
- For EAS clients, the RFC822 Name OR Principal Name value in the certificate’s Subject Alternative Name field must have the user’s email address.
Using certificate-based authentication
Configuration in Azure Active Directory is required to use certificate-based authentication. All certificate authorities (and their associated CRL URLs) must be uploaded to Azure Active Directory. More information on getting started with CBA can be found in Get started with certificate-based authentication.
Certificate-based authentication in Outlook for iOS/Android
Currently, certificate-based authentication is only supported in Outlook for Android on Android Lollipop 5.0 and above. Support in Outlook for iOS is coming soon.
A federation server that is configured to perform certificate-based user authentication is also required when using Outlook for Android.
Certificate-based authentication in Exchange ActiveSync applications
Certain EAS applications may support certificate-based authentication. To determine if your application supports CBA, contact the application developer. Preview documentation on how EAS applications can support CBA can be found in Microsoft Exchange protocol documentation.