Skip to main content

Certificates with Microsoft Azure

How can I import a root certificate into Microsoft Azure AD?

The administration of the authentication can be done in the Microsoft Entra Admin Center. This can be reached, for example, at

In this Admin Center a new root certificate can be uploaded under the menu item Security / Certificate Authorities:

certificate authorities in Microsoft Entra admin center.

After clicking Upload the file can be selected. When asked if it is a root certificate, "Yes" must be selected.

Upload root certificate


If the previously created file is not displayed or accepted, the file extension may need to be renamed to .cer.

Now the new root certificate is displayed in the list and can be configured for authentication.

How do I enable certificate-based authentication for Microsoft Azure AD?

Once a root certificate has been uploaded to the Microsoft Entra admin center, it can also be enabled for authentication. This can be done under the Security / Authentication Methods menu item:

Authentication Methods Configuration.

There you can and under policies set the certificate based authentication:

Configuration of certificate based authentication

In the first tab Activate and Target you can configure for which users or groups the certificate based authentication should be activated. In the second tab Configure the previously uploaded certificate or its issuer can be selected under Add rule:

Add a rule

In the dropdown menu the issuer can be selected:

Select certificate issuer

Before saving, check that the following two values are present in the user attributes:

  • Certificate field: PrincipalName - User attribute: onPremiseUserPrincipalName.
  • certificate field:** RFC822Name - user attribute:** userPrincipalName.

Now it can be saved. This successfully completes the process in the Microsoft Entra admin center.