Azure Active Directory certificate-based authentication on Android

Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:

  • Office mobile applications such as Microsoft Outlook and Microsoft Word
  • Exchange ActiveSync (EAS) clients

Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS (Android) device for users of tenants in Office 365 Enterprise, Business, Education, and China.

Microsoft mobile applications support

Apps                              Support
Azure Information Protection app  Supported
Intune Company Portal             Supported
Microsoft Teams                   Supported
OneNote                           Supported
OneDrive                          Supported
Outlook                           Supported
Power BI                          Supported
Skype for Business                Supported
Word / Excel / PowerPoint         Supported
Yammer                            Supported

Implementation requirements

The device OS version must be Android 5.0 (Lollipop) or later.

A federation server must be configured.

For Azure Active Directory to revoke a client certificate, the ADFS token must carry the following claims:

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber> (the serial number of the client certificate)
  • http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer> (the string for the issuer of the client certificate)

Azure Active Directory adds these claims to the refresh token if they are present in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the certificate's revocation status.

As a best practice, you should update your organization's ADFS error pages with the following information:

  • The requirement to install Microsoft Authenticator on Android.
  • Instructions on how to obtain a user certificate.

For more information, see Customizing the AD FS Sign-in Pages.

Some Office apps (with modern authentication enabled) send 'prompt=login' to Azure AD in their request. By default, Azure AD translates 'prompt=login' in the request to ADFS as 'wauth=usernamepassworduri' (asks ADFS to do username/password authentication) and 'wfresh=0' (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify this default Azure AD behavior: set 'PromptLoginBehavior' in your federated domain settings to 'Disabled'. You can use the Set-MSOLDomainFederationSettings cmdlet to perform this task:

Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
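The following script is an added example, not part of the original page or of the MSOnline module itself: it audits every federated domain in the tenant, reports which ones still use the default PromptLoginBehavior that breaks CBA for prompt=login apps, and only changes them when the -Apply switch is given. It assumes the MSOnline PowerShell module is installed and that the account used can administer domain federation settings.

```powershell
# Added example: audit (and optionally fix) PromptLoginBehavior on federated domains.
# Assumes the MSOnline module is installed; run Connect-MsolService first.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

Connect-MsolService

# Only federated domains have federation settings; managed domains are skipped.
$federatedDomains = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

foreach ($domain in $federatedDomains) {
    $settings = Get-MsolDomainFederationSettings -DomainName $domain.Name
    $current  = $settings.PromptLoginBehavior

    if ($current -eq 'Disabled') {
        Write-Output "$($domain.Name): PromptLoginBehavior already Disabled (CBA-compatible)"
        continue
    }

    # Any other value (including the default) makes Azure AD translate prompt=login
    # into wauth=usernamepassworduri + wfresh=0, forcing a password prompt instead of CBA.
    Write-Output "$($domain.Name): PromptLoginBehavior is '$current'; CBA for prompt=login apps will fail"

    if ($Apply) {
        Set-MsolDomainFederationSettings -DomainName $domain.Name -PromptLoginBehavior Disabled
        $after = (Get-MsolDomainFederationSettings -DomainName $domain.Name).PromptLoginBehavior
        Write-Output "$($domain.Name): PromptLoginBehavior now '$after'"
    }
}
```

Run it once without -Apply to review the report, then with -Apply to change only the domains that need it; changing PromptLoginBehavior affects every user of that federated domain, so coordinate with the ADFS owners first.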

Exchange ActiveSync clients support

Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported. To determine whether your email application supports this feature, contact your application developer.

Next steps

If you want to configure certificate-based authentication in your environment, see Get started with certificate-based authentication on Android for instructions.