Azure Active Directory 中基于证书的身份验证入门Get started with certificate-based authentication in Azure Active Directory

如果使用基于证书的身份验证,在 Windows、Android 或 iOS 设备上将 Exchange Online 帐户连接到以下对象时,由 Azure Active Directory 使用客户端证书对你进行身份验证:Certificate-based authentication enables you to be authenticated by Azure Active Directory with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:

  • Microsoft 移动应用程序,例如 Microsoft Outlook 和 Microsoft WordMicrosoft mobile applications such as Microsoft Outlook and Microsoft Word
  • Exchange ActiveSync (EAS) 客户端Exchange ActiveSync (EAS) clients

如果配置了此功能,就无需在移动设备上的某些邮件和 Microsoft Office 应用程序中输入用户名和密码组合。Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

本主题:This topic:

  • 提供的步骤介绍如何为 Office 365 企业版、商业版和教育版中租户的用户配置并使用基于证书的身份验证。Provides you with the steps to configure and utilize certificate-based authentication for users of tenants in Office 365 Enterprise, Business and Education. 此功能在 Office 365 中国中以预览版提供。This feature is available in preview in Office 365 China.
  • 假设已配置公钥基础结构 (PKI)AD FSAssumes that you already have a public key infrastructure (PKI) and AD FS configured.


若要配置基于证书的身份验证,以下语句必须为真:To configure certificate-based authentication, the following statements must be true:

  • 仅浏览器应用程序的联合环境、使用新式身份验证 (ADAL) 的本机客户端或 MSAL 库支持基于证书的身份验证 (CBA)。Certificate-based authentication (CBA) is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. 用于 Exchange Online (EXO) 的 Exchange Active Sync (EAS) 除外,它可用于联合帐户和托管帐户。The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts.
  • 必须在 Azure Active Directory 中配置根证书颁发机构和任何中间证书颁发机构。The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
  • 每个证书颁发机构必须有一个可通过面向 Internet 的 URL 引用的证书吊销列表 (CRL)。Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
  • 必须已在 Azure Active Directory 中至少配置一个证书颁发机构。You must have at least one certificate authority configured in Azure Active Directory. 可以在 配置证书颁发机构 部分查找相关步骤。You can find related steps in the Configure the certificate authorities section.
  • 对于 Exchange ActiveSync 客户端,客户端证书的“使用者可选名称”字段的主体名称或 RFC822 名称值必须为 Exchange Online 中用户的可路由电子邮件地址。For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory 会将 RFC822 值映射到目录中的“代理地址”属性。Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
  • 客户端设备必须能够访问至少一个颁发客户端证书的证书颁发机构。Your client device must have access to at least one certificate authority that issues client certificates.
  • 必须已向客户端颁发用于客户端身份验证的客户端证书。A client certificate for client authentication must have been issued to your client.


Azure Active Directory 成功下载和缓存的 CRL 的最大大小为 20MB,下载 CRL 所需的时间不得超过 10 秒。The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. 如果 Azure Active Directory 无法下载 CRL,则使用相应 CA 颁发的证书进行的基于证书的身份验证将失败。If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. 确保 CRL 文件符合大小限制的最佳做法是将证书生存期保持在合理的限制内,并清理过期的证书。Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.

步骤 1:选择设备平台Step 1: Select your device platform

第一步,用户需针对所关注的设备平台查看以下内容:As a first step, for the device platform you care about, you need to review the following:

  • Office 移动应用程序支持The Office mobile applications support
  • 特定的实现要求The specific implementation requirements

存在以下设备平台的相关信息:The related information exists for the following device platforms:

步骤 2:配置证书颁发机构Step 2: Configure the certificate authorities

若要在 Azure Active Directory 中配置证书颁发机构,请为每个证书颁发机构上传以下内容:To configure your certificate authorities in Azure Active Directory, for each certificate authority, upload the following:

  • 证书的公共部分,格式为 .cerThe public portion of the certificate, in .cer format
  • 证书吊销列表 (CRL) 所在的面向 Internet 的 URLThe internet-facing URLs where the Certificate Revocation Lists (CRLs) reside

证书颁发机构的架构如下所示:The schema for a certificate authority looks as follows:

    class TrustedCAsForPasswordlessAuth
       CertificateAuthorityInformation[] certificateAuthorities;

    class CertificateAuthorityInformation

        CertAuthorityType authorityType;
        X509Certificate trustedCertificate;
        string crlDistributionPoint;
        string deltaCrlDistributionPoint;
        string trustedIssuer;
        string trustedIssuerSKI;

    enum CertAuthorityType
        RootAuthority = 0,
        IntermediateAuthority = 1

对于此配置,可以使用 Azure Active Directory PowerShell 版本 2For the configuration, you can use the Azure Active Directory PowerShell Version 2:

  1. 使用管理员特权启动 Windows PowerShell。Start Windows PowerShell with administrator privileges.
  2. 安装 Azure AD 模块 或更高版本。Install the Azure AD module version or higher.
    Install-Module -Name AzureAD -RequiredVersion

作为第一个配置步骤,需建立与租户的连接。As a first configuration step, you need to establish a connection with your tenant. 与租户建立连接后,即可查看、添加、删除和修改目录中定义的受信任的证书颁发机构。As soon as a connection to your tenant exists, you can review, add, delete, and modify the trusted certificate authorities that are defined in your directory.


若要建立与租户的连接,请使用 Connect-AzureAD cmdlet:To establish a connection with your tenant, use the Connect-AzureAD cmdlet:

    Connect-AzureAD -AzureEnvironmentName AzureChinaCloud


若要检索目录中定义的受信任的证书颁发机构,请使用 Get-AzureADTrustedCertificateAuthority cmdlet。To retrieve the trusted certificate authorities that are defined in your directory, use the Get-AzureADTrustedCertificateAuthority cmdlet.



若要创建受信任的证书颁发机构,请使用 New-AzureADTrustedCertificateAuthority cmdlet,并将 crlDistributionPoint 属性设为正确的值:To create a trusted certificate authority, use the New-AzureADTrustedCertificateAuthority cmdlet and set the crlDistributionPoint attribute to a correct value:

    $cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]"
    $new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $new_ca.crlDistributionPoint="<CRL Distribution URL>"
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca


若要删除受信任的证书颁发机构,请使用 Remove-AzureADTrustedCertificateAuthority cmdlet:To remove a trusted certificate authority, use the Remove-AzureADTrustedCertificateAuthority cmdlet:

    Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[2]


若要修改受信任的证书颁发机构,请使用 Set-AzureADTrustedCertificateAuthority cmdlet:To modify a trusted certificate authority, use the Set-AzureADTrustedCertificateAuthority cmdlet:

    Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[0]

步骤 3:配置吊销Step 3: Configure revocation

若要吊销客户端证书,Azure Active Directory 会从作为证书颁发机构信息的一部分上传的 URL 中提取证书吊销列表 (CRL),并将其缓存。To revoke a client certificate, Azure Active Directory fetches the certificate revocation list (CRL) from the URLs uploaded as part of certificate authority information and caches it. CRL 中的上次发布时间戳(“生效日期”属性)用于确保 CRL 仍然有效。 The last publish timestamp (Effective Date property) in the CRL is used to ensure the CRL is still valid. 将定期引用 CRL,以撤销对该列表中证书的访问权限。The CRL is periodically referenced to revoke access to certificates that are a part of the list.

如果需要更即时的吊销(例如,如果用户丢失了设备),可以使用户的授权令牌失效。If a more instant revocation is required (for example, if a user loses a device), the authorization token of the user can be invalidated. 若要使授权令牌失效,请使用 Windows PowerShell 为此特定用户设置 StsRefreshTokenValidFrom 字段。To invalidate the authorization token, set the StsRefreshTokenValidFrom field for this particular user using Windows PowerShell. 必须为要撤销其访问权限的每个用户更新 StsRefreshTokenValidFrom 字段。You must update the StsRefreshTokenValidFrom field for each user you want to revoke access for.

若要确保撤销仍然有效,必须将 CRL 的 生效日期 设置为晚于 StsRefreshTokenValidFrom 所设置的值,并确保相关的证书在 CRL 中。To ensure that the revocation persists, you must set the Effective Date of the CRL to a date after the value set by StsRefreshTokenValidFrom and ensure the certificate in question is in the CRL.

以下步骤概述了通过设置 StsRefreshTokenValidFrom 字段更新授权令牌并使其失效的过程。The following steps outline the process for updating and invalidating the authorization token by setting the StsRefreshTokenValidFrom field.

若要配置吊销,请执行以下操作:To configure revocation:

  1. 使用管理员凭据连接到 MSOL 服务:Connect with admin credentials to the MSOL service:
        $msolcred = get-credential
        connect-msolservice -AzureEnvironment AzureChinaCloud -credential $msolcred
  1. 检索用户的当前 StsRefreshTokensValidFrom 值:Retrieve the current StsRefreshTokensValidFrom value for a user:
        $user = Get-MsolUser -UserPrincipalName`
  1. 将用户的新 StsRefreshTokensValidFrom 值配置为等于当前时间戳:Configure a new StsRefreshTokensValidFrom value for the user equal to the current timestamp:
        Set-MsolUser -UserPrincipalName -StsRefreshTokensValidFrom ("03/05/2016")

所设日期必须属于将来。The date you set must be in the future. 如果日期不属于将来,则不会设置 StsRefreshTokensValidFrom 属性。If the date is not in the future, the StsRefreshTokensValidFrom property is not set. 如果日期属于将来,则将 StsRefreshTokensValidFrom 设置为当前时间(而不是由 Set-MsolUser 命令指示的日期)。If the date is in the future, StsRefreshTokensValidFrom is set to the current time (not the date indicated by Set-MsolUser command).

步骤 4:测试配置Step 4: Test your configuration

测试证书Testing your certificate

作为第一个配置测试,应尝试使用 设备上的浏览器 登录 Outlook Web AccessSharePoint OnlineAs a first configuration test, you should try to sign in to Outlook Web Access or SharePoint Online using your on-device browser.

如果登录成功,则可确定:If your sign-in is successful, then you know that:

  • 已为测试设备预配用户证书The user certificate has been provisioned to your test device
  • 已正确配置 AD FSAD FS is configured correctly

测试 Office 移动应用程序Testing Office mobile applications

若要在 Office 移动应用程序上测试基于证书的身份验证,请执行以下操作:To test certificate-based authentication on your mobile Office application:

  1. 在测试设备上,安装 Office 移动应用程序(例如 OneDrive)。On your test device, install an Office mobile application (for example, OneDrive).
  2. 启动应用程序。Launch the application.
  3. 输入用户名,并选择要使用的用户证书。Enter your username, and then select the user certificate you want to use.

应可以成功登录。You should be successfully signed in.

测试 Exchange ActiveSync 客户端应用程序Testing Exchange ActiveSync client applications

若要通过基于证书的身份验证访问 Exchange ActiveSync (EAS),必须为应用程序提供包含客户端证书的 EAS 配置文件。To access Exchange ActiveSync (EAS) via certificate-based authentication, an EAS profile containing the client certificate must be available to the application.

EAS 配置文件必须包含以下信息:The EAS profile must contain the following information:

  • 用于身份验证的用户证书The user certificate to be used for authentication

  • EAS 终结点(例如 EAS endpoint (for example,

若要配置 EAS 配置文件并将其放置在设备上,可以使用移动设备管理 (MDM),例如 Intune,也可以手动将 EAS 配置文件中的证书放置在设备上。An EAS profile can be configured and placed on the device through the utilization of Mobile device management (MDM) such as Intune or by manually placing the certificate in the EAS profile on the device.

在 Android 上测试 EAS 客户端应用程序Testing EAS client applications on Android

若要测试证书身份验证,请执行以下操作:To test certificate authentication:

  1. 在应用程序中配置满足上一部分中要求的 EAS 配置文件。Configure an EAS profile in the application that satisfies the requirements in the prior section.
  2. 打开应用程序,验证邮件是否正在同步。Open the application, and verify that mail is synchronizing.

后续步骤Next steps

有关 Android 设备上基于证书的身份验证的其他信息。Additional information about certificate-based authentication on Android devices.

有关 iOS 设备上基于证书的身份验证的其他信息。Additional information about certificate-based authentication on iOS devices.