Managing certificates in Azure Active Directory

With certificates, administrators can transfer their networks to the cloud in a seamless and secure manner.

The migration from Active Directory (AD) to Azure Active Directory (Azure AD) can be challenging, which is why administrators look for ways to make the process easier. Because Azure AD differs from AD, it cannot implement 802.1X authentication in a straightforward manner.


Fortunately, with several low-cost passwordless solutions available, it is possible to migrate smoothly and without headaches. You will need not only the Azure cloud setup but also a PKI and a RADIUS server, since these two are natively integrated into the Azure cloud. Administrators can automatically deploy a certificate to every device using IronWiFi's certificate solutions.

With certificates, administrators can move their networks to the cloud in a seamless and secure manner. Certificates are the most secure way to authenticate with 802.1X. IronWiFi then eliminates the need for credentials, allowing Windows environments to use a passwordless Azure implementation. Cloud-based PKIs are easier to deploy than on-premises PKIs such as AD CS, which are also significantly more expensive.


How to install certificates in Azure AD

Azure customers can deploy certificates with onboarding software for BYODs and with gateway APIs, such as SCEP, for managed devices. Many admins have avoided certificates because provisioning and distributing them to every device seemed too difficult. That is only true when devices are configured for certificates by hand. Using gateway APIs and onboarding software, IT administrators can enroll certificates automatically, easing their workload.

A Public Key Infrastructure (PKI) is needed in order to deploy certificates. Azure customers may assume that Microsoft's AD CS lets them create an on-premises PKI without trouble. However, on-premises PKIs are labor-intensive, expensive, and slow to set up. The costs of implementing one include hardware and software, licensing fees, infrastructure, replacement and more. Additionally, an on-premises AD CS PKI requires a team of professionals to manage it, forcing Azure enterprises to train their IT departments or hire new staff.

With a managed PKI service, you do not have to worry about any of these things. A managed PKI service can be configured within hours, has zero infrastructure costs because everything runs in the cloud, and costs a fraction of what an on-premises PKI does. A large team of experts is not needed; a business only requires one part-time PKI manager. One of the benefits of IronWiFi's cloud PKI solution is that it is an all-in-one solution that does not require forklift upgrades to implement.




Azure Active Directory Certificates


It is easier to configure and manage certificate templates with IronWiFi, as our GUI is simpler than that of AD CS. Default certificates are not duplicated, and there are fewer steps involved. Create network groups based on network access and security permissions, then configure a template for each group to tighten security.


RADIUS servers have access to the certificate revocation list (CRL), which lists all revoked certificates. Admins can download this list periodically via IronWiFi so the RADIUS server stays up to date. The network administrator can easily revoke a certificate, put the device's information on the list, and deny it access to the internet even if the device is stolen and the certificate compromised. As a first-in-industry technology, IronWiFi's Dynamic RADIUS can talk to your IdP to change policies for users as your needs change, without revoking or re-issuing certificates, increasing your network's security.


Azure AD administrators can use IronWiFi to build a SCEP gateway for certificate enrollment and policy configuration. With a SCEP gateway, managed devices enroll for certificates on their own, so administrators no longer have to configure every device by hand or leave the job to the end user.


Azure Active Directory is the "Connector" that connects your on-premises Active Directory (using LDAP) with Azure. Because Active Directory does not have to be eliminated, you can continue to support LDAP authentication for your existing applications (such as Wi-Fi and VPN). Many RADIUS servers support Identity Lookup when communicating with AD over LDAP.

However, we have seen in the field a common desire to perform real-time policy enforcement (similar to Identity Lookup) on an all-cloud infrastructure. Historically, Identity Lookup could not be implemented with CloudRADIUS servers, but today it works much better. IronWiFi gives you all the benefits of the LDAP protocol with CloudRADIUS (real-time policy enforcement, Wi-Fi and VPN authentication support) while requiring only an Azure directory, allowing you to reduce costs and get rid of your on-premises servers.


Using Azure AD with CloudRADIUS and IronWiFi

Consider IronWiFi's CloudRADIUS instead of trying to deploy an on-premises PKI, because it already comes with a managed cloud PKI and authenticates with EAP-TLS. Configuring every device manually is tedious for the IT department and risky if left to the user. Instead, use IronWiFi's software to set up auto-enrollment for BYODs and managed devices and simplify device onboarding.

Rather than spending hundreds of thousands on an on-premise PKI, you can quickly and easily integrate IronWiFi managed Cloud PKI and CloudRADIUS.


