Microsoft 365 Certificate-Based Authentication
Cohesity supports Certificate-Based Authentication (CBA) when registering Microsoft 365 applications. This feature allows you to authenticate with an X.509 certificate and provides phishing-resistant authentication.
Prerequisites
- For Cohesity to automatically rotate certificates, the applications must be self-owned and assigned the Application.ReadWrite.OwnedBy permission. For more details, see Microsoft Graph permissions reference.
Considerations
- An error may occur during M365 source registration or migration if the certificate selected on the source registration page has not been uploaded to the application in the Azure portal.
- Certificates generated by Cohesity are valid for one year. By default, Cohesity attempts to rotate them 60 days before expiry and displays alerts/warnings 45 days before expiry.
- The certificate display name can be up to 32 characters long, and the maximum permitted validity is 397 days.
- When importing custom certificates, upload the certificate to the app before clicking Register in the UI; otherwise the registration fails.
Migrate Existing Apps to Certificate-Based Authentication
You can migrate your existing apps from app-secret-based authentication to certificate-based authentication (CBA). Once the authentication is changed to CBA, you cannot revert it to app-secret-based authentication. For more information, see Microsoft Entra Certificate-Based Authentication.
To migrate existing apps from app secret-based authentication to certificate-based authentication:
- In Cloud Protection Service, navigate to Sources.
- On the Sources page, click the actions menu next to the required registered Microsoft 365 domain and then click Edit.
- On the Register Microsoft 365 Source page, under the Authentication Options section, click Certificate. You can perform this task using either the express method or the manual method, as follows:
  For the express migration method, do the following:
  - Click Migrate existing apps.
  - In the Migrate Azure Application form, copy the device code and click the Microsoft Azure App link to open the Microsoft Azure App authorization service in a new tab.
  - In the Microsoft Azure App authorization service, paste the copied code and click Next.
  - Log in to Microsoft Azure, enter the Username and Password of your Microsoft 365 account and click Sign in. Ensure that your Microsoft 365 account has global administrator access.
  - Click Continue.
  - Wait for Microsoft Azure Authorization to complete and then click Update.
  With the express migration method, Cohesity automatically:
  - Generates a certificate.
  - Uploads the generated certificate to all the Azure applications used for Microsoft 365 registration.
  - Populates the generated certificate on the Register Microsoft 365 Source page.
  The express migration method generates a single certificate that is mapped to all Azure applications used for Microsoft 365 registration. To use different certificates for individual applications, use the manual migration method.
  For the manual migration method, do the following:
  - In the Azure application section, the App ID is automatically populated. If required, you can enter the App ID of a different Azure app to use for this registration. From the Associated Certificate drop-down list, select the required certificate. Ensure that the associated certificate is uploaded to the Azure app in your Azure portal.
    You can generate certificates within Cohesity and then use them for registration. Alternatively, you can import a certificate into Cohesity and then map it to the required Azure app. For more information on certificates, see Certificates.
  - Click Update.
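Two points above are easy to get wrong when bringing your own certificate: the limits listed under Considerations (397-day maximum validity, 32-character display name, rotation at 60 days and alerts at 45 days before expiry) and the manual method's requirement that the certificate you select is actually uploaded to the Azure app. The following Go program is an added example, not Cohesity's code and not part of this page: it generates a constructed self-signed certificate, checks it against those limits, and compares its thumbprint with a constructed list standing in for the thumbprints shown on the app registration. It assumes that the thumbprint the portal lists is the SHA-1 of the DER certificate in uppercase hex; the function names and the certificate subject are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Limits and thresholds as stated on this page.
const (
	MaxValidityDays  = 397 // maximum permitted certificate validity
	MaxDisplayName   = 32  // maximum display-name length
	RotateBeforeDays = 60  // Cohesity attempts rotation this many days before expiry
	WarnBeforeDays   = 45  // Cohesity raises alerts this many days before expiry
)

// Status is the result of checking one certificate.
type Status struct {
	Thumbprint    string   // uppercase SHA-1 hex of the DER certificate (assumed portal format)
	ValidityDays  int      // NotAfter - NotBefore, in whole days
	DaysRemaining int      // NotAfter - now, in whole days (negative once expired)
	Action        string   // "ok", "rotate", "warn" or "expired"
	Problems      []string // policy violations that would block registration
}

// Thumbprint returns the SHA-1 thumbprint of a certificate as uppercase hex.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// Check evaluates a certificate and its intended display name as of time now.
func Check(cert *x509.Certificate, displayName string, now time.Time) Status {
	st := Status{Thumbprint: Thumbprint(cert)}
	st.ValidityDays = int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	st.DaysRemaining = int(cert.NotAfter.Sub(now).Hours() / 24)
	if st.ValidityDays > MaxValidityDays {
		st.Problems = append(st.Problems, fmt.Sprintf("validity %d days exceeds the %d-day maximum", st.ValidityDays, MaxValidityDays))
	}
	if len(displayName) > MaxDisplayName {
		st.Problems = append(st.Problems, fmt.Sprintf("display name is %d characters, maximum is %d", len(displayName), MaxDisplayName))
	}
	// Rotation is attempted first (60 days out); the alert threshold (45 days) only
	// matters if rotation has not happened by then.
	switch {
	case now.After(cert.NotAfter):
		st.Action = "expired"
	case st.DaysRemaining <= WarnBeforeDays:
		st.Action = "warn"
	case st.DaysRemaining <= RotateBeforeDays:
		st.Action = "rotate"
	default:
		st.Action = "ok"
	}
	return st
}

// UploadedToApp reports whether the certificate's thumbprint appears among the
// thumbprints listed on the app registration; comparison ignores case.
func UploadedToApp(cert *x509.Certificate, appThumbprints []string) bool {
	want := Thumbprint(cert)
	for _, tp := range appThumbprints {
		if strings.EqualFold(tp, want) {
			return true
		}
	}
	return false
}

// NewSelfSigned builds a constructed self-signed certificate valid for the given
// number of days from notBefore (stand-in for a Cohesity-generated or imported cert).
func NewSelfSigned(notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-m365-app"}, // constructed subject
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := NewSelfSigned(issued, 365) // one-year certificate, as Cohesity generates
	if err != nil {
		panic(err)
	}
	st := Check(cert, "m365-backup-2024", issued.AddDate(0, 0, 320)) // 45 days left
	fmt.Printf("thumbprint=%s remaining=%d action=%s problems=%v\n", st.Thumbprint, st.DaysRemaining, st.Action, st.Problems)
	// Constructed thumbprint list standing in for the app's certificate list in the portal.
	fmt.Println("uploaded to app:", UploadedToApp(cert, []string{st.Thumbprint}))
}
```

Run this against a real certificate by replacing NewSelfSigned with x509.ParseCertificate on the DER bytes of the file you intend to import, and paste the thumbprints from the app's Certificates & secrets page into the list; a false from UploadedToApp before you click Register or Update is exactly the condition the Considerations section warns will fail the registration.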