Microsoft 365 Certificate Based Authentication
Cohesity supports Certificate-Based Authentication (CBA) when registering Microsoft 365 applications. With this feature, the registered application authenticates with an X.509 certificate validated against a Public Key Infrastructure (PKI) instead of a shared secret, which provides phishing-resistant authentication.
This is a Controlled Availability feature. Contact your Cohesity account team to enable the feature.
Prerequisites
- Ensure that you create a certificate via API and upload it to Azure. Contact your Cohesity account team to generate and download certificates via API.
- Registering Microsoft 365 applications using Certificate-Based Authentication (CBA) requires additional permissions. To upload certificates to Azure, the apps require self-ownership. The Application.ReadWrite.OwnedBy permission is required for an app to set itself as an owner. For more details, see Microsoft Graph permissions reference.
Considerations
- An error may occur if you select a certificate that has not been uploaded to the app in Azure.
- Certificates generated by Cohesity expire after one year. By default, Cohesity attempts to rotate the certificates 60 days before expiry and displays alerts/warnings 45 days before expiry. These timelines are configurable.
- When importing custom certificates, the certificates must be uploaded to the app (via express or manual registration) before you click Register in the UI; otherwise the registration fails.
- When migrating apps to CBA using manual registration, the following error may occur: "Insufficient privileges to complete the operation". Ensure that the app being migrated includes the OwnedBy permission. The app being migrated must be an owner of itself.
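The three considerations above (a certificate that is not yet uploaded to the app, the expiry and rotation windows, and the app needing to own itself) can all be checked before you click Register. The following PowerShell script is an added example, not Cohesity's own tooling or part of this procedure. It assumes the Microsoft.Graph PowerShell SDK is installed and that you have already run Connect-MgGraph with at least the Application.Read.All scope; the $AppObjectId and $ExpectedThumbprint values are placeholders for your own app registration's object ID and the SHA-1 thumbprint of the certificate you uploaded to it. The 60-day and 45-day defaults are the Cohesity timelines stated above.

```powershell
# Added example (not Cohesity's code): pre-flight checks for a Microsoft 365 app
# before registering it with Certificate-Based Authentication.
# Assumes: Microsoft.Graph PowerShell SDK installed and Connect-MgGraph already
# run with the Application.Read.All scope. Both mandatory parameters are
# placeholders you supply for your own tenant.
param(
    [Parameter(Mandatory)] [string] $AppObjectId,        # object ID of the app registration
    [Parameter(Mandatory)] [string] $ExpectedThumbprint, # SHA-1 thumbprint of the uploaded certificate
    [int] $RotateDays = 60,   # Cohesity default: rotation attempted this many days before expiry
    [int] $AlertDays  = 45    # Cohesity default: warnings shown this many days before expiry
)

$app    = Get-MgApplication -ApplicationId $AppObjectId
$sp     = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$owners = Get-MgApplicationOwner -ApplicationId $AppObjectId

# 1. Self-ownership: the app's own service principal must be listed among its owners.
#    Without it, uploading a certificate to itself fails with "Insufficient privileges".
if ($sp -and ($owners.Id -contains $sp.Id)) {
    Write-Host "OK      app '$($app.DisplayName)' is an owner of itself"
} else {
    Write-Warning "app '$($app.DisplayName)' is NOT an owner of itself; grant Application.ReadWrite.OwnedBy and add the owner before migrating"
}

# 2. Certificate presence: the thumbprint you intend to select in the UI must already
#    be a keyCredential on the app, or Register fails.
$wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$match  = $app.KeyCredentials | Where-Object {
    ([System.BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', '') -eq $wanted
}
if ($match) {
    Write-Host "OK      certificate $wanted is uploaded to the app"
} else {
    Write-Warning "certificate $wanted is not uploaded to the app; upload it before clicking Register"
}

# 3. Expiry: classify every uploaded certificate against the rotation and alert windows.
$now = (Get-Date).ToUniversalTime()
foreach ($kc in $app.KeyCredentials) {
    if (-not $kc.EndDateTime) { continue }   # skip credentials without a validity end
    $thumb    = [System.BitConverter]::ToString($kc.CustomKeyIdentifier) -replace '-', ''
    $daysLeft = [int][math]::Floor(($kc.EndDateTime.ToUniversalTime() - $now).TotalDays)
    # ALERT is checked first because the alert window (45 days) lies inside the rotation window (60 days)
    $state = if ($daysLeft -lt 0)              { 'EXPIRED' }
             elseif ($daysLeft -le $AlertDays)  { 'ALERT'   }
             elseif ($daysLeft -le $RotateDays) { 'ROTATE'  }
             else                               { 'OK'      }
    Write-Host ("{0,-8} {1} expires {2:u} ({3} days left)" -f $state, $thumb, $kc.EndDateTime, $daysLeft)
}
```

Run the script once per Azure app you plan to register or migrate; an app that reports ROTATE or ALERT is one whose certificate Cohesity would already be trying to rotate or warn about under the default timelines, and an app that fails the ownership check will hit the "Insufficient privileges" error described above.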
Create Cohesity Managed Certificate
To create a Cohesity managed certificate:
- Navigate to Sources and select Register > Microsoft 365.
- Choose the Microsoft 365 Applications to discover.
- In the Account Credentials section, enter the Microsoft 365 Username and Password.
- Select the Authentication Option as Certificate to authenticate applications using Microsoft Entra Certificate-Based Authentication (CBA). For more information, see Microsoft Entra Certificate-Based Authentication.
- Enter the number of Azure applications you want to create based on your requirements and click Create.
  By default, one Azure application will be created. To better manage Microsoft 365 throttling, Cohesity recommends at least two Azure apps.
- In the Add Azure Application form, copy the device code and click the Microsoft Azure App link to open the Microsoft Azure App authorization service in a new tab.
  If you prefer to create your Azure apps manually, see Manual Registration for Microsoft 365 Sources.
- Paste the copied code in the Microsoft Azure App authorization service and click Next.
- Log in to Microsoft Azure, enter the Username and Password of your Microsoft 365 account and click Sign in.
  Ensure that your Microsoft 365 account has global administrator access.
- Follow the instructions to complete the authorization on the Microsoft Azure portal. Then, wait for Microsoft Azure Authorization to complete. During this process, the Cohesity managed certificates will be created and then the Azure apps will be created.
- Once completed, the App IDs and the Associated Certificates will be listed in the Azure Applications section.
- Click Register.
  The certificates created will be available in the Certificate Store.
Contact your Cohesity account team to generate and download certificates via API.
Migrate Existing Apps to Certificate-Based Authentication
To migrate your existing apps from App Secret-based authentication to Certificate-based authentication:
- Navigate to Sources and select Register > Microsoft 365.
- Choose the Microsoft 365 Applications to discover.
- In the Account Credentials section, enter the Microsoft 365 Username and Password.
- Adding multiple Microsoft 365 service accounts in the Additional Service Accounts section requires OAuth to be disabled. Because Microsoft enables OAuth by default, skip adding multiple Microsoft 365 service accounts.
- Select the Authentication Option as Certificate to authenticate applications using Microsoft Entra Certificate-Based Authentication (CBA). For more information, see Microsoft Entra Certificate-Based Authentication.
- Enter the number of Azure applications you want to create based on your requirements and click Create.
  By default, two Azure applications will be created. To better manage Microsoft 365 throttling, Cohesity recommends at least two Azure apps.
- Click Migrate Existing Apps. You can also attach certificates directly to your Azure app in the Azure portal, but this can take much longer.
- In the Register Microsoft 365 Source page, copy the device code and click the Microsoft Azure App link to open the Microsoft Azure App authorization service in a new tab.
- Paste the copied code in the Microsoft Azure App authorization service and click Next.
- Log in to Microsoft Azure, enter the Username and Password of your Microsoft 365 account and click Sign in.
  Ensure that your Microsoft 365 account has global administrator access.
- Follow the instructions to complete the authorization on the Microsoft Azure portal. Then, wait for Microsoft Azure Authorization to complete. During this process, the Cohesity managed certificates will be created and then the Azure apps will be created.
- Once completed, the App IDs and the Associated Certificates will be listed in the Azure Applications section.
- Click Register.
  The source authentication method will be migrated from App Secret-based to Certificate-based authentication.
For more information on certificates, see Certificates.