Microsoft 365 Certificate-Based Authentication

6 February 2026

Cohesity supports Certificate-Based Authentication (CBA) when registering Microsoft 365 applications. This feature allows you to authenticate with an X.509 certificate and provides phishing-resistant authentication.

This is a Controlled Availability feature. Contact your Cohesity account team to enable the feature.

Prerequisites

  • For Cohesity to automatically rotate certificates, the applications must be self‑owned and assigned the Application.ReadWrite.OwnedBy permission. For more details, see Microsoft Graph permissions reference.

Considerations

  • An error may occur if you select a certificate that has not been uploaded to the app in Azure.

  • Certificates generated by Cohesity are valid for one year. By default, Cohesity attempts to rotate the certificates 60 days before they expire and displays alerts/warnings 45 days before they expire.

  • When importing custom certificates, upload the certificates to the app before clicking Register in the UI. Otherwise, the registration fails.

  • When migrating apps to CBA using manual registration, the following error may occur: "Insufficient privileges to complete the operation". Ensure that the app being migrated includes the Application.ReadWrite.OwnedBy permission. The app being migrated must be an owner of itself.

  • The certificate display name can be up to 32 characters long, and the maximum permitted validity is 397 days.
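A pre-registration check for a custom certificate, covering the display-name and validity limits and the upload requirement listed above. This is an added example, not Cohesity or Microsoft code: `validity`, `preflight` and `sample_cert` are hypothetical names, the thumbprint list is assumed to be copied from the app registration in Azure, and the sample certificate is a constructed, unsigned skeleton.

```python
import hashlib
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=397)  # maximum validity stated on this page

def _tlv(buf, pos):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):  # tag 0x17 is UTCTime, anything else is read as GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) read from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)        # Certificate
    _, tbs, _ = _tlv(cert, 0)        # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)       # [0] version, or serialNumber if version is absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)   # serialNumber
    _, _, pos = _tlv(tbs, pos)       # signature algorithm
    _, _, pos = _tlv(tbs, pos)       # issuer
    _, val, _ = _tlv(tbs, pos)       # validity
    t1, v1, nxt = _tlv(val, 0)
    t2, v2, _ = _tlv(val, nxt)
    return _time(t1, v1), _time(t2, v2)

def preflight(der, display_name, app_thumbprints):
    """Return (thumbprint, problems) for a certificate about to be registered."""
    not_before, not_after = validity(der)
    # Assumption: Azure identifies an uploaded certificate by the SHA-1 of its DER bytes
    thumb = hashlib.sha1(der).hexdigest().upper()
    problems = []
    if len(display_name) > 32:
        problems.append("display name longer than 32 characters")
    if not_after - not_before > MAX_VALIDITY:
        problems.append("validity longer than 397 days")
    if thumb not in {t.replace(" ", "").upper() for t in app_thumbprints}:
        problems.append("thumbprint not among the certificates uploaded to the app")
    return thumb, problems

def sample_cert(not_before, not_after):  # constructed, unsigned skeleton for the demo
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER only
    times = enc(0x17, not_before) + enc(0x17, not_after)
    tbs = enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"") * 2 + enc(0x30, times)
    return enc(0x30, enc(0x30, tbs))
```

For a real PEM file, pass `ssl.PEM_cert_to_DER_cert(pem_text)` as `der`.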

Migrate Existing Apps to Certificate-Based Authentication

This is a Controlled Availability feature. Contact your Cohesity account team to enable the feature.

You can migrate your existing apps from app-secret-based authentication to certificate-based authentication (CBA). Once the authentication is changed to CBA, you cannot revert it to app-secret-based authentication. For more information, see Microsoft Entra Certificate-Based Authentication.

  1. In Cloud Protection Service, navigate to Sources.

  2. On the Sources page, click the actions menu next to the required registered Microsoft 365 domain and then click Edit.

  3. On the Register Microsoft 365 Source page, under the Authentication Options section, click Certificate.
    You can use either the express or the manual method.

  4. For the express method, do the following:

    1. Click Migrate existing apps.

    2. In the Add Azure Application form, copy the device code and click the Microsoft Azure App link to open the Microsoft Azure App authorization service in a new tab.

    3. In the Microsoft Azure App authorization service, paste the copied code and click Next.

    4. Log in to Microsoft Azure, enter the Username and Password of your Microsoft 365 account and click Sign in.

      Ensure that your Microsoft 365 account has global administrator access.

    5. Click Continue.

    6. Wait for Microsoft Azure Authorization to complete and then click Update.
      With this method, Cohesity automatically creates an Azure app, generates a certificate, uploads the certificate to the Azure app, and assigns that Azure app to your registration.

  5. For the manual method, do the following:

    1. In the Azure application section, the App ID is automatically populated. If required, you can enter the App ID of a different Azure app to use for this registration. From the Associated Certificate drop-down list, select the required certificate.

      Ensure that the associated certificate is uploaded to the Azure app in your Azure portal.

      You can generate certificates within Cohesity and then use them for registration. Alternatively, you can import a certificate into Cohesity and then map it to the required Azure app. For more information on certificates, see Certificates.

    2. Click Update.