Back to Blog
IdentityMay 18, 20268 min read

Hybrid Identity and PKI: Syncing On-Premises CA Trust to Azure AD

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

Hybrid Azure AD environments that use on-premises ADCS for certificate issuance must explicitly sync CA trust to Azure AD for certificate-based authentication to work. This article covers the configuration steps, CRL accessibility requirements, and the most common failure modes that break hybrid CBA.

How Azure AD Validates On-Premises Certificates

When a user authenticates to Azure AD with a certificate issued by an on-premises CA, Azure AD must validate the certificate chain against its trusted CA store. Unlike on-premises Kerberos, Azure AD does not have access to your internal PKI infrastructure — it can only validate against CAs you have explicitly uploaded.

Azure AD also performs CRL checking against the CDP URLs embedded in the certificate. These URLs must be publicly accessible (or accessible from Azure AD's validation infrastructure) — internal-only CDP URLs will cause certificate validation to fail.

Uploading CA Certificates to Azure AD

Upload the full certificate chain for each CA that issues certificates used in hybrid CBA. This includes the Root CA certificate and all Intermediate/Issuing CA certificates. The upload must be done via the Azure Portal or Microsoft Graph API — it is not synced automatically by Azure AD Connect.

  • Navigate to Azure Portal → Microsoft Entra ID → Security → Certificate Authorities.
  • Upload Root CA certificate first, then Issuing CA certificates.
  • Set the "Is Root Authority" flag correctly for each certificate.
  • Verify the uploaded chain by checking the "Issuer" field of each certificate matches an uploaded CA.

CRL Accessibility Requirements

Azure AD's certificate validation infrastructure must be able to reach the CDP URLs in your certificates. For on-premises ADCS, this typically means publishing CRLs to a publicly accessible HTTP endpoint — not just an internal LDAP or file share path.

Microsoft publishes the IP ranges used by Azure AD's validation infrastructure in the Azure IP Ranges and Service Tags file. Configure your firewall to allow HTTP access to your CDP endpoint from these ranges.

Why It Matters

Hybrid CBA failures are silent and confusing — users receive generic authentication errors with no indication that the root cause is a missing CA certificate or inaccessible CRL. Getting the PKI trust configuration right before the August 2026 enforcement deadline requires understanding these requirements now.

Recommended Actions
  1. 1Audit your Azure AD Trusted Certificate Authorities store against all on-premises CAs.
  2. 2Verify CDP URLs in your certificates are publicly accessible from Azure AD IP ranges.
  3. 3Test hybrid CBA with a non-privileged test account before relying on it for production authentication.
  4. 4Set up monitoring for CRL publication failures — a stale CRL will break Azure AD certificate validation.
InsecurePlanet Take

Hybrid PKI configuration is one of the most common sources of Azure AD authentication failures we see in assessments. The requirements are well-documented but easy to miss, especially for organizations that set up CBA incrementally over time. Audit the full chain — CA upload, CRL accessibility, and certificate template EKUs — before the August enforcement deadline.

IdentityHybridAzure ADPKI
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon