EAP-TLS with Entra overview
EAP-TLS with Entra authenticates the person. The certificate names the user, and access follows the user’s group membership in Microsoft Entra ID, resolved on every authentication. Pair it with Microsoft Intune to gate access on device compliance. It is the variant for employees on managed devices, with no passwords on the wire and no per-user accounts to maintain — just Entra groups and certificates.
At a glance
- Credential
- A certificate that names the user (user certificate)
- Identity source
- Microsoft Entra ID group membership
- Compliance
- Optional Microsoft Intune device-compliance check
- Best for
- Employees on MDM-enrolled devices; BYOD gated on compliance
- Self-service
- Central administration
- Status
- Available
How it works
Section titled “How it works”Each user’s device carries a certificate whose subject identifies the person. On authentication, EntryPoint validates the certificate against the context’s trusted CAs, reads the user from the certificate, and confirms the user’s membership of the mapped Microsoft Entra group. If the membership matches, the group’s network policy is returned. Where Device Compliance Check is enabled, EntryPoint additionally asks Entra whether the device is compliant in Intune before accepting.
Because group membership is read from Entra on every authentication, access tracks directory changes without rekeying or re-enrolling devices.
Who it is for
Section titled “Who it is for”Use this variant for employees on MDM-enrolled devices, and for BYOD scenarios where access should depend on both the user’s identity and the device’s compliance state. Access is governed centrally through Entra group membership rather than through self-service.
What it is not
Section titled “What it is not”This variant identifies users. For equipment where the device itself is trusted — unattended or headless gear — use EAP-TLS — Device certificate; for audiences with only passwords, use EAP-PEAP. A single context can run these alongside one another.
Prerequisites
Section titled “Prerequisites”- A Microsoft Entra connection on the context, and Intune where device compliance is required.
- A PKI issuing user certificates, the trusted CAs uploaded, and a CRL endpoint — see Certificates & PKI.
- The network equipment pointed at the context — see RADIUS clients & RadSec.
Where to go next
Section titled “Where to go next”- Entra mapping, user certs & Intune: how groups mirror Entra and how authentication resolves.
- Comparing variants: user certificate versus device certificate.