Skip to content
EAP-TLS with Entra

EAP-TLS with Entra overview

EAP-TLS with Entra authenticates the person. The certificate names the user, and access follows the user’s group membership in Microsoft Entra ID, resolved on every authentication. Pair it with Microsoft Intune to gate access on device compliance. It is the variant for employees on managed devices, with no passwords on the wire and no per-user accounts to maintain — just Entra groups and certificates.

At a glance

Credential
A certificate that names the user (user certificate)
Identity source
Microsoft Entra ID group membership
Compliance
Optional Microsoft Intune device-compliance check
Best for
Employees on MDM-enrolled devices; BYOD gated on compliance
Self-service
Central administration
Status
Available

Each user’s device carries a certificate whose subject identifies the person. On authentication, EntryPoint validates the certificate against the context’s trusted CAs, reads the user from the certificate, and confirms the user’s membership of the mapped Microsoft Entra group. If the membership matches, the group’s network policy is returned. Where Device Compliance Check is enabled, EntryPoint additionally asks Entra whether the device is compliant in Intune before accepting.

Because group membership is read from Entra on every authentication, access tracks directory changes without rekeying or re-enrolling devices.

Use this variant for employees on MDM-enrolled devices, and for BYOD scenarios where access should depend on both the user’s identity and the device’s compliance state. Access is governed centrally through Entra group membership rather than through self-service.

This variant identifies users. For equipment where the device itself is trusted — unattended or headless gear — use EAP-TLS — Device certificate; for audiences with only passwords, use EAP-PEAP. A single context can run these alongside one another.

Next