Azure Certificate Based Authentication for Citrix FAS Breaks Windows Hello PIN Provisioning Process

I have Citrix FAS implemented at some of my clients that are using Azure Authentication with Citrix Cloud. Because Citrix Cloud never receives the user's password with a federated (Azure) sign-in, FAS provides SSO to virtual desktops and published apps by issuing a user certificate from the enterprise CA and presenting it to the VDA for authentication. It works pretty well, except when you are trying to do SSO within a virtual desktop to Microsoft 365 apps. Azure does not trust the certificate that FAS issued, so the session never obtains a Primary Refresh Token (PRT) and there is no SSO to Microsoft 365.

Microsoft’s Azure Certificate Based Authentication (CBA) is the answer to that. When you enable it you upload a copy of your root and any intermediate CA certificates, so Azure now trusts certificates chained to them; CBA then maps the certificate to a user account (by default through the UPN in the certificate’s Subject Alternative Name) and is scoped to users or groups in the authentication methods policy. FAS SSO problem solved.
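Publishing the CA chain to Azure is the step described above. The following is an added example (not from the original post) of doing it with the Microsoft Graph PowerShell SDK instead of the portal. The file paths, CRL URLs and the assumption that the CA certificates were exported as DER-encoded .cer files are placeholders; the cmdlet names and request body shape are those of the Graph SDK as I know them, so confirm them against the Microsoft Learn CBA page linked at the end of the post before running this in a tenant.

```powershell
# Added example (not from the original post): publish the root and issuing CA that sign
# the FAS user certificates to Entra ID certificate-based authentication using the
# Microsoft Graph PowerShell SDK. Paths and CRL URLs below are placeholders.
Connect-MgGraph -Scopes "Organization.ReadWrite.All"

$orgId = (Get-MgOrganization).Id

# CA certificates exported from the CA as DER-encoded .cer files, root first
$caFiles = @(
    @{ Path = "C:\PKI\contoso-root.cer";    IsRoot = $true;  Crl = "http://crl.contoso.com/contoso-root.crl" },
    @{ Path = "C:\PKI\contoso-issuing.cer"; IsRoot = $false; Crl = "http://crl.contoso.com/contoso-issuing.crl" }
)

$authorities = foreach ($ca in $caFiles) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ca.Path)

    # Fail early if someone exported a leaf certificate instead of a CA certificate
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        throw "$($ca.Path) is not a CA certificate (no CA basic constraint)"
    }

    @{
        isRootAuthority              = $ca.IsRoot
        certificate                  = $cert.RawData   # DER bytes; Graph stores them base64-encoded
        certificateRevocationListUrl = $ca.Crl         # must be reachable by Entra over HTTP for revocation checks
    }
}

# The CBA configuration is one object that carries the whole trust list
New-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $orgId -BodyParameter @{
    certificateAuthorities = @($authorities)
}

# Confirm what Entra now trusts
Get-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $orgId |
    Select-Object -ExpandProperty CertificateAuthorities |
    Format-Table Issuer, IsRootAuthority, CertificateRevocationListUrl -AutoSize
```

Trusting the chain is only half of the setup: the FAS-issued user certificate still has to carry the user's UPN in its Subject Alternative Name (the default username binding), and CBA has to be enabled and targeted at the users in the X509Certificate authentication method policy. That policy scoping is the part that matters for the rest of this post.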

Of course, every solution seems to have another problem! I work in an environment where all computers are Intune Autopilot provisioned with Windows Hello setup required. When the user goes through the Windows Hello setup wizard it requires MFA in order to create the PIN. Normally, if the user does not have MFA set up, it walks them through choosing and setting up an MFA method. When the user is in a group targeted by the Certificate Based Authentication policy, the Windows Hello provisioning process prompts them to sign in but offers only the certificate option:

[Screenshot: prompt for authentication]

Microsoft warns about this in their Certificate Based Authentication documentation:

[Screenshot: Microsoft CBA warning]

Curious if anyone else has run into this. Right now, the only solution I can think of is to remove the user from the group that enables CBA temporarily while they set up their new device. Got an idea? Let me know.

For additional information:

Citrix FAS: Federated Authentication Service 2305 | Federated Authentication Service (citrix.com)

Microsoft CBA: How to configure Azure AD certificate-based authentication – Microsoft Entra | Microsoft Learn


Comments

2 responses to “Azure Certificate Based Authentication for Citrix FAS Breaks Windows Hello PIN Provisioning Process”

    Dima

    Hi,
    I have exactly the same problem with CBA & FAS and Windows Hello. Do you have a solution or an idea?

    Thanks
    Dim

    1. Cathy Leik

      Hi Dim,
      So far the only way I’ve seen to get around it is to temporarily disable Certificate Based Authentication for the user. They can be added as an exclusion and then, once they are set up with Windows Hello, re-enabled.
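The workaround described in the post and in the reply above (temporarily take the user out of CBA scope while they enrol Windows Hello) is easy to forget to undo. The following is an added example, not part of the original post or the comment thread, that scripts it with the Microsoft Graph PowerShell SDK: it adds the user to an exclusion group, waits for a Windows Hello for Business key to register on the account, then removes the exclusion again. The group name, UPN, polling interval and timeout are placeholders, and it assumes the X509Certificate authentication method policy already lists that group under its excluded targets.

```powershell
# Added example (not from the original post): temporarily exclude one user from Entra CBA
# while they set up Windows Hello, then put them back in scope. Assumes the Microsoft.Graph
# PowerShell SDK and that the X509Certificate policy excludes the group named below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "UserAuthenticationMethod.Read.All", "User.Read.All"

$upn              = "jane.doe@contoso.com"   # user being provisioned (placeholder)
$excludeGroupName = "CBA-Exclude-Temp"       # group referenced by the policy's excludeTargets (placeholder)
$pollSeconds      = 120
$deadline         = (Get-Date).AddHours(4)   # bounded wait so the exclusion cannot linger forever

$user  = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
$group = Get-MgGroup -Filter "displayName eq '$excludeGroupName'"
if (-not $group) { throw "Exclusion group '$excludeGroupName' not found" }

function Test-WhfbRegistered {
    param([string]$UserId)
    # The key created by the Windows Hello wizard appears on the account as an authentication method
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId
    return [bool]($methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
    })
}

if (Test-WhfbRegistered -UserId $user.Id) {
    Write-Host "$upn already has a Windows Hello for Business key registered; nothing to do."
    return
}

# Step 1: exclude the user so the Hello wizard offers the normal MFA methods instead of only a certificate
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
Write-Host "Added $upn to $excludeGroupName. Have the user run the Windows Hello setup now."

# Step 2: wait for the Hello key to show up, then remove the exclusion
do {
    Start-Sleep -Seconds $pollSeconds
    $done = Test-WhfbRegistered -UserId $user.Id
} until ($done -or (Get-Date) -gt $deadline)

if ($done) {
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Windows Hello for Business registered; removed $upn from $excludeGroupName."
} else {
    Write-Warning "Timed out. $upn is still excluded from CBA; remove them from $excludeGroupName manually."
}
```

Group membership changes take a few minutes to reach policy evaluation, so tell the user to wait before starting the wizard, and check the exclusion group periodically for members the script never removed (a timeout leaves the user excluded, and an excluded user signs in without CBA for as long as they stay in that group).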