Hi.
I've followed the instructions here and here to configure Azure AD/Office 365 for certificate based authentication for modern authentication apps.
My on-prem CA is two-tier with an offline Root and two Intermediates, and the instructions don't really go into any depth on how to configure this, so what I've done is use the example to create three trusted certificate authorities, one for the root with the AuthorityType set to 0 and two for the intermediates with AuthorityType set to 1 (trial and error FTW).
I've verified that the CRLs are accessible from the Internet for both the root and intermediates, and TrustedIssuer on all three seems to be correct which leads me to believe that the TrustedCertificate is uploaded in the correct format.
I can access on prem web resources using cert auth from my test phone, so the 2012R2 ADFS farm and my client certificate are verified to be working.
In my test scenario for O365 I'm using the browser to access SharePoint Online to minimise the number of possible problem areas. Obviously I've tried the OneDrive app with Azure Authenticator installed as suggested in the blog post, but it doesn't give me any error messages; it just hangs on an empty screen after selecting the X.509 cert, hence the test scenario using the browser. Better feedback.
When trying to access SharePoint I get rerouted to my on-prem ADFS as I should, I get to select the client certificate, I get authenticated by ADFS and rerouted back to O365, but login.microsoftonline.com throws an error message:
AADSTS50017: Cannot find issuing certificate in trusted certificates list.
I've verified that the claim http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer is sent to O365, and that the value of the claim corresponds to the TrustedIssuer field on the intermediate AzureADTrustedCertificateAuthority I've configured.
I'd appreciate any suggestions.
Thanks.
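For anyone reproducing the setup described above (a root plus two intermediates registered as trusted certificate authorities), here is a PowerShell walk-through of the configuration and of the check the post performs by hand: comparing the ADFS issuer claim against the TrustedIssuer values the tenant holds. This is an added example, not the poster's script and not from the linked instructions. It assumes the AzureAD PowerShell module (Connect-AzureAD, New-AzureADTrustedCertificateAuthority, Get-AzureADTrustedCertificateAuthority) and the Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation type; the .cer file paths, the CRL URLs and the sample claim value are placeholders to replace with your own.

```powershell
# Added example: register a two-tier CA chain (offline root + two intermediates)
# as Azure AD trusted certificate authorities, then read back TrustedIssuer so it
# can be compared with the certificatecontext/field/issuer claim ADFS emits.
# Assumes the AzureAD module. Paths and CRL URLs below are placeholders.

Import-Module AzureAD
Connect-AzureAD | Out-Null

# One entry per CA in the chain. The root must be RootAuthority (numeric 0) and
# every issuing CA must be IntermediateAuthority (numeric 1); the enum accepts the names.
$chain = @(
    @{ Path = 'C:\ca\root.cer';   Type = 'RootAuthority';         Crl = 'http://pki.example.com/crl/root.crl'   },
    @{ Path = 'C:\ca\inter1.cer'; Type = 'IntermediateAuthority'; Crl = 'http://pki.example.com/crl/inter1.crl' },
    @{ Path = 'C:\ca\inter2.cer'; Type = 'IntermediateAuthority'; Crl = 'http://pki.example.com/crl/inter2.crl' }
)

function Add-TrustedCaFromFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('RootAuthority', 'IntermediateAuthority')] [string] $Type,
        [Parameter(Mandatory)] [string] $CrlUrl
    )
    # Load the CA certificate so we can upload its raw DER bytes and also print
    # subject/issuer, which is the DN the tenant will later expose as TrustedIssuer.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    Write-Host ("{0,-22} subject: {1}" -f $Type, $cert.Subject)
    Write-Host ("{0,-22} issuer : {1}" -f '',    $cert.Issuer)

    $info = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $info.AuthorityType        = $Type
    $info.TrustedCertificate   = $cert.RawData      # byte[] of the DER-encoded certificate
    $info.crlDistributionPoint = $CrlUrl            # must be reachable from the Internet
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $info | Out-Null
}

function Test-IssuerClaimIsTrusted {
    # Returns $true when the issuer DN string sent by ADFS is exactly one of the
    # TrustedIssuer values in the tenant. Case-sensitive on purpose: a reordered RDN
    # or an extra space is a mismatch from the service's point of view as well.
    param([Parameter(Mandatory)] [string] $IssuerClaim)
    $trusted = Get-AzureADTrustedCertificateAuthority | Select-Object -ExpandProperty TrustedIssuer
    return [bool]($trusted -ccontains $IssuerClaim)
}

foreach ($ca in $chain) {
    Add-TrustedCaFromFile -Path $ca.Path -Type $ca.Type -CrlUrl $ca.Crl
}

# Read back what the tenant now trusts.
Get-AzureADTrustedCertificateAuthority |
    Select-Object AuthorityType, TrustedIssuer, TrustedIssuerSki, crlDistributionPoint |
    Format-Table -AutoSize

# Paste the value of the http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer
# claim (taken from an ADFS token trace) in place of this placeholder.
$claimFromAdfs = 'CN=Example Issuing CA 1, DC=example, DC=com'
if (Test-IssuerClaimIsTrusted -IssuerClaim $claimFromAdfs) {
    Write-Host 'Issuer claim matches a registered TrustedIssuer.'
} else {
    Write-Warning 'Issuer claim does not match any TrustedIssuer; compare the DNs above character by character.'
}
```

The read-back table is the part worth keeping in a runbook: TrustedIssuer is derived from the uploaded certificate, so if the claim ADFS sends and the value shown here differ even slightly, the fix is on the certificate or the claim rule, not on the AuthorityType.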