Creating Policy with Ms. ADCS Requirement

This access policy is almost the same as the policy access with device certificate in here. It also leverages the functionality of verifying device certificate before accessing application/s but with one exception it requires certificate that only generated by Microsoft Active Directory Certificate Service (MS-ADCS). In other words, basically this is an added layer of verification which not any other generic device certification will do.

To enable this policy, you need to have admin user to create policy, please check these KB down below about Admin access:


  1. login to
  2. Go to Settings tab> ZTNA
  3. In Policies, click on New Policy button
  4. Once clicked, it will expand all the option for policy that can be use for application authorization
  5. You need to input the policy name because it's mandatory and must be unique to other policy
  6. Next, for this policy to working properly you need to toggle "Required device certificate" option and also toggle the "Require MS-ADCS Certificate Template OID"
  7. You need to add the MS-ADCS Certificate Template OID with the correct OID value based on your deployed ADCS. More information about MS-ADCS, please refer to official Microsoft KB in here
  8. As for the users groups, applications, categories, and configuration fill/choose with what you want to be mapped. Then click "Save"
  9. It will give you success notification when the policy has been added


To test the policy is successfully implemented or not, you need to ensure these things:

  • User that already created by admin, please refer to here
  • User already enrolled the MFA and can login properly, please refer to here
  • Admin already input the trusted certificate in the configuration, please refer to here
  • Adding your client certificate in your devices
    • Windows, refer to here
    • MacOS, refer to here
    • Linux (Ubuntu), refer to here
  • Your favorite web browser to open User Portal

Once you login to user portal, then you will shown all the application that your user could access

Click on the application that already mapped with device certificate access policy

Then the new browser tab will be open, and asked you which device certificate to use to open the application

If it's correct, then you can access your application normally

If not, then you will get this unauthorized error message on the web page