Key Points
- JoinNow Cloud RADIUS connects natively to Entra ID, removing the need for on-premises NPS servers or Active Directory synchronization
- Real-time identity lookup checks user and device status against your IdP on every authentication, not just at enrollment
- Certificate posture enforcement through integrations with Defender and CrowdStrike can suspend certificates when device trust degrades
Watch the full explainer video: 802.1X and Azure AD: WiFi Authentication with Entra ID + SecureW2
802.1X authentication is the standard for securing enterprise Wi-Fi and wired networks. But for organizations running Microsoft Entra ID (formerly Azure AD) as their identity provider, the traditional 802.1X stack of on-premises NPS, Active Directory and AD CS creates a gap between where identities live (the cloud) and where authentication happens (a server in your data center).
That gap introduces complexity, latency and blind spots. This article covers what changes when you move RADIUS and PKI to the cloud and connect them directly to Entra ID. We’ll also explain why real-time identity lookup during authentication matters more than most organizations realize.
What Is 802.1X Authentication?
802.1X is an IEEE standard for port-based network access control (PNAC) that requires devices to verify identity at the network edge before granting access to LAN or WLAN resources. The standard defines how devices authenticate before gaining access to a wired or wireless network. Three components make up every 802.1X transaction:
- Supplicant: The device requesting access (laptop, phone, IoT device)
- Authenticator: The network hardware enforcing access (wireless access point, switch)
- Authentication server: The RADIUS server that validates credentials and returns an access decision
The supplicant presents credentials, either a username/password or a digital certificate, inside an EAP conversation. The authenticator does not interpret that conversation; it relays the EAP messages to the RADIUS server (encapsulated in RADIUS Access-Request packets) and holds the port closed until the server answers. The RADIUS server checks the credentials against an identity source and returns Access-Accept or Access-Reject, optionally with attributes such as a VLAN assignment that the authenticator then enforces.
The security of the entire chain depends on two things: how strong the credentials are, and how much the RADIUS server knows about the user and device at the moment of authentication.
EAP Methods: How 802.1X Validates Identity
802.1X uses the Extensible Authentication Protocol (EAP) to define how credentials are exchanged. The EAP method you choose determines both the security posture and operational burden of your deployment.
| EAP Method | Authentication Factor | Credential Risk | Best for |
| EAP-TLS | X.509 certificate (mutual TLS) | Low – no shared secret; the private key never leaves the device, so the residual risk is key or certificate theft | Organizations ready for certificate-based auth |
| PEAP-MSCHAPv2 | Username/password (NTLM hash) | Vulnerable to offline cracking, phishing and evil-twin capture when supplicants do not validate the server certificate | Legacy environments, quick deployments |
| EAP-TTLS/PAP | Username/password (plaintext inside tunnel) | Depends on tunnel integrity | Cloud IdPs that do not support MSCHAPv2 |
| EAP-FAST | Username/password or certificate | Moderate – PAC provisioning adds complexity | Cisco-heavy environments |
EAP-TLS is the strongest option for Entra ID environments because it removes passwords from the authentication flow entirely. The device proves possession of its private key in a TLS handshake, the RADIUS server validates the certificate chain against a trusted certificate authority (and checks revocation), and the server presents its own certificate in return. No password or reusable secret crosses the wire. The supplicant must still be configured to validate the server certificate and expected server name; otherwise a rogue access point can at least hijack the connection even though it cannot forge the client's identity.
The Problem With On-Premises 802.1X for Entra ID Environments
Most organizations that adopted Entra ID did so to move identity management to the cloud. But 802.1X authentication still depends on on-prem infrastructure in many of those environments.
Microsoft Network Policy Server (NPS), the most common Windows RADIUS server, was designed to authenticate against Active Directory. It does not talk to Entra ID natively. To bridge that gap, organizations resort to workarounds:
- Azure AD Connect/AD sync: Keep an on-prem AD instance as the source of truth and sync identities up to Entra ID, so NPS can continue to read AD locally.
- LDAP proxies: Stand up an LDAP interface that translates Entra ID data into a format NPS can consume. Another server to maintain, monitor and patch.
- PEAP-MSCHAPv2 with passwords: Use password-based 802.1X protocols because they are easier to configure with legacy RADIUS. This leaves Wi-Fi authentication vulnerable to credential theft and phishing, and to evil-twin access points that capture the MSCHAPv2 exchange for offline cracking whenever a supplicant is not pinned to the legitimate server certificate.
Each workaround adds infrastructure, attack surface and ongoing maintenance. And none of them solves the core issue: NPS has no awareness of Entra ID identity context at authentication time.
How Cloud RADIUS Changes 802.1X Authentication
A cloud-native RADIUS service eliminates the on-prem stack and connects directly to Entra ID. No need for NPS, AD Connect or LDAP proxy. The RADIUS server talks to Entra ID the same way your other cloud applications do.
Here is how the authentication flow works when you pair JoinNow Cloud RADIUS with JoinNow Dynamic PKI:
- Certificate enrollment: A managed device receives a digital certificate through Intune using the third-party CA SCEP integration. During issuance, the device is validated against Intune, confirming it is managed and compliant before the certificate is granted.
- Wi-Fi connection: The device connects to the 802.1X network and presents its certificate to the access point.
- RADIUS authentication: The access point forwards the certificate to Cloud RADIUS.
- Real-time identity lookup: Cloud RADIUS reads the attributes embedded in the certificate, such as user email, device ID and group membership, and then queries Entra ID directly to verify the user’s current status. Is the account active? Is the device still compliant? Has anything changed since enrollment?
- Access decision: Based on the real-time lookup, Cloud RADIUS returns an accept or reject decision to the access point, along with any dynamic VLAN or policy assignments.
Real-Time Identity Lookup on Every Authentication
Traditional RADIUS servers validate the credential presented at authentication time. If the credential is valid, meaning the password is correct or the certificate chains to a trusted CA and is neither expired nor revoked, access is granted. Nothing beyond the credential and the local directory account it maps to is consulted: device compliance and cloud-side identity state are invisible, and a change that happens between two authentications is not noticed until the credential itself expires or is revoked.
Cloud RADIUS with real-time identity lookup changes that model. On every authentication event, the RADIUS server checks the identity provider to answer questions that static credential validation cannot:
- Is the user still active? If an employee was terminated an hour ago and their Entra ID account is disabled, Cloud RADIUS denies the next authentication attempt, even if the certificate on the device is technically still valid.
- Is the device still compliant? If Intune marks a device as non-compliant (missing patches, jailbroken, encryption disabled), Cloud RADIUS can see that status and restrict access.
- Has group membership changed? If a user moved from the engineering department to a contractor role, Cloud RADIUS can dynamically assign the appropriate VLAN or access policy based on current Entra ID group membership.
This is the difference between checking a credential and checking an identity. Credentials are static artifacts. Identity is a live signal.
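The decision logic described in this section, written out as an added example. This is not SecureW2 code and it does not call the Entra ID or Intune APIs: the certificate attributes, the IdP user records and the MDM device records are constructed inline, and the names `decide`, `CertIdentity`, `IdpUser` and `MdmDevice` are illustrative. It shows the order of checks a RADIUS server performing real-time lookup would make: static certificate validity first, then live account state, then live device compliance, and finally a VLAN derived from current group membership rather than from anything baked into the certificate.

```python
"""Access decision for certificate-based 802.1X with real-time identity lookup.

Added example modelled on the flow described in the article; not vendor code.
All identity, device and certificate data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RADIUS attributes for dynamic VLAN assignment (RFC 2868 / RFC 3580):
# Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6), Tunnel-Private-Group-ID=<vlan>.
GROUP_VLANS = {"Engineering": "10", "Finance": "20", "Contractors": "30"}
QUARANTINE_VLAN = "99"  # managed but non-compliant devices land here


@dataclass(frozen=True)
class CertIdentity:
    upn: str            # from the SAN (UPN or rfc822Name), bound by the issuing CA
    device_id: str      # MDM device ID embedded at enrollment
    serial: str
    not_after: datetime


@dataclass(frozen=True)
class IdpUser:          # what the IdP returns for the user right now
    account_enabled: bool
    groups: tuple


@dataclass(frozen=True)
class MdmDevice:        # what the MDM returns for the device right now
    managed: bool
    compliant: bool


def reject(reason):
    return {"code": "Access-Reject", "reason": reason}


def accept(vlan, reason):
    return {"code": "Access-Accept", "reason": reason,
            "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan}


def decide(cert, idp_users, mdm_devices, revoked_serials, now):
    """Static credential checks first, then the per-authentication identity lookup."""
    # 1. What a traditional RADIUS server checks: validity period and revocation.
    if cert.not_after <= now:
        return reject("certificate expired")
    if cert.serial in revoked_serials:
        return reject("certificate revoked")

    # 2. Live user state, keyed on the identity the CA bound into the certificate.
    user = idp_users.get(cert.upn)
    if user is None:
        return reject("user not found in IdP")
    if not user.account_enabled:
        return reject("account disabled")  # denied even though the cert is still valid

    # 3. Live device state from the MDM.
    device = mdm_devices.get(cert.device_id)
    if device is None or not device.managed:
        return reject("device not managed")
    if not device.compliant:
        return accept(QUARANTINE_VLAN, "device non-compliant; restricted VLAN")

    # 4. Authorization from current group membership, not from the certificate.
    for group in user.groups:
        if group in GROUP_VLANS:
            return accept(GROUP_VLANS[group], f"group {group}")
    return reject("no group maps to a VLAN")


# Constructed sample state.
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
IDP_USERS = {
    "alice@example.com": IdpUser(True, ("Engineering",)),
    "bob@example.com": IdpUser(False, ("Engineering",)),    # offboarded an hour ago
    "carol@example.com": IdpUser(True, ("Contractors",)),    # moved from Engineering
}
MDM_DEVICES = {
    "dev-alice-1": MdmDevice(True, True),
    "dev-bob-1": MdmDevice(True, True),
    "dev-carol-1": MdmDevice(True, False),                   # failed compliance check
}
REVOKED = {"0xBEEF"}


def cert_for(upn, device_id, serial="0x1001", days_left=300):
    """Build a constructed certificate identity; real code would read the SAN."""
    return CertIdentity(upn, device_id, serial, NOW + timedelta(days=days_left))


if __name__ == "__main__":
    for upn, dev in [("alice@example.com", "dev-alice-1"),
                     ("bob@example.com", "dev-bob-1"),
                     ("carol@example.com", "dev-carol-1")]:
        print(upn, decide(cert_for(upn, dev), IDP_USERS, MDM_DEVICES, REVOKED, NOW))
```

Two design points worth noting. The lookup key is the UPN the CA placed in the certificate, which is trustworthy only because the CA is trusted and enrollment was gated on the device's managed state; never key on a field the client can set itself. The IdP and MDM lookups are separate, so either source can be swapped (Okta for Entra ID, Jamf for Intune) without changing the decision logic.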
IoT and Headless Device Authentication
Not every device on a network can present a certificate or enter a password. Printers, sensors, badge readers and other headless devices lack a user interface for 802.1X enrollment. These devices still need network access, and they need to be segmented away from user traffic.
Cloud RADIUS handles non-802.1X devices through MAC Authentication Bypass (MAB) and device profiling. When a device connects without 802.1X credentials, the authenticator sends its MAC address (typically in the RADIUS Calling-Station-Id attribute) and Cloud RADIUS checks it against a known device inventory and assigns it to an IoT or restricted VLAN. The device gets the connectivity it needs without being placed on the same segment as managed endpoints. Keep in mind that a MAC address is an identifier, not a credential: it is trivially spoofed, and modern phones and laptops randomize it by default. MAB therefore identifies a device rather than authenticating it, and the restricted VLAN, not the MAC check, is what limits the damage a spoofed printer can do.
This approach keeps IoT devices off the corporate VLAN while maintaining a single authentication infrastructure for both 802.1X and non-802.1X traffic.
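An added example of the MAB path just described. It is not SecureW2 code; the inventory and the Calling-Station-Id values are constructed, and `mab_decide`, `normalize_mac` and `is_locally_administered` are illustrative names. It handles two things that break naive MAB deployments: switches and access points format MAC addresses differently (colons, hyphens, Cisco dotted quads), so the lookup key must be normalized, and randomized (locally administered) addresses will never match a static inventory, so they are recognized and rejected rather than silently failing.

```python
"""MAC Authentication Bypass (MAB) decision with address normalization.

Added example illustrating the MAB path described in the article; not vendor
code. The inventory and the incoming Calling-Station-Id values are constructed.
"""
import re

IOT_VLANS = {"printer": "40", "badge-reader": "41", "sensor": "42"}

# Constructed inventory keyed on normalized MAC (lower-case, colon-separated).
INVENTORY = {
    "00:11:22:33:44:55": "printer",
    "a4:b1:c2:d3:e4:f5": "badge-reader",
}


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac):
    """Bit 0x02 of the first octet set: a randomized/private or software-set MAC."""
    return bool(int(mac[:2], 16) & 0x02)


def mab_decide(calling_station_id, inventory):
    """Return the RADIUS response for a device that did not complete 802.1X."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return {"code": "Access-Reject", "reason": str(exc)}
    if is_locally_administered(mac):
        # Randomized addresses cannot match a static inventory; do not let them
        # fall through to a guess. Reject and let the device be onboarded properly.
        return {"code": "Access-Reject", "reason": "locally administered (randomized) MAC"}
    kind = inventory.get(mac)
    if kind is None:
        return {"code": "Access-Reject", "reason": "unknown device"}
    return {"code": "Access-Accept", "device_type": kind,
            "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": IOT_VLANS[kind]}


if __name__ == "__main__":
    # Same printer, three vendor formats; one randomized address; one unknown.
    for station in ["0011.2233.4455", "00-11-22-33-44-55", "001122334455",
                    "da:a1:19:00:00:01", "10:20:30:40:50:60"]:
        print(station, mab_decide(station, INVENTORY))
```

Because MAB grants access on an identifier the device chooses, the VLAN returned here should be one with no route to user or server segments; the inventory check keeps unknown devices out, but it cannot keep out a laptop that has cloned the printer's MAC.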
Cross-Directory Flexibility
With certificate-based 802.1X and Cloud RADIUS, the system that issues certificates doesn’t need to be the same system that verifies user identity.
For example, imagine that your organization uses Intune to manage devices and pushes SCEP certificates through the Intune third-party CA integration. But your user directory is Okta, not Entra ID. As long as the user’s email address is embedded in the certificate, Cloud RADIUS can check the user’s status in Okta on every authentication, even though the certificate came from an Intune-managed enrollment.
The same flexibility applies in reverse. You can validate device compliance in any supported MDM, like Intune, Jamf, Google Workspace or Kandji, regardless of which IdP issued the user identity attributes in the certificate.
This decoupling matters for organizations that:
- Run hybrid identity environments with different IdPs for different user populations
- Are mid-migration from one IdP to another (AD to Okta, Google to Entra ID)
- Use one MDM for corporate devices and a different onboarding path for BYOD
Certificate Security and Device Posture Enforcement
Issuing certificates is only half the problem. Keeping certificates trustworthy over their lifetime is the other half.
Cloud PKI paired with Cloud RADIUS enables continuous posture checks through integrations with endpoint security platforms like Microsoft Defender and CrowdStrike. These checks happen outside the authentication event itself:
- Device posture monitoring: If Defender flags a device as compromised or CrowdStrike detects suspicious behavior, the certificate associated with that device can be suspended before the next authentication attempt.
- Spoofed certificate detection: CertIQ ML Anomaly Detection monitors certificate usage patterns and flags anomalies, such as a certificate appearing on a device that does not match the original enrollment context. If a certificate is copied or exported to an unauthorized device, you get an alert.
- Automated revocation: When a device falls out of compliance or a user is offboarded, certificate suspension or revocation happens programmatically. There is no manual CRL update or helpdesk ticket.
The combination of real-time identity lookup (at authentication) and continuous posture enforcement (between authentications) means that a compromised or stolen certificate has a short window of usefulness, if it works at all.
On-Prem NPS vs. Cloud RADIUS for Entra ID Environments
| Capability | Microsoft NPS (On-Prem) | Cloud RADIUS |
| Entra ID integration | Requires AD Connect sync | Native, direct connection |
| Identity lookup at auth time | Against on-prem AD only; no Entra ID or Intune compliance state | Yes – queries Entra ID and the MDM in real time |
| Device compliance check | Not supported natively | Intune, Jamf, Google, Kandji |
| Certificate issuance | Requires on-prem AD CS | Cloud SCEP via Intune third-party CA |
| Uptime | Self-managed, single-site | 99.999% managed SLA, globally distributed |
| Infrastructure required | Windows Server, AD, patching | None – fully managed SaaS |
| Cross-directory support | Active Directory only | Entra ID, Okta, Google Workspace |
Organizations running Entra ID as their primary identity provider gain the most from moving RADIUS to the cloud, because it eliminates the AD sync dependency that NPS requires.
Move 802.1X Authentication to the Cloud With SecureW2
If your organization runs Entra ID and Intune, you already have the identity and device management infrastructure in place. The missing piece is a RADIUS and PKI layer that connects to those systems natively, without forcing you to maintain on-prem servers or sync identities backward into Active Directory.
SecureW2 JoinNow Cloud RADIUS and JoinNow Dynamic PKI integrate directly with Entra ID and Intune to deliver certificate-based 802.1X authentication with real-time identity verification on every connection. It works with the 802.1X-capable switches and access points you already have, and pairs with Intune 802.1X enrollment for automated certificate deployment.
Schedule a demo to see how cloud-native 802.1X works with your Entra ID environment.
Frequently Asked Questions
What is 802.1X authentication?
802.1X is an IEEE standard (802.1X-2020) for port-based network access control. It defines how devices authenticate to a wired or wireless network using a three-party exchange between the device (supplicant), the network switch or access point (authenticator), and a RADIUS server (authentication server). The RADIUS server validates credentials or certificates and instructs the network hardware to grant or deny access.
How does 802.1X work with Entra ID?
Cloud RADIUS connects directly to Entra ID via API, performing real-time identity lookups during every authentication event. The device presents a certificate. Cloud RADIUS validates it and then queries Entra ID to confirm the user is still active, the device is still compliant, and group membership is current. This replaces the on-prem NPS + AD Connect workaround that most organizations use today.
Do you need NPS for 802.1X with Azure AD?
No. NPS requires Active Directory and cannot connect to Entra ID natively. Cloud RADIUS eliminates the need for NPS by integrating directly with Entra ID for authentication, authorization, and real-time identity verification. There is no on-prem server to maintain.