Scott Duffey has put together some excellent articles (four parts in total) around setting up Azure AD based CBA, and deploying certificates to mobile devices. It’s worked really well as a guideline for me in setting up certificate based authentication in production environments – however, there’s one scenario that isn’t covered in these articles, and if you’re running a two-tier PKI architecture, you’re going to have some headaches.
Part 2 of the series discusses how to configure your Azure AD as a Certification Authority, but it only shows you how to add your root CA as your trusted certificate authority. If you have a Root CA and an Enterprise or Intermediate CA, you need to upload both certificates into Azure AD. Without this step, your CBA won’t work because your certificate trust chains won’t properly build out. Also, make sure that you publish all required CRLs – if you have a Root CA as well as an Intermediate or Enterprise CA, make sure that both CRLs are publicly available, as you’re going to be setting those URLs using the PowerShell script below.
# Find existing Certification Authority
Get-AzureADTrustedCertificateAuthority | FL
# Install Root CA (AuthorityType=0). CRL Distribution Point should be the CRL of the Root CA
$rootcert=Get-Content -Encoding byte “C:usersusernameDesktopAzureCARootCA.cer”
$new_rootca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_rootca
# Install Enterprise CA (AuthorityType=1). CRL Distribution Point should be the CRL of the Enterprise CA
$entcert=Get-Content -Encoding byte “C:usersusernameDesktopAzureCAEntCA.cer”
$new_entca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_entca
# Remove existing Certification Authority –  for first cert,  for second, etc.
Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c
The important key above is using the AuthorityType=0 for your Root CA, and AuthorityType=1 for your Enterprise CA. I also added a section that will allow you to clear out your certificates and start over if you need to – just use  to remove your first cert, and  to remove your second.
Hope this helps!