Add partner certification authority in Intune using SCEP

Important

To support Windows requirements for strong mapping of SCEP certificates that were introduced and announced in KB5014754 from May 10, 2022 we’ve made changes to Intune SCEP certificate issuance for new and renewed SCEP certificates. With these changes, new or renewed Intune SCEP certificates for iOS/iPadOS, macOS, and Windows now include the following tag in the Subject Alternative Name (SAN) field of the certificate: URL=tag:microsoft.com,2022-09-14:sid:<value>

This tag is used by strong mapping to tie a certificate to a specific device or user SID from Entra ID. With this change and requirement to map a SID from Entra ID:

  • Device certificates are supported for Windows hybrid-joined devices when that device has a SID in Entra ID that has been synchronized from an on-premises Active Directory.
  • User certificates use the User's SID from Entra ID, synced from on-premises Active Directory.

Certification Authorities (CAs) that do not support the URL tag in the SAN might fail to issue certificates. Microsoft Active Directory Certificate Services servers that installed the update from KB5014754 support the use of this tag. If you use a third-party CA, check with your CA provider to ensure they support this format, or how and when this support will be added.

For more information, see Support tip: Implementing strong mapping in Microsoft Intune certificates - Microsoft Community Hub.

Use third-party certification authorities (CA) with Intune. Third-party CAs can provision mobile devices with new or renewed certificates by using the Simple Certificate Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and macOS devices.

There are two parts to using this feature: an open-source API, and the Intune administrator tasks.

Part 1 - Use an open-source API
Microsoft created an API to integrate with Intune. Through the API you can validate certificates, send success or failure notifications, and use SSL, specifically SSL socket factory, to communicate with Intune.

The API is available on the Intune SCEP API public GitHub repository for you to download, and use in your solutions. Use this API with third-party SCEP servers to run custom challenge validation against Intune before SCEP provisions a certificate to a device.

Integrate with Intune SCEP management solution provides more details on using the API, its methods, and testing the solution you build.

Part 2 - Create the application and profile
Using a Microsoft Entra application, you can delegate rights to Intune to handle SCEP requests coming from devices. The Microsoft Entra application includes application ID and authentication key values that are used within the API solution the developer creates. Administrators then create and deploy SCEP certificates profiles using Intune and can view reports on the deployment status on the devices.

This article provides an overview of this feature from an Administrator-perspective, including creating the Microsoft Entra application.

Overview

The following steps provide an overview of using SCEP for certificates in Intune:

  1. In Intune, an administrator creates a SCEP certificate profile, and then targets the profile to users or devices.
  2. The device checks in to Intune.
  3. Intune creates a unique SCEP challenge. It also adds integrity-check information, such as what the expected subject and SAN should be.
  4. Intune encrypts and signs both the challenge and integrity-check information, and then sends this information to the device with the SCEP request.
  5. The device generates a certificate signing request (CSR) and public/private key pair on the device based on the SCEP certificate profile that's pushed from Intune.
  6. The CSR and encrypted/signed challenge are sent to the third-party SCEP server endpoint.
  7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates the signature, decrypts the payload, and compares the CSR to the integrity-check information.
  8. Intune sends back a response to the SCEP server, and states whether the challenge validation is successful or not.
  9. If the challenge is successfully verified, then the SCEP server issues the certificate to the device.
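The following is an added example, not code from Intune or from the Intune SCEP API project, that models steps 3 through 9 above together with the strong-mapping SID tag described in the Important note at the top of this page. Intune's actual challenge format, encryption and signing are not documented here, so an HMAC over a JSON payload stands in for them, the device's CSR is represented as a plain dictionary of subject and SAN entries, and the shared key, subject names, SAN values and SID are constructed sample data. The SID string format (`S-1-...`) is assumed to be the standard Windows SID text form.

```python
# Added example (not Intune's or the SCEP API's code): a model of SCEP challenge
# validation with integrity-check information and the strong-mapping SID tag.
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

# Tag format from the Important note above; the value is the device or user SID.
SID_TAG = "URI:tag:microsoft.com,2022-09-14:sid:"
# Assumed: standard Windows SID text form (S-1-<authority>-<subauthorities...>).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Hypothetical key shared between the challenge issuer and the validator in this
# model; Intune's real signing and encryption keys are not described on this page.
VALIDATION_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size


def create_challenge(subject, sans, sid, ttl_seconds=600, now=None):
    """Steps 3-4: build a one-time challenge, attach the expected subject and SAN
    (including the SID tag) as integrity-check information, and sign the whole thing."""
    now = time.time() if now is None else now
    payload = {
        "challenge": secrets.token_hex(16),
        "subject": subject,
        "sans": sorted(sans + [SID_TAG + sid]),
        "exp": now + ttl_seconds,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def extract_sid(sans):
    """Return the SID carried in the strong-mapping tag, or None if absent/malformed."""
    for entry in sans:
        if entry.startswith(SID_TAG):
            sid = entry[len(SID_TAG):]
            return sid if SID_RE.match(sid) else None
    return None


def validate(challenge_b64, csr, now=None):
    """Steps 7-8: verify the challenge signature and freshness, then compare the CSR
    (a dict {"subject": str, "sans": [str]} standing in for a parsed PKCS#10 request)
    against the integrity-check information. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        blob = base64.b64decode(challenge_b64, validate=True)
    except ValueError:
        return False, "challenge is not valid base64"
    if len(blob) <= MAC_LEN:
        return False, "challenge too short"
    body, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected_mac = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, mac):
        return False, "challenge signature invalid"
    info = json.loads(body)
    if now > info["exp"]:
        return False, "challenge expired"
    if csr.get("subject") != info["subject"]:
        return False, "subject mismatch"
    if sorted(csr.get("sans", [])) != info["sans"]:
        return False, "SAN mismatch"
    if extract_sid(csr["sans"]) is None:
        return False, "strong-mapping SID tag missing or malformed"
    return True, "issue certificate"


# Constructed sample data: one device, its expected names, and its Entra-synced SID.
SAMPLE_NOW = 1_700_000_000
SAMPLE_SUBJECT = "CN=device01"
SAMPLE_SANS = ["DNS:device01.corp.example"]
SAMPLE_SID = "S-1-5-21-1-2-3-1001"


def demo(now=SAMPLE_NOW):
    """Run the flow once with a matching CSR and once with a tampered subject."""
    challenge = create_challenge(SAMPLE_SUBJECT, SAMPLE_SANS, SAMPLE_SID, now=now)
    good_csr = {"subject": SAMPLE_SUBJECT, "sans": SAMPLE_SANS + [SID_TAG + SAMPLE_SID]}
    bad_csr = {"subject": "CN=someone-else", "sans": good_csr["sans"]}
    return validate(challenge, good_csr, now=now), validate(challenge, bad_csr, now=now)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The comparison step is what makes the challenge worth more than a shared secret: a request that reuses a valid challenge but asks for a different subject, a different SAN set, or a SAN without a well-formed SID tag is refused before any certificate is issued.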

The following diagram shows a detailed flow of third-party SCEP integration with Intune:

How third-party certification authority SCEP integrates with Microsoft Intune

Set up third-party CA integration

Validate third-party certification authority

Before integrating third-party certification authorities with Intune, confirm that the CA you're using supports Intune. The Third-party certification authority partners section (in this article) includes a list. You can also check your certification authority's guidance for more information. The CA may include setup instructions specific to their implementation.

Note

To support the following devices, the CA must support the use of an HTTPS URL, and you must configure an HTTPS URL when you configure SCEP Server URLs for the SCEP certificate profile:

  • Android device administrator
  • Android Enterprise device owner
  • Android Enterprise corporate-owned work profile
  • Android Enterprise personally-owned work profile

Authorize communication between CA and Intune

To allow a third-party SCEP server to run custom challenge validation with Intune, create an app in Microsoft Entra ID. This app gives delegated rights to Intune to validate SCEP requests.

Be sure you have the required permissions to register a Microsoft Entra app. See Required permissions, in the Microsoft Entra documentation.

Create an application in Microsoft Entra ID

  1. In the Azure portal, go to Microsoft Entra ID > App Registrations, and then select New registration.

  2. On the Register an application page, specify the following details:

    • In the Name section, enter a meaningful application name.
    • For the Supported account types section, select Accounts in any organizational directory.
    • For Redirect URI, leave the default of Web, and then specify the sign-on URL for the third-party SCEP server.
  3. Select Register to create the application and to open the Overview page for the new app.

  4. On the app Overview page, copy the Application (client) ID value and record it; you'll need this value later.

  5. In the navigation pane for the app, go to Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires, and then choose Add to generate a value for the client secret.

    Important

    Before you leave this page, copy the value for the client secret and record it for later use with your third-party CA implementation. This value is not shown again. Be sure to review the guidance for your third-party CA on how they want the Application ID, Authentication Key, and Tenant ID configured.

  6. Record your Tenant ID. The Tenant ID is the domain text after the @ sign in your account. For example, if your account is admin@name.onmicrosoft.com, then your tenant ID is name.onmicrosoft.com.

  7. In the navigation pane for the app, go to API permissions, which are under Manage. You're going to add two separate application permissions:

    1. Select Add a permission:

      1. On the Request API permissions page, select Intune and then select Application permissions.
      2. Select the checkbox for scep_challenge_provider (SCEP challenge validation).
      3. Select Add permissions to save this configuration.
    2. Select Add a permission again.

      1. On the Request API permissions page, select Microsoft Graph > Application permissions.
      2. Expand Application and select the checkbox for Application.Read.All (Read all applications).
      3. Select Add permissions to save this configuration.
  8. Remain on the API permissions page, and select Grant admin consent for <your tenant>, and then select Yes.

    The app registration process in Microsoft Entra ID is complete.
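After consent is granted, the application permission added in step 7 is delivered to your SCEP server inside the access token it obtains for the app, in the token's `roles` claim (an Entra access token property, not something specific to this page). The following added example, which is not Microsoft's code, decodes a token's payload offline and checks that the `scep_challenge_provider` role is present and that the token was issued to the recorded Application (client) ID. Signature verification is left to the service that consumes the token; the sample token and client ID below are constructed, and the signature segment in it is a dummy.

```python
# Added example (not Microsoft's code): sanity-check an app access token for the
# application permission granted in the steps above.
import base64
import json

REQUIRED_ROLE = "scep_challenge_provider"  # Intune application permission from step 7.1


def _b64url_decode(segment):
    """Base64url decoding with the padding JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token):
    """Return the claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token, expected_client_id):
    """Return a list of problems; an empty list means the token looks usable."""
    claims = decode_payload(token)
    problems = []
    # v1 tokens carry the client ID in "appid", v2 tokens in "azp".
    app_id = claims.get("appid") or claims.get("azp")
    if app_id != expected_client_id:
        problems.append(f"token issued to {app_id!r}, expected {expected_client_id!r}")
    roles = claims.get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(f"missing application permission {REQUIRED_ROLE!r} in roles claim")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


# Constructed placeholder; use the Application (client) ID recorded in step 4.
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
GOOD_TOKEN = make_sample_token({"appid": SAMPLE_CLIENT_ID, "roles": [REQUIRED_ROLE]})
NO_CONSENT_TOKEN = make_sample_token({"appid": SAMPLE_CLIENT_ID})

if __name__ == "__main__":
    print(check_app_token(GOOD_TOKEN, SAMPLE_CLIENT_ID))
    print(check_app_token(NO_CONSENT_TOKEN, SAMPLE_CLIENT_ID))
```

An empty `roles` claim after the steps above usually means admin consent (step 8) was not completed for the tenant the token was requested from; the Microsoft Graph permission from step 7.2 appears in tokens requested for the Graph resource, so it is not checked here.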

Configure and deploy a SCEP certificate profile

As the administrator, create a SCEP certificate profile to target to users or devices. Then, assign the profile.

Removing certificates

When you unenroll or wipe the device, the certificates are removed. The certificates aren't revoked.

Third-party certification authority partners

The following third-party certification authorities support Intune:

If you're a third-party CA interested in integrating your product with Intune, review the API guidance:

See also