Microsoft Cloud PKI for Microsoft Intune


2024-11-26: overview of Microsoft Cloud PKI for Microsoft Intune. Article, 06/03/2024.



Applies to:

  • Windows
  • Android
  • iOS
  • macOS

Use Microsoft Cloud PKI to issue certificates for Intune-managed devices. Microsoft Cloud PKI is a cloud-based service that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated public key infrastructure (PKI) for your organization, without requiring any on-premises servers, connectors, or hardware. It handles the certificate issuance, renewal, and revocation for all Intune supported platforms.

This article provides an overview of Microsoft Cloud PKI for Intune, how it works, and its architecture.

What is PKI?

PKI is a system that uses digital certificates to authenticate and encrypt data between devices and services. PKI certificates are essential for securing scenarios such as VPN, Wi-Fi, email, web, and device identity. However, managing PKI certificates can be challenging, costly, and complex, especially for organizations that have a large number of devices and users. You can use Microsoft Cloud PKI to enhance the security and productivity of your devices and users, and to accelerate your digital transformation to a fully managed cloud PKI service. Additionally, you can use the Cloud PKI service to reduce workloads for Active Directory Certificate Services (ADCS) or private on-premises certification authorities.

Manage Cloud PKI in Microsoft Intune admin center

Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admin center. From there, you can:

  • Set up and use Microsoft Cloud PKI for your organization.
  • Enable Cloud PKI in your tenant.
  • Create and assign certificate profiles to devices.
  • Monitor issued certificates.

After you create a Cloud PKI issuing CA, you can start to issue certificates in minutes.

Supported device platforms

You can use the Microsoft Cloud PKI service with these platforms:

  • Android
  • iOS/iPadOS
  • macOS
  • Windows

Devices must be enrolled in Intune, and the platform must support the Intune device configuration SCEP certificate profile.

Overview of features

The following table lists the features and scenarios supported with Microsoft Cloud PKI and Microsoft Intune.

Feature overview

Create multiple CAs in an Intune tenant: Create a two-tier PKI hierarchy with root and issuing CAs in the cloud.
Bring your own CA (BYOCA): Anchor an Intune Issuing CA to a private CA through Active Directory Certificate Services or a non-Microsoft certificate service. If you have an existing PKI infrastructure, you can maintain the same root CA and create an issuing CA that chains to your external root. This option includes support for external private CA N+ tier hierarchies.
Signing and encryption algorithms: Intune supports RSA with key sizes 2048, 3072, and 4096.
Hash algorithms: Intune supports SHA-256, SHA-384, and SHA-512.
HSM keys (signing and encryption): Keys are provisioned using Azure Managed Hardware Security Module (Azure Managed HSM).

CAs created with a licensed Intune Suite or Cloud PKI Standalone Add-on automatically use HSM signing and encryption keys. No Azure subscription is required for Azure HSM.

Software keys (signing and encryption): CAs created during a trial period of Intune Suite or Cloud PKI standalone Add-on use software-backed signing and encryption keys using System.Security.Cryptography.RSA.
Certificate registration authority: Provides a Cloud Certificate Registration Authority supporting Simple Certificate Enrollment Protocol (SCEP) for each Cloud PKI Issuing CA.
Certificate Revocation List (CRL) distribution point: Intune hosts the CRL distribution point (CDP) for each CA.

The CRL validity period is seven days. Publishing and refresh happen every 3.5 days. The CRL is updated with every certificate revocation.

Authority Information Access (AIA) endpoints: Intune hosts the AIA endpoint for each Issuing CA. The AIA endpoint can be used by relying parties to retrieve parent certificates.
End-entity certificate issuance for users and devices: Also referred to as leaf certificate issuance. Support is for the SCEP (PKCS#7) protocol and certificate format, and Intune MDM-enrolled devices supporting the SCEP profile.
Certificate life-cycle management: Issue, renew, and revoke end-entity certificates.
Reporting dashboard: Monitor active, expired, and revoked certificates from a dedicated dashboard in the Intune admin center. View reports for issued leaf certificates and other certificates, and for revoked leaf certificates. Reports are updated every 24 hours.
Auditing: Audit admin activity such as create, revoke, and search actions in the Intune admin center.
Role-based access control (RBAC) permissions: Create custom roles with Microsoft Cloud PKI permissions. The available permissions enable you to read CAs, disable and reenable CAs, revoke issued leaf certificates, and create certification authorities.
Scope tags: Add scope tags to any CA you create in the admin center. Scope tags can be added, deleted, and edited.

Architecture

Microsoft Cloud PKI is made up of several key components working together to simplify the complexity and management of a public key infrastructure: a Cloud PKI service for creating and hosting certification authorities, combined with a certificate registration authority that automatically services incoming certificate requests from Intune-enrolled devices. The registration authority supports the Simple Certificate Enrollment Protocol (SCEP).

Components:

These components replace the need for an on-premises certificate authority, NDES, and Intune certificate connector.

Actions:

Before the device checks in to the Intune service, an Intune administrator or Intune role with permissions to manage the Microsoft Cloud PKI service must:

  • Create the required Cloud PKI certification authority for the root and issuing CAs in Microsoft Intune.
  • Create and assign the required trusted certificate profiles for the root and issuing CAs. This flow isn’t shown in the diagram.
  • Create and assign the required platform-specific SCEP certificate profiles. This flow isn’t shown in the diagram.

Note

A Cloud PKI Issuing Certification Authority is required to issue certificates for Intune managed devices. Cloud PKI provides a SCEP service that acts as a Certificate Registration Authority. The service requests certificates from the Issuing CA on behalf of Intune-managed devices using a SCEP profile.

  1. A device checks in with the Intune service and receives the trusted certificate and SCEP profile.
  2. Based on the SCEP profile, the device creates a certificate signing request (CSR). The private key is created on the device, and never leaves the device. The CSR and the SCEP challenge are sent to the SCEP service in the cloud (SCEP URI property in the SCEP profile). The SCEP challenge is encrypted and signed using the Intune SCEP RA keys.
  3. The SCEP validation service verifies the CSR against the SCEP challenge (shown as B.3 in the diagram). Validation ensures the request comes from an enrolled and managed device. It also ensures the challenge is untampered, and that it matches the expected value from the SCEP profile. If any of these checks fail, the certificate request is rejected.
  4. After the CSR is validated, the SCEP validation service, also known as the registration authority, requests that the issuing CA sign the CSR (shown as B.1 in the diagram).
  5. The signed certificate is delivered to the Intune MDM-enrolled device.

Note

The SCEP challenge is encrypted and signed using the Intune SCEP registration authority keys.
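The five-step flow above, together with the note on the RA-signed challenge, as an added Go example that is not part of the Microsoft article and not the Intune service's own code. It models both sides with the standard library only: the device generates its key pair and CSR locally, the registration authority (RA) hands out a challenge signed with its own key, then validates the CSR's proof of possession and the challenge before the issuing CA signs. The Challenge structure, the SHA-256 plus RSA-PSS binding of the nonce to a device, the CA name and the identifier device-0001 are assumptions; the page says the challenge is encrypted as well as signed, and only the signing half is modeled here. Real SCEP carries the challenge inside the PKCS#7/CSR exchange, so passing it alongside the CSR is a simplification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a simplified, illustrative model of a Cloud PKI issuing CA: its signing key and certificate.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewIssuingCA creates a self-signed CA certificate: RSA-2048 signed with SHA-256, both in the supported set.
func NewIssuingCA(name string) *CA {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}
}

// DeviceEnroll models step 2: the key pair is generated on the device and only the CSR (DER) leaves it.
func DeviceEnroll(deviceID string) (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	csr, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key)
	return key, csr
}

// Challenge is a hypothetical SCEP challenge: a device-bound nonce signed with the RA key.
type Challenge struct {
	DeviceID string
	Nonce    []byte
	Sig      []byte
}

func challengeHash(deviceID string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(deviceID+"|"), nonce...))
	return h[:]
}

// IssueChallenge is what the RA hands out with the SCEP profile for one device.
func IssueChallenge(raKey *rsa.PrivateKey, deviceID string) Challenge {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig, _ := rsa.SignPSS(rand.Reader, raKey, crypto.SHA256, challengeHash(deviceID, nonce), nil)
	return Challenge{DeviceID: deviceID, Nonce: nonce, Sig: sig}
}

// RAValidateAndSign models steps 3 and 4: check the CSR's proof of possession, verify that the
// challenge is untampered, RA-issued and bound to this device, then have the issuing CA sign.
func RAValidateAndSign(raPub *rsa.PublicKey, issuing *CA, csrDER []byte, c Challenge) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // the CSR was not signed by the key it carries
	}
	if rsa.VerifyPSS(raPub, crypto.SHA256, challengeHash(c.DeviceID, c.Nonce), c.Sig, nil) != nil {
		return nil, errors.New("challenge tampered with or not issued by the RA: request rejected")
	}
	if csr.Subject.CommonName != c.DeviceID {
		return nil, errors.New("challenge not bound to the requesting device: request rejected")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuing.Cert, csr.PublicKey, issuing.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // step 5: this certificate is delivered to the device
}

func main() {
	issuing := NewIssuingCA("Example Cloud PKI Issuing CA") // constructed name
	raKey, _ := rsa.GenerateKey(rand.Reader, 2048)          // the RA's own signing key
	devKey, csr := DeviceEnroll("device-0001")                // constructed device identifier
	cert, err := RAValidateAndSign(&raKey.PublicKey, issuing, csr, IssueChallenge(raKey, "device-0001"))
	fmt.Println("issued to device key:", err == nil && cert != nil && devKey.PublicKey.Equal(cert.PublicKey))
}
```

Each rejection path in RAValidateAndSign corresponds to a check step 3 names: a malformed or self-inconsistent CSR, a challenge whose signature does not verify under the RA key (altered in transit or not issued by the RA), and a challenge that does not match the requesting device. Because the device key is created by DeviceEnroll and only the CSR is passed to the RA, the example also makes the "private key never leaves the device" property visible in the function signatures.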

Licensing requirements

Microsoft Cloud PKI requires one of the following licenses:

  • Microsoft Intune Suite license
  • Microsoft Cloud PKI standalone Intune add-ons license

For more information about licensing options, see Microsoft Intune licensing.

Role based access control

The following permissions are available to assign to custom Intune roles. These permissions enable users to view and manage CAs in the admin center.

  • Read CAs: Any user assigned this permission can read the properties of a CA.
  • Create certificate authorities: Any user assigned this permission can create a root or issuing CA.
  • Revoke issued leaf certificates: Any user assigned this permission can manually revoke a certificate issued by an issuing CA. This permission also requires the Read CAs permission.

You can assign scope tags to the root and issuing CAs. For more information about how to create custom roles and scope tags, see Role-based access control with Microsoft Intune.

Try Microsoft Cloud PKI

You can try out the Microsoft Cloud PKI feature in the Intune admin center during a trial period. Available trials include:

During the trial period, you can create up to six CAs in your tenant. Cloud PKI CAs created during the trial use software-backed keys, and use System.Security.Cryptography.RSA to generate and sign the keys. You can continue to use the CAs after purchasing a Cloud PKI license. However, the keys remain software-backed, and can’t be converted to HSM-backed keys. The Microsoft Intune service manages CA keys. No Azure subscription is required for Azure HSM capability.

CA configuration examples

Two-tier Cloud PKI root & issuing CAs, and bring-your-own CAs can coexist in Intune. You can use the following configurations, provided as examples, to create CAs in Microsoft Cloud PKI:

  • One root CA with five issuing CAs
  • Three root CAs with one issuing CA each
  • Two root CAs with one issuing CA each, and two bring-your-own CAs
  • Six bring-your-own CAs

Known issues and limitations

For the latest changes and additions, see What’s new in Microsoft Intune.

  • You can create up to six CAs in an Intune tenant.
    • Licensed Cloud PKI – A total of 6 CAs can be created using Azure mHSM keys.
    • Trial Cloud PKI – A total of 6 CAs can be created during a trial of Intune Suite or the Cloud PKI standalone add-on.
  • The following CA types count toward the CA capacity:
    • Cloud PKI Root CA
    • Cloud PKI Issuing CA
    • BYOCA Issuing CA
  • In the admin center, when you select View all certificates for an issuing CA, Intune only shows the first 1000 issued certificates. We’re actively working to address this limitation. As a workaround, go to Devices > Monitor. Then select Certificates to view all issued certificates.