Jens Du Four

Connecting you to the cloud, one endpoint at a time

Cloud PKI in the Intune Suite: The Future Is Now

The Prelude: What Is Microsoft Intune?

Microsoft Intune isn’t just a buzzword—it’s a cloud-based symphony of endpoint management and security. Imagine a conductor orchestrating a harmonious blend of user access, app management, and device wizardry across a cosmic array of gadgets. We’re talking mobile devices, desktops, and even those elusive virtual endpoints (dare me to talk about Windows 365).

Now, imagine all these superpowers bundled into one cosmic cape—the Microsoft Intune Suite. It’s like assembling the Avengers, but for IT management.

  1. Remote Help: Imagine a digital lifeline connecting IT professionals to users in distress. With Intune’s Remote Help, troubleshoot issues, provide expert guidance, and rescue devices from the abyss.
  2. Endpoint Privilege Management: Picture a backstage pass at the nightclub. Endpoint Privilege Management lets standard users run specific, approved tasks with elevated rights, without handing out local admin. No more unauthorized gatecrashers.
  3. Advanced Analytics: Behold the crystal ball of data insights! Advanced Analytics peers into the mists, revealing patterns, anomalies, and hidden truths. It’s like having a detective on your team.
  4. Enterprise Application Management: Ever juggled a circus of apps? Fear not! Intune’s Enterprise Application Management tames the app menagerie. Deploy, update, and manage apps with finesse.
  5. Cloud PKI: Ah, our star of the show! Cloud PKI dances with digital certificates, whispering secrets of security and authentication. It’s the custodian of trust, and today, we’re shining a spotlight on it. 

Overview

Cloud PKI is your ticket to hassle-free certificate lifecycle management within the Microsoft Intune ecosystem. Imagine a world where you can create, revoke, and manage certificates without the burden of maintaining on-premises PKI infrastructure. Sounds like a dream, right? Well, it’s real, and it’s here to revolutionize your certificate game.

What Is Cloud PKI, Anyway?

Before we dive into the nitty-gritty, let’s demystify PKI. Public Key Infrastructure (PKI) is the backbone of secure communication. It uses digital certificates to authenticate and encrypt data between devices and services. Think VPNs, Wi-Fi, email, web traffic, and device identity—all powered by PKI magic.

However, managing PKI can be like herding digital cats. It’s complex, costly, and time-consuming, especially for organizations juggling multiple devices and users. That’s where Microsoft Cloud PKI swoops in like a caped crusader.

The Marvels of Microsoft Cloud PKI

  1. No On-Premises Servers Required: Say goodbye to racks of servers and tangled cables. Cloud PKI provides a dedicated PKI infrastructure without any on-premises fuss. No more late-night server patching—just pure cloud goodness.
  2. Certificate Lifecycle Made Easy: With Cloud PKI, issuing, renewing, and revoking certificates becomes a breeze. It’s like having a digital butler that handles all your certificate needs. Your Intune-managed devices will thank you.
  3. Accelerate Your Cloud Transformation: Cloud PKI aligns perfectly with your cloud-first strategy. It’s the turbo boost your organization needs to embrace the cloud without tripping over PKI hurdles.
  4. BYOCA (Bring Your Own CA): Got an existing PKI infrastructure? No problem! Anchor your Intune Issuing CA to your private CA through Active Directory Certificate Services or any non-Microsoft certificate service. It’s like merging the best of both worlds.
  5. Certificate Management with Finesse: Create CAs within your Intune tenant, set up a 2-tier PKI hierarchy, and control who may manage them with RBAC permissions. Plus, scope tags keep things organized, so no more certificate chaos.

Crafting a 2-Tier Cloud PKI Hierarchy

Creating the Root CA

Our journey begins with the Root Certificate Authority (CA). Think of it as the foundation—the bedrock of trust. Here’s how you lay the groundwork:

  • The dashboard lives under “Tenant administration” -> “Cloud PKI”.
  • Select “Create”, choose “Root CA” as the CA type and give the new Root CA a name.
  • The first setting to verify is the “Validity period” of the CA. Choose it deliberately: the root anchors everything beneath it, and its lifetime caps the lifetime of the issuing CA.
  • Next, select the EKUs the CA may issue certificates for. Be aware that the “Any Purpose” EKU is not supported, and you cannot sneak it in as a “Custom” EKU either.
  • After filling in the subject attributes, select the key size and algorithm.

Creating the Intermediate CA

Now, let’s build an Intermediate CA. It’s like a bridge between the Root CA and the real world:

  • Repeat the steps above, naming the Intermediate CA and choosing “Issuing CA” as the CA type.
  • You then pick the root CA source: either the Intune Root CA we just created, or “Bring your own root CA” (BYOCA).
  • Be aware that the validity period must be equal to or shorter than the Root CA validity period; a subordinate CA cannot outlive its root.

Take note that the EKUs of the Issuing CA must be a subset of the Root CA EKUs, and that the key size and algorithm must match what the Root CA uses.
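Once both CAs exist, download their certificates from the Cloud PKI dashboard and check the hierarchy against the rules above before you point anything at it. The script below is an added example, not code from the original post or from Microsoft: it checks that the issuing CA actually chains to the root, that it does not outlive it, that it carries only EKUs the root also carries (and not “Any Purpose”), and that key size and algorithm match. The two file paths are assumptions; point them at the .cer files you exported.

```powershell
# Added example, not part of the original post: sanity-check an exported Cloud PKI
# hierarchy against the rules from the text (the issuing CA chains to the root, does not
# outlive it, carries only EKUs the root also carries, and uses the same key size and
# algorithm). The two file paths are assumptions: point them at the .cer files you
# download from the Root CA and Issuing CA pages of the Cloud PKI dashboard.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$RootPath    = 'C:\CloudPKI\root-ca.cer',     # assumed path
    [string]$IssuingPath = 'C:\CloudPKI\issuing-ca.cer'   # assumed path
)

$root     = [X509Certificate2]::new($RootPath)
$issuing  = [X509Certificate2]::new($IssuingPath)
$findings = [System.Collections.Generic.List[string]]::new()

# EKU OIDs carried by a certificate; an empty list means it has no EKU extension
function Get-EkuOid {
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Public key algorithm and size, e.g. "RSA-4096" or "ECDSA-384". The Get*PublicKey
# helpers are .NET extension methods, which PowerShell cannot call as instance methods.
function Get-KeyInfo {
    param([X509Certificate2]$Cert)
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return "RSA-$($rsa.KeySize)" }
    $ec = [ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($ec) { return "ECDSA-$($ec.KeySize)" }
    return $Cert.PublicKey.Oid.FriendlyName
}

# 1. The issuing CA must be signed by the root. Supply the root explicitly, tolerate it
#    not being installed yet, and then confirm the chain really ends at *our* root.
$chain = [X509Chain]::new()
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
if (-not $chain.Build($issuing)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $findings.Add("Issuing CA does not chain to the supplied root: $status")
} else {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) {
        $findings.Add("Chain terminates at '$($top.Subject)', not at the supplied root")
    }
}

# 2. Validity: the issuing CA may not expire after the root
if ($issuing.NotAfter -gt $root.NotAfter) {
    $findings.Add("Issuing CA expires $($issuing.NotAfter.ToString('u')), after the root ($($root.NotAfter.ToString('u')))")
}

# 3. EKU: every EKU on the issuing CA must also be present on the root,
#    and 'Any Purpose' (2.5.29.37.0) is not supported by Cloud PKI at all
$rootEku    = Get-EkuOid $root
$issuingEku = Get-EkuOid $issuing
foreach ($oid in $issuingEku) {
    if ($oid -eq '2.5.29.37.0') { $findings.Add("Issuing CA carries the unsupported 'Any Purpose' EKU") }
    elseif ($rootEku -notcontains $oid) { $findings.Add("Issuing CA EKU $oid is not present on the root CA") }
}

# 4. Key size and algorithm must match the root
$rootKey    = Get-KeyInfo $root
$issuingKey = Get-KeyInfo $issuing
if ($rootKey -ne $issuingKey) {
    $findings.Add("Key mismatch: root uses $rootKey, issuing CA uses $issuingKey")
}

if ($findings.Count -eq 0) {
    "OK: '$($issuing.Subject)' is a valid subordinate of '$($root.Subject)' ($rootKey; EKUs: $($rootEku -join ', '))"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The chain is built with AllowUnknownCertificateAuthority and the root placed in ExtraStore on purpose: at this point the root is not yet in any trust store, and we only want to know whether the signature and structure are right, so the script then confirms the chain really ends at the thumbprint of the root we supplied rather than at some other CA that happens to be installed.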

Enjoy the fruits of your labor

Now that we’ve established the necessary infrastructure in Intune, let’s explore how Certificate-Based Authentication (CBA) can enhance security and streamline user access.

Leveraging the CA for Certificate-Based Authentication

Adding the Root CA in Microsoft Entra ID

In the Microsoft Entra admin center (entra.microsoft.com), navigate to “Protection” -> “Security Center”. Here you can find the “Certificate authorities”.

Through the upload button we add both the Root and Issuing CA certificates to Microsoft Entra. Set the “Is root certificate” flag to Yes for the Root CA and No for the Issuing CA, and fill in the “Certificate Revocation List URL” with the CRL distribution point shown for each CA in the Cloud PKI dashboard. Don’t skip the CRL URL: without it Entra cannot check revocation, so a certificate you revoke in Cloud PKI would keep signing users in until it expires.

Afterwards, we should navigate to “Protection” -> “Authentication methods”, where we can configure certificate-based authentication itself.

Configuring Certificate-Based Authentication in Microsoft Entra ID

Selecting “Certificate-based authentication” lets you enable this method for all users or a subset of users.

Under “Configure” you set the authentication binding: the default protection level (single-factor or multifactor) and, per “Certificate issuer”, which CA’s certificates qualify; add your Root CA here. The username binding maps a certificate field to the user attribute it must match, and it has to agree with what the SCEP profile will put in the certificate: if the SAN carries the UPN, bind the SAN “PrincipalName” field to userPrincipalName.

Deploying the Certificates using Microsoft Intune

Now that we have successfully configured the Cloud PKI infrastructure and have added this to Microsoft Entra ID, we have to make sure that the certificates get pushed towards our endpoints.

For this we will be using Microsoft Intune. The process is fairly easy as we will be creating two configuration profiles:

  • One to add the Root CA (and the Issuing CA) as trusted certificates
  • One to issue a user certificate using SCEP (Simple Certificate Enrollment Protocol)

For the trusted certificate profile:

  • Create a profile for your relevant OS, pick “Templates”, select “Trusted certificate” and click “Create”.
  • Give the configuration policy a name.
  • Upload your Root CA certificate, which you can download from the Root CA page in the Cloud PKI dashboard. Repeat the process in a second profile for the Issuing CA, so that the whole chain is trusted.
  • Assign both trusted certificate profiles to the target users or devices so the certificates actually reach the endpoint.

For the SCEP certificate profile:

  • Create a profile for your relevant OS, pick “Templates”, select “SCEP certificate” and click “Create”.
  • Give the configuration policy a name.

We will create a user certificate: set the subject name format to the username (for example CN={{UserName}}) and add a SAN entry of type “User principal name” with the value {{UserPrincipalName}}. That SAN value is what Entra matches during authentication, so it must line up with the username binding configured earlier. Then select your preferred validity period, KSP, key usages, key size and hash algorithm.

Finally, under “Root Certificate” select the Root CA trusted certificate profile we created above. As EKU, use “Client Authentication” (1.3.6.1.5.5.7.3.2), since we are configuring CBA. At the bottom, fill in the SCEP Server URL, which you copy from the Issuing CA’s properties in the Cloud PKI dashboard.

When all this is configured and assigned, the Root and Issuing CA are trusted on the endpoint, and the endpoint gets a certificate issued to it over SCEP. We can manage (and, if needed, revoke) that certificate again through the Cloud PKI dashboard in Microsoft Intune.

The Practical Outcome of Cloud PKI

Your 2-tier PKI hierarchy is now operational—a bridge between trust and secure authentication. Devices wield certificates like digital passports, and users journey through gateways with confidence.

On the endpoint you can check that the certificates are present in the “Manage computer certificates” (certlm.msc) and “Manage user certificates” (certmgr.msc) consoles:

  • The Root CA is in the computer store under “Trusted Root Certification Authorities”.
  • The Issuing CA is in the computer store under “Intermediate Certification Authorities”.
  • The user certificate is in the user store (certmgr) under “Personal”.
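Clicking through the consoles works for one machine; for anything more, script the check. The script below is an added example, not code from the original post or from Microsoft. It verifies on a Windows endpoint that the trusted certificate profiles and the SCEP profile from the previous section landed: root in the computer’s Trusted Root store, issuing CA in Intermediate CAs, and a Client Authentication certificate in the user’s Personal store that chains to our root, passes an online revocation check (which exercises the Cloud PKI CRL URL) and carries the expected UPN in its SAN. The two thumbprints are placeholders to replace with the real ones from the Cloud PKI dashboard; the expected UPN defaults to that of the signed-in user.

```powershell
# Added example, not part of the original post: verify on a Windows endpoint that the two
# profiles actually landed and that the issued certificate is usable for CBA. The two
# thumbprints are placeholders (copy the real ones from the Cloud PKI dashboard); the
# expected UPN defaults to the signed-in user's. Assumes the SCEP profile put the UPN in
# the SAN, as configured above.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$RootThumbprint    = '0000000000000000000000000000000000000000',  # placeholder
    [string]$IssuingThumbprint = '1111111111111111111111111111111111111111',  # placeholder
    [string]$ExpectedUpn       = (whoami /upn 2>$null)
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Trusted certificate profiles: root in Trusted Root, issuing CA in Intermediate CAs
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint)) {
    $findings.Add("Root CA $RootThumbprint is missing from LocalMachine\Root")
}
if (-not (Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $IssuingThumbprint)) {
    $findings.Add("Issuing CA $IssuingThumbprint is missing from LocalMachine\CA")
}

function Test-HasEku {
    param([X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    return [bool]($ext -and ($ext.EnhancedKeyUsages | Where-Object Value -eq $Oid))
}

# The UPN from the "Other Name: Principal Name=..." entry Windows renders for the SAN extension
function Get-SanUpn {
    param([X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

# Build the chain with an online revocation check of the leaf. Windows fetches the CRL
# from the certificate's CDP URL, so this also proves the Cloud PKI CRL is reachable.
function Test-UserCert {
    param([X509Certificate2]$Cert)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EndCertificateOnly
    $ok  = $chain.Build($Cert)
    $top = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate }
    [pscustomobject]@{
        Valid        = $ok
        AnchoredHere = ($null -ne $top -and $top.Thumbprint -eq $RootThumbprint)
        Status       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# 2. SCEP profile: find the Client Authentication cert in the user's store that chains to our root
$userCert = $null
foreach ($c in (Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey)) {
    if (-not (Test-HasEku $c $ClientAuthOid)) { continue }
    $r = Test-UserCert $c
    if ($r.AnchoredHere) { $userCert = $c; $result = $r; break }
}

if (-not $userCert) {
    $findings.Add("No Client Authentication certificate in CurrentUser\My chains to root $RootThumbprint")
} else {
    if (-not $result.Valid) {
        $findings.Add("Chain or revocation check failed for '$($userCert.Subject)': $($result.Status)")
    }
    $upn = Get-SanUpn $userCert
    if ($upn -ne $ExpectedUpn) {
        $findings.Add("SAN principal name '$upn' does not match the expected UPN '$ExpectedUpn'")
    }
}

if ($findings.Count -eq 0) {
    "OK: '$($userCert.Subject)' (SAN UPN $upn) is valid, unrevoked and chains to root $RootThumbprint"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it in the context of the user who enrolled, not from an elevated prompt under another account, because CurrentUser\My is per user. It relies on the Cert: drive and on Windows formatting the SAN extension as text, so it is Windows-only (Windows PowerShell 5.1 or PowerShell 7 both work). A RevocationStatusUnknown or OfflineRevocation status in the failure message usually means the endpoint could not reach the CRL URL, which is exactly the condition that also silently weakens the Entra-side revocation check described earlier.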

When trying to authenticate on Office.com, we notice that the browser asks us to select the relevant certificate for CBA.

In the end, the user is logged in using the certificate.

Conclusion

I give Cloud PKI two enthusiastic 👍👍. It’s a game-changer for organizations seeking simplicity, security, and scalability. So go forth, my fellow tech adventurers, and explore the cloud-kissed realms of Microsoft Cloud PKI!

For more details, check out the official documentation.