Just if anyone is interested: I've developed a custom AD CS "SID Policy Module" that adds support for the new proprietary extension in offline templates. That is, if a request comes from a trusted requester (e.g. the Intune/NDES service account) and includes target identity information (via UPN or SAN DNS), the module will automatically include the new SID extension in the issued certificate. This change doesn't require any changes on the Intune/NDES side. You have a great level of control over when the SID value is passed to the issued certificate.
Since subject names are not validated in offline requests, the default approach opens a door for account spoofing via unvalidated offline requests. To protect the CA, the SID Policy Module provides functionality to handle cases when an incoming request contains potentially spoofed SID information and is sent from an untrusted source. This includes the original Microsoft proprietary extension and the new SAN URL option. You can explore and try my policy module (open-source and free for use) on GitHub: https://github.com/PKISolutions/ADCS-SID-Extension-Policy-Module