bjulian: The way it worked in February was this: You didn't have to configure anything; in fact, you couldn't. The SID SAN URI was added automatically to all requests where the corresponding Entra ID object, e.g. a synched user, had a SID value.
Now the announcement says that there will be an opt-in or opt-out model and it is planned for September. I haven't seen the implementation yet, but I hope for something similar to what AndresMoralesamf5979 and MeijuXing had in mind and you are suggesting. Then again, the Intune team wants to reach as many customers as possible before AD enforces the strong mapping to keep customer disruption as low as possible, so maybe it will be just a checkbox and it will be checked by default. AFAIK, the reason the initial rollout was stopped was that the additional SAN value caused problems within Intune (encoding issues with too many SAN values) or with applications using the certificate (unexpected SAN value). So maybe they are going for the SID extension instead of the SID SAN value; the extension doesn't cause these issues and it is the same as what the on-prem ADCS and SCEPman are doing right now. For SCEPman and other PKIs, it is a configuration switch in the PKI, not in the Intune profile.