Blog Post

Security, Compliance, and Identity Blog

Microsoft Intune adds support for Entrust Datacard and other third-party certification authorities

Intune Team
Sep 08, 2018

First published on CloudBlogs on Jul 30, 2018
One of the important security management responsibilities of Microsoft Intune is issuing certificates to devices using the Simple Certificate Enrollment Protocol (SCEP). SCEP is an industry-standard protocol implemented by most certification authorities to simplify large-scale certificate issuance. We are pleased to announce Intune support for SCEP request validation using third-party certification authorities. Entrust Datacard is the first Microsoft partner solution to support this interoperability.

Digital certificates have become increasingly popular for identifying a user or device before granting access to corporate resources such as Wi-Fi and VPN, web applications, and cloud storage. They are also used to encrypt and sign email, so recipients know they can trust the sender and only the intended recipients can read the message. Certificate-based authentication prevents untrusted devices (devices without certificates issued from a trusted source) from accessing the network, which matters given the widespread use of bring-your-own-device (BYOD) and corporate-owned mobile devices in the modern workplace. Some of these devices may belong to external partners (contractors, vendors, temporary workers) who have a legitimate requirement to access the corporate network but appear as “unknown devices” to the organization. To protect against ever-increasing and ever more sophisticated attacks, IT must ensure not only that the right user has access to the right data, but also that they are using the right device. Digital certificates allow IT to embed a trusted identity onto users' mobile devices with little to no change in user behavior. They enable a transparent and frictionless authentication experience, so users don’t have to enter domain credentials such as username and password each time they seek access.
Intune provides a set of APIs that allow third-party certificate authorities to interoperate with our SCEP-based certificate delivery capabilities. Using these supported platforms, Intune admins can issue certificates to new employees, renew certificates, and control which users and devices can access applications and networks. In the context of mobile devices, certificate requests are generally initiated by the device after it receives a certificate profile from Intune. Figure 1 below describes a simplified workflow of how Intune’s SCEP solution securely delivers certificates. Intune generates a dynamic challenge and some additional integrity check information, which is then encrypted and sent to the device. The integrity check information protects the certificate issuance process by ensuring that the subject, SAN, and other fields in the certificate signing request (CSR) received by the SCEP server match the information held in Intune. When the device reaches out to the SCEP server with the CSR and challenge, Intune validates the integrity of the CSR and the dynamic challenge before the SCEP server issues the certificate.

Figure 1. Workflow summary for Intune SCEP certificate validation.
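As an added illustration (not Intune's or Entrust's code, and not their wire format), the following Python models the validation step summarized in Figure 1: the Intune side binds the expected subject and SANs to a short-lived, single-use challenge with an HMAC, and the validator consulted by the SCEP server rejects a CSR whose fields differ from the profile, a replayed challenge, an expired one, or one whose recorded fields were altered. The shared key, the field names, the TTL and the dict-shaped CSR are constructed assumptions, and the encryption of the challenge in transit described above is omitted.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret known only to the validator (assumption; Intune's real
# mechanism and key handling are not described on the page).
INTUNE_KEY = secrets.token_bytes(32)
_used_nonces = set()  # single use: a challenge may be redeemed only once


def issue_challenge(device_id, subject, sans, ttl=600, now=None):
    """Intune side: record the CSR fields the device is expected to request
    and bind them to a short-lived, single-use challenge with an HMAC."""
    now = time.time() if now is None else now
    payload = {"device": device_id, "subject": subject, "sans": sorted(sans),
               "nonce": secrets.token_hex(8), "exp": int(now + ttl)}
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(INTUNE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def validate_request(challenge, csr, now=None):
    """Validator called by the SCEP server before issuance: confirm the challenge
    is genuine, unexpired and unused, then confirm the CSR matches the profile.
    csr is a constructed dict {"subject": str, "sans": [str]}."""
    now = time.time() if now is None else now
    body, _, tag = challenge.rpartition(".")  # tag is hex, so it holds no '.'
    expected = hmac.new(INTUNE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "challenge signature invalid"
    p = json.loads(body)
    if now > p["exp"]:
        return False, "challenge expired"
    if p["nonce"] in _used_nonces:
        return False, "challenge already used"
    if csr["subject"] != p["subject"]:
        return False, "CSR subject does not match profile"
    if sorted(csr["sans"]) != p["sans"]:
        return False, "CSR SAN does not match profile"
    _used_nonces.add(p["nonce"])  # consume only on success
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge("device-1", "CN=alice", ["alice@contoso.example"])
    good = {"subject": "CN=alice", "sans": ["alice@contoso.example"]}
    print(validate_request(ch, good))   # (True, 'ok')
    print(validate_request(ch, good))   # replay: (False, 'challenge already used')
```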

Like the previously supported Active Directory Certificate Services integration, the new Intune and Entrust Datacard interoperability ensures no tampering occurs at any point in the certificate issuance process while using SCEP. Organizations can issue certificates via Entrust Datacard to provide seamless authentication to applications and on-premises resources, creating a user-friendly, flexible, and cost-effective experience. In addition to certificate-based authentication, Microsoft and Entrust will add support for other capabilities and scenarios, such as modern provisioning, secure email, and data protection. Microsoft engineers are also collaborating with other public key infrastructure (PKI) and certificate management providers to integrate their solutions with Intune’s SCEP validation API. Device certificates add an important layer of security for organizations adopting a modern workplace powered by Microsoft 365, including Intune, Azure Active Directory, and Office 365. The Entrust Datacard integration will be rolled out for general availability later this quarter. To learn more, contact your Microsoft and Entrust representatives, and review the documentation.

Updated May 11, 2021
Version 7.0
  • Charley Chell

    This integration uses our SCEP service and a plugin extension that we co-developed with Microsoft. We are working on the step-by-step guide for publication in the next few weeks. Our customer support team is now aware of this timing. Thanks for flagging.

  • Yoav Kalo

    I couldn't find any guidelines regarding how the Entrust Datacard environment should be set up for tenants who are currently only in Azure AD and want to use Intune for certificate deployment, but don't have an environment currently set up in Entrust Datacard.

    We've even tried to ask Entrust's support about this and we're still waiting for an answer from them (been over a month).

  • I was hoping to see AzureAD and Office365 in the Protected Resources box :). Any idea when we'll be able to use these client certificates to authenticate to Office365/AzureAD directly (i.e. without Federation)?