Event details

Microsoft Cloud PKI is a cloud-based public key infrastructure (PKI) service that handles all aspects of the certificate lifecycle for Intune managed devices. It adheres to PKI industry standards and is simple to set up and manage: no on-premises servers to deploy or manage, no certificate connectors, no firewalls or proxies. We handle all the complexities, standing up a PKI in a matter of minutes. Come see how it all works!


This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

Char_Cheesman
Updated Dec 27, 2024

69 Comments

  • GeoffAusgrid
    Copper Contributor
    I am interested in seeing how CLM products would integrate into this platform, and understanding the CRL/OCSP support. As others have said, this seems like only a part of the journey, and having complete support for auto enrolment/user and device certificates would go much further toward removing hybrid PKI deployments.
    • Mike22April
      Brass Contributor
      I'm fairly certain that several market-leading, CA-agnostic CLM providers will add Intune PKI to their list of supported CAs, especially since Microsoft will most certainly lack functionality, if only to support niche markets.
  • andershannus
    Copper Contributor
    We use SCEPMan and RADIUSaaS, but I'm very open to other solutions. As some already pointed out, we also need "Cloud RADIUS". We have some customers that use Linux computers, so I'm very interested in whether this solution can in any way supply a certificate to at least an Ubuntu device (Intune managed). There might also be printers and other devices on the network that need a certificate. Hope to get some of that answered.
  • EPNAdam
    Iron Contributor
    2 USD per user sounds pricey. We use SCEPMan and RADIUSaaS, which are very easy to set up and have worked very well. Pricing there is somewhere between 0,3-0,5 USD per user. Looking forward to seeing what this new PKI service will offer, but I doubt we will switch if pricing is 2 USD per user.
    • jabbrwcky
      Brass Contributor
      A colleague remarked, "who wants cloud PKI without cloud RADIUS?" - I think he might be right. Why would anyone pay a premium for half a network access solution when other vendors can do the entire package at a lower cost?
  • CraigDK
    Iron Contributor

    This is an interesting feature but the pricing point becomes prohibitive for larger enterprises due to lack of tiered discounts, e.g.

    1. 1000 users, $2 per user per month = $24,000 a year which isn't bad for the cost of a fully managed, resilient PKI SCEP infrastructure.
    2. But 30,000 users at $2 per user per month = $720,000 a year - at that price point we could fund the cost of hardware, hosting and staff to support our own PKI infrastructure a few times over.

    I know it can also be licensed within the wider Intune Suite, but even with that, the lack of a tiered discount for larger volumes significantly exceeds the cost at which all the components become cheaper to do it / manage it ourselves.

    Are Microsoft intending to review their pricing structure at all to make for a more compelling large Enterprise offer for individual components or the entire suite?

    • Joe_Lurie
      Microsoft

      CraigDK, thanks for the feedback. I recommend talking to your Microsoft account rep about your concerns.

      • SurpriseExpectations
        Copper Contributor
        Joe_Lurie, Microsoft has a pricing issue here. PKI has been a missing feature of cloud hosted solutions. It's being sold as a new feature, but in reality it is the missing keystone that will either encourage people to adopt cloud infrastructure or keep them from it. There is a shift back to the local office for many services, especially those around dev and CI/CD as a cost reduction, and the numbers are showing orders of magnitude savings. So at the same time MS is recording record-breaking profits, they are also choosing to predicate the client base by placing premium pricing on a missing core feature. The end result of this gaffe in judgement will be very slow adoption of PKI and loss of clients at scale. I recommend you talk to your team, as everyone I talk to sees the pricing here as laughably high, and agrees that this is a missing feature, not an upgrade. I won't use MS PKI at all, unless included. We pay enough, profits are breaking records, this is just greed. Do better.
  • I am very curious to see how this is delivered. PKI that is easily accessible for on-prem usages, like WiFi auth, may be the largest pain point keeping companies from going to 100% cloud hosted O365 AD and Domain services. However, the cost and features offered will be the keystone points of value here. If this was built with a focus on delivering the missing tools and features, it could be amazingly good. If it's being built as a new way to charge and upsell, it'll be another disappointing "profit first" product. Corporations have lost sight of a key factor recently. Profits are the result of a good product and offering. Currently, profit is the only item truly valued. Boards and stakeholders demand the profit margins move ever to the right, despite record-breaking profits being reported. The result of this is a tired and predicated client base and inferior products being released with a focus on what they can charge, and not what value it offers.
    • jabbrwcky
      Brass Contributor

      You're so right. I honestly think on-prem WiFi auth is the single biggest reason that orgs are staying hybrid. Incredibly, MS customers have been asking for a solution in this space for https://feedback.azure.com/d365community/idea/801d1ff9-b425-ec11-b6e6-000d3a4f0789! I have been https://chrisbt.me/posts/nps-radius-aadj-2/ to keep my on-prem infrastructure running with my cloud-joined devices, but it's too complicated and this demands a simple answer. Sadly I'm not sure this is it - why did Microsoft call out the lack of support for on-prem WiFi with cloud-joined devices and then only provide half a solution? PKI is great, but it won't actually authenticate devices or users. I'm also keen to see the specifics of the suggested WiFi integration, since I have successfully deployed my own Azure-hosted PKI with https://www.scepman.com and there's a chicken & egg problem with certificate deployment that nobody at Microsoft has been able to give me an answer to.

    • JoeH45
      Iron Contributor

      It's part of the "Intune Suite" add-on, so I think you can draw your own conclusion. 🙂

  • Cristian_Turcu_
    Copper Contributor
    Looking forward to it. Hope MS Cloud PKI will provide strong certificates that contain the non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2.
    • Bill Calero
      Microsoft
      Hi Cristian, we are working through the scenario ... If you are referring to the issue where a Windows domain-joined machine requires the SID in the cert properties, we are working through this ... I don't have all the details ATM, but will follow up later.
    • Joe_Lurie
      Microsoft

      KalimanneJ, it will be available in GCC after General Availability, not at GA. But we do have plans to make it available in GCC shortly after GA.

  • Mike22April
    Brass Contributor
    Looking forward to this session, especially the "Microsoft Cloud PKI will handle all aspects of the certificate lifecycle for Intune managed devices. Adhering to PKI industry standards, simple to setup and manage." part.
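Cristian_Turcu_ asks above for the non-critical 1.3.6.1.4.1.311.25.2 extension, and Bill Calero's reply notes that it carries the domain-joined machine's SID. The following is an added example, not code from this thread or from Microsoft Cloud PKI: it parses that extension's value and reports the SID only when the extension is present, non-critical and well formed, so an admin can verify what an issuing CA actually put in a certificate before relying on it for domain authentication. It assumes the DER layout Active Directory uses for this extension (an inner OID 1.3.6.1.4.1.311.25.2.1 wrapping an OCTET STRING with the textual SID) and constructs its sample value inline.

```python
"""Parse the SID certificate extension (OID 1.3.6.1.4.1.311.25.2).
Added example, not code from this thread or from Microsoft Cloud PKI. It assumes
the DER layout Active Directory uses for this extension:
SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING sid } } }.
Standard library only; the sample extension value at the bottom is constructed."""
import re

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"
INNER_OID_DER = bytes.fromhex("2b060104018237190201")  # 1.3.6.1.4.1.311.25.2.1, DER body
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")  # domain SID plus RID

def tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_sid(ext_value):
    """Return the SID carried in the extension value, or None if malformed."""
    try:
        tag, seq, _ = tlv(ext_value)        # SEQUENCE
        tag0, ctx0, _ = tlv(seq)            # [0]
        tag1, oid, pos = tlv(ctx0)          # OID 1.3.6.1.4.1.311.25.2.1
        tag2, ctx1, _ = tlv(ctx0, pos)      # [0]
        tag3, sid, _ = tlv(ctx1)            # OCTET STRING holding "S-1-5-21-..."
        if (tag, tag0, tag1, tag2, tag3) != (0x30, 0xA0, 0x06, 0xA0, 0x04):
            return None
        if oid != INNER_OID_DER:
            return None
        text = sid.decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None
    return text if SID_RE.match(text) else None

def sid_from_extensions(extensions):
    """extensions: iterable of (oid, critical, value_bytes) as read from a cert.
    Returns the SID only when the extension is present and non-critical."""
    for oid, critical, value in extensions:
        if oid == SID_EXT_OID and not critical:
            return extract_sid(value)
    return None

def der_tlv(tag, body):  # short-form DER TLV (bodies here stay under 128 bytes)
    return bytes([tag, len(body)]) + body

SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed value
SAMPLE_EXT_VALUE = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x06, INNER_OID_DER)
                                       + der_tlv(0xA0, der_tlv(0x04, SAMPLE_SID.encode()))))
```

With a real certificate, feed `sid_from_extensions` the (OID, critical flag, raw DER value) triples from whatever X.509 parser you already use; a None result means the certificate cannot be strongly mapped to the account by SID.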