Microsoft Cloud PKI launches as a new addition to the Microsoft Intune Suite
Published Nov 15 2023 08:00 AM 95.7K Views

Public key infrastructure (PKI) is enormously complex, time consuming, and requires deep expertise. For many years, customers have been asking for a cloud-based PKI offering and in February 2024 we will answer that ask with Microsoft Cloud PKI, a key addition to the Microsoft Intune Suite.

Microsoft Cloud PKI helps organizations accelerate digital transformation by simplifying certificate management and moving it to the cloud. With Cloud PKI, you will no longer have to deploy, configure and manage on premises servers or procure hardware. You will be able to create multiple certification authorities and manage the lifecycle of certificates issued to Intune-managed devices. This means you can set up PKI infrastructure in minutes instead of weeks – and eliminate the need for lengthy planning, coordination, procurement and deployment. Our new solution will greatly simplify and automate certificate management.

At launch, Cloud PKI will be able to issue certificates across platforms, specifically Windows, iOS, macOS, and Android. The end-to-end solution provides a SaaS-based certificate registration authority, doing away with the complexities and cost of traditional on-premises services like Network Device Enrollment Service (NDES) and reverse proxies, making these additional infrastructure components a thing of the past.

Cloud PKI manages the full lifecycle of issued certificates for managed devices. For example, it can perform automatic renewals when expirations near and expire certificates no longer in use. You’ll also be able to revoke certificates when devices are wiped, deleted, or removed from Intune. When appropriate, Cloud PKI will also provide an Intune certificate administrator with the ability to manually revoke a certificate, if needed based on security concerns or alerts from other security frameworks.

Issued certificates from Cloud PKI can be used for certificate-based authentication (CBA) use cases, such as accessing Wi-Fi networks, VPNs, Windows Hello for Business, and even Microsoft 365 apps. CBA provides a much more secure authentication method over passwords, improving an organization’s overall security posture.

Cloud PKI provides a single pane of glass from the cloud for certification authorities, registration authorities, revocation distribution lists, monitoring, and reporting. Dashboards and detailed views of certificate renewals, revocations, expiration work together to provide agility, cost efficiency, and security. With Cloud PKI, you can manage your certificates where you manage your endpoints, all while saving time and money by bringing your PKI infrastructure to the cloud.

Simplifying your PKI infrastructure

Cloud PKI provides a simple interface for creating Certification Authorities, removing all the complexities while providing the richness of a hosted and managed service adhering to industry best practices and standards.

Simple configuration settings in the Intune admin center, all adhering to industry standards for Certification Authority creation.Simple configuration settings in the Intune admin center, all adhering to industry standards for Certification Authority creation.

The properties of a Cloud PKI Issuing CA contain everything required to start issuing certificates:

  • A SCEP URI, which is the the registration authority URI that will be used for creating Intune SCEP certificate profiles to issue certificates for managed devices.
  • The CRL distribution point, which contains the certificate revocation list for each issuing CA in the cloud.
  • A "Download" button for CA public keys used to create Intune Trusted certificate profiles and deploying to relying parties like Wi-Fi, VPN and applications supporting certificate-based authentication.

Issuing certificate properties in the Intune admin center are shown, with a SCEP URI copy & paste button, CRL distribution list URI, and  the ability to download the certificate if desiredIssuing certificate properties in the Intune admin center are shown, with a SCEP URI copy & paste button, CRL distribution list URI, and the ability to download the certificate if desired

Monitor Cloud PKI

Dashboards for Cloud PKI provide essential summary details for issuing certification authority usage.

Issued leaf certificate status summary in the Intune admin center showing how many active, expired, and revoked certificates are currently in useIssued leaf certificate status summary in the Intune admin center showing how many active, expired, and revoked certificates are currently in use

With Cloud PKI, you can easily view all certificates issued per certification authority. You can improve troubleshooting with search and filters to find certificates quickly.

Closer view of the properties for a leaf certificate in the Intune admin center showing the subject name, issuer, thumbprint, serial number, and other details. A revoke option is shown at the top.Closer view of the properties for a leaf certificate in the Intune admin center showing the subject name, issuer, thumbprint, serial number, and other details. A revoke option is shown at the top.

Learn more about Microsoft Cloud PKI

In February 2024, Microsoft Cloud PKI will be available as part of the Microsoft Intune Suite. For added flexibility, this new solution will also be available as an individual add-on to Microsoft subscriptions that include Intune starting on March 1, 2024 for both enterprise and government customers. The US dollar list price for Cloud PKI as a standalone add-on will be $2 per user per month. Global and Billing administrators can use the centralized experience (Intune add-ons) in the Intune admin center to easily access trial licenses (up to 250 users for 90 days) and licenses to purchase.

Although available as a separate add-on to try or buy, we expect most organizations will realize the greatest value with the adoption of the entire Intune Suite. The list price for the Intune Suite will remain at $10 per user per month. Be sure to connect with your Microsoft account team to explore the option that is best for you and your business needs.

Catch up on all Intune news at Microsoft Ignite and take advantage of the opportunity to explore Intune capabilities and use cases. Then join the Microsoft Technical Takeoff, November 27-30 (Digital) for closer look at the latest features, capabilities, and scenarios with technical deep dives plus live Ask Microsoft Anything (AMA) sessions delivered by the engineering teams building the future of Microsoft Intune. Check out the full session catalog and make sure to RSVP for Coming to the Microsoft Intune Suite - Microsoft Cloud PKI! to see the capabilities here in action!


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

32 Comments
Version history
Last update:
‎Nov 15 2023 06:26 AM
Updated by: