Public key infrastructure (PKI) is enormously complex, time consuming, and requires deep expertise. For many years, customers have been asking for a cloud-based PKI offering and in February 2024 we will answer that ask with Microsoft Cloud PKI, a key addition to the Microsoft Intune Suite.
Microsoft Cloud PKI helps organizations accelerate digital transformation by simplifying certificate management and moving it to the cloud. With Cloud PKI, you will no longer have to deploy, configure, and manage on-premises servers or procure hardware. You will be able to create multiple certification authorities and manage the lifecycle of certificates issued to Intune-managed devices. This means you can set up PKI infrastructure in minutes instead of weeks – and eliminate the need for lengthy planning, coordination, procurement, and deployment. Our new solution will greatly simplify and automate certificate management.
At launch, Cloud PKI will be able to issue certificates across platforms, specifically Windows, iOS, macOS, and Android. The end-to-end solution provides a SaaS-based certificate registration authority, doing away with the complexity and cost of traditional on-premises components such as Network Device Enrollment Service (NDES) and reverse proxies.
Cloud PKI manages the full lifecycle of certificates issued to managed devices. For example, it can automatically renew certificates as they approach expiration and let certificates that are no longer in use expire. You’ll also be able to revoke certificates when devices are wiped, deleted, or removed from Intune. Cloud PKI will also give an Intune certificate administrator the ability to manually revoke a certificate when security concerns or alerts from other security frameworks call for it.
Certificates issued by Cloud PKI can be used for certificate-based authentication (CBA) scenarios such as accessing Wi-Fi networks, VPNs, Windows Hello for Business, and even Microsoft 365 apps. CBA is a much more secure authentication method than passwords, improving an organization’s overall security posture.
Cloud PKI provides a single pane of glass from the cloud for certification authorities, registration authorities, revocation distribution lists, monitoring, and reporting. Dashboards and detailed views of certificate renewals, revocations, and expirations work together to provide agility, cost efficiency, and security. With Cloud PKI, you can manage your certificates where you manage your endpoints, all while saving time and money by bringing your PKI infrastructure to the cloud.
Simplifying your PKI infrastructure
Cloud PKI provides a simple interface for creating Certification Authorities, removing the complexity while providing the richness of a hosted and managed service that adheres to industry best practices and standards.
Simple configuration settings in the Intune admin center, all adhering to industry standards for Certification Authority creation.
The properties of a Cloud PKI Issuing CA contain everything required to start issuing certificates:
A SCEP URI, which is the registration authority URI used when creating Intune SCEP certificate profiles to issue certificates to managed devices.
The CRL distribution point URI, from which relying parties retrieve the certificate revocation list for that issuing CA.
A "Download" button for the CA public key certificate, used to create Intune Trusted certificate profiles and to distribute the CA to relying parties such as Wi-Fi, VPN, and applications that support certificate-based authentication.
Issuing CA certificate properties in the Intune admin center are shown, with a copy button for the SCEP URI, the CRL distribution point URI, and the option to download the CA certificate if desired.
Monitor Cloud PKI
Dashboards for Cloud PKI provide essential summary details for issuing certification authority usage.
Issued leaf certificate status summary in the Intune admin center, showing how many active, expired, and revoked certificates are currently in use.
With Cloud PKI, you can easily view all certificates issued by each certification authority, and search and filters help you find specific certificates quickly when troubleshooting.
Closer view of the properties for a leaf certificate in the Intune admin center showing the subject name, issuer, thumbprint, serial number, and other details. A revoke option is shown at the top.
Learn more about Microsoft Cloud PKI
In February 2024, Microsoft Cloud PKI will be available as part of the Microsoft Intune Suite. For added flexibility, this new solution will also be available as an individual add-on to Microsoft subscriptions that include Intune, starting on March 1, 2024, for both enterprise and government customers. The US dollar list price for Cloud PKI as a standalone add-on will be $2 per user per month. Global and Billing administrators can use the centralized experience (Intune add-ons) in the Intune admin center to easily access trial licenses (up to 250 users for 90 days) and licenses to purchase.
Although available as a separate add-on to try or buy, we expect most organizations will realize the greatest value with the adoption of the entire Intune Suite. The list price for the Intune Suite will remain at $10 per user per month. Be sure to connect with your Microsoft account team to explore the option that is best for you and your business needs.