
About the Microsoft Intune connector

The Microsoft Intune connector works with Zero Touch PKI to automatically request, install, and renew device and user certificates on Intune-supported platforms.

Using a Microsoft Entra ID application, the connector authenticates to Zero Touch PKI, exchanges certificate enrollment data via Simple Certificate Enrollment Protocol (SCEP), and delivers certificates based on Microsoft Intune SCEP certificate profiles.

How the connector works

This sequence describes the certificate delivery flow:

  1. A device checks in to Microsoft Intune.
  2. Intune creates a SCEP challenge including integrity check information such as the expected subject alternative name (SAN).
  3. Intune encrypts and signs the challenge and integrity check and sends these to the device.
  4. The device generates a public/private key pair and certificate signing request (CSR) based on the appropriate certificate profile.
  5. Intune sends the device's CSR and encrypted/signed challenge to the Zero Touch PKI SCEP endpoint.
  6. Zero Touch PKI returns the CSR and challenge to Intune.
  7. Intune validates the signature, decrypts the payload, and compares the CSR to the integrity check.
  8. Intune sends a response to Zero Touch PKI that states whether challenge validation succeeded.
  9. On successful validation, Zero Touch PKI combines the information in the CSR with its own issuance policy. It then produces a certificate and delivers it to the device.
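
As an added illustration, not code from Zero Touch PKI, Intune or this page, the following Python model shows the integrity check behind steps 2, 3, 7 and 8: the challenge carries the expected SAN and an expiry, is signed with an HMAC key standing in for Intune's signing key (encryption of the challenge is left out for brevity), and validation fails if the signature, the expiry or the CSR's SAN does not match. The key, hostnames and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key standing in for Intune's challenge signing key (example only)
SIGNING_KEY = b"example-intune-challenge-signing-key"


def issue_challenge(expected_san, validity_seconds=3600, now=None):
    """Steps 2-3, simplified: embed the integrity check (expected SAN and an
    expiry) in the challenge and sign it with HMAC-SHA256. A real challenge is
    also encrypted; that layer is omitted here."""
    now = time.time() if now is None else now
    payload = {"expected_san": expected_san, "expires": now + validity_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_challenge(challenge, csr_san, now=None):
    """Step 7: verify the signature, reject stale challenges, then compare the
    SAN the device put in its CSR against the SAN the challenge was issued for.
    Returns (ok, reason), the verdict relayed to the CA in step 8."""
    now = time.time() if now is None else now
    try:
        body, tag = challenge.split(".", 1)
    except ValueError:
        return False, "malformed challenge"
    expected_tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing information
    if not hmac.compare_digest(tag, expected_tag):
        return False, "signature invalid"
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["expires"]:
        return False, "challenge expired"
    # The CSR must ask for exactly the identity the challenge was issued for;
    # a CSR naming a different SAN is rejected before any certificate is issued.
    if csr_san != payload["expected_san"]:
        return False, "CSR SAN does not match integrity check"
    return True, "ok"
```

The same structure applies when the integrity check covers more CSR fields (subject, key usage): each expected value is carried in the signed challenge and compared against the CSR before Intune reports success.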

For details about this flow, see Add partner certification authority in Intune using SCEP in the Microsoft Intune documentation.

Next steps

To learn how to integrate the Intune connector with Zero Touch PKI, see Integrating Microsoft Intune.