Integrating with Microsoft Intune

Integrate Zero Touch PKI with Microsoft Intune to deliver certificates to Intune-managed devices via Simple Certificate Enrollment Protocol (SCEP).

During integration, you create a Zero Touch PKI application in Microsoft Entra ID (formerly Azure Active Directory) and then add SCEP profiles in Intune, which deliver certificates sent by the SCEP endpoint on your Zero Touch PKI instance.

Prerequisites

  • In Microsoft Entra, permissions to register applications.
  • A Microsoft Intune deployment. See Set up Microsoft Intune.
  • Knowledge of which Intune-supported platforms need certificates.
  • In Microsoft Intune, permissions to upload a root CA certificate and add SCEP profiles.
  • Access to a secure file-sharing service such as 1ty.me.

Step 1: Register an application in Microsoft Entra ID

In Microsoft Entra ID, complete the steps in the official Microsoft documentation to register an application. Registration enables Zero Touch PKI's SCEP server to communicate securely with Intune and to validate SCEP challenges.

When registering an application, do the following:

  1. Create a Microsoft Entra ID application: In your tenant, create and register an application with a descriptive user-facing name. Leave the Redirect URI as Web and do not enter a sign-on URL for the third-party SCEP server.

    About the sign-on URL

    This integration uses app-to-app authentication between Microsoft Intune and Zero Touch PKI, so no sign-on URL is required. You'll enter a SCEP server URL in the next step.

  2. Save the client ID: On the application's Overview page, copy and save the unique Application (client) ID.

  3. Add a client secret: Add and save a client secret, and note its expiration date (Microsoft requires client secrets to expire).

    Updating secrets

    After Intune is implemented, to avoid service interruptions, replace expiring secrets by securely sending replacements to CyberArk Support at least seven days before expiration.

  4. Save the Tenant ID: Save the Tenant ID, which is the part of your account name that follows the @ symbol (for example, for admin@name.yourorganization.com, use name.yourorganization.com).

  5. Set API permissions: In Microsoft Graph, set the following permissions for app registration, as described in the Microsoft Graph documentation:

    • scep_challenge_provider: Intune permission allowing a third-party SCEP server to validate certificate challenges.

    • Application.Read.All: Microsoft Graph permission to read all application registrations and service principals.

    Azure AD Graph deprecation

    Permissions were formerly configured in Azure AD Graph, the legacy API for Azure Active Directory. You must now set these permissions in Microsoft Graph.

  6. Send credentials to CyberArk: Send the following to ztpki-onboarding@cyberark.com through a secure file-sharing service:

    • Application (client) ID: Unique client ID of your Entra ID application.
    • Client secret: Client secret for your application, sent securely.
    • Tenant ID: Unique ID of your Microsoft Entra tenant.
    • Email address or distribution list: Administrator or distribution list email used as the owner of the API service account for your integration.

    CyberArk configures your SCEP server. We create certificate policies tied to an Intune-specific organization and provision a Service Requestor account, Intune Requestor. We then send you the following:

    • Root CA certificate: Public certificate for your Zero Touch PKI root CA.
    • SCEP server URL: SCEP endpoint to which Intune sends CSRs and challenge data.
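As an added example, not part of the CyberArk documentation, the following Python check takes an application object as returned by the Microsoft Graph /applications endpoint and flags the two things Step 1 depends on: the scep_challenge_provider and Application.Read.All application permissions being present as application roles (not delegated scopes), and a client secret inside the seven-day replacement window. The GUIDs and the sample object are constructed placeholders; in practice the role catalog is built from each resource service principal's appRoles.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_PERMISSIONS = {"scep_challenge_provider", "Application.Read.All"}  # from Step 1, item 5
SECRET_LEAD_TIME = timedelta(days=7)  # replacement lead time from the "Updating secrets" note

def granted_app_permissions(app, role_catalog):
    """Map requiredResourceAccess GUIDs to names via role_catalog, a {resourceAppId:
    {appRoleId: value}} dict built from each resource service principal's appRoles.
    Only 'Role' (application) entries count; 'Scope' entries are delegated permissions."""
    names = set()
    for resource in app.get("requiredResourceAccess", []):
        roles = role_catalog.get(resource.get("resourceAppId"), {})
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role" and access.get("id") in roles:
                names.add(roles[access["id"]])
    return names

def check_app_registration(app, role_catalog, now):
    """Return a list of findings; an empty list means the registration looks right."""
    findings = []
    for name in sorted(REQUIRED_PERMISSIONS - granted_app_permissions(app, role_catalog)):
        findings.append(f"missing application permission: {name}")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret configured")
    for secret in secrets:
        # Graph returns endDateTime as ISO 8601 UTC with a trailing 'Z'.
        expires = datetime.fromisoformat(secret["endDateTime"].replace("Z", "+00:00"))
        label = secret.get("displayName") or secret.get("keyId", "unnamed")
        if expires <= now:
            findings.append(f"client secret '{label}' expired on {expires.date()}")
        elif expires - now < SECRET_LEAD_TIME:
            findings.append(f"client secret '{label}' expires {expires.date()}, less than 7 days away")
    return findings

# Constructed sample (placeholder GUIDs) shaped like a Graph /applications object; Application.Read.All
# is deliberately added as a delegated 'Scope' rather than an application 'Role', a common mistake.
INTUNE_API, GRAPH_API = "11111111-0000-0000-0000-000000000001", "22222222-0000-0000-0000-000000000002"
SCEP_ROLE, APPREAD_ROLE = "aaaa0000-0000-0000-0000-000000000001", "bbbb0000-0000-0000-0000-000000000002"
SAMPLE_CATALOG = {INTUNE_API: {SCEP_ROLE: "scep_challenge_provider"}, GRAPH_API: {APPREAD_ROLE: "Application.Read.All"}}
SAMPLE_APP = {
    "passwordCredentials": [{"displayName": "ztpki-scep", "endDateTime": "2024-06-05T00:00:00Z"}],
    "requiredResourceAccess": [
        {"resourceAppId": INTUNE_API, "resourceAccess": [{"id": SCEP_ROLE, "type": "Role"}]},
        {"resourceAppId": GRAPH_API, "resourceAccess": [{"id": APPREAD_ROLE, "type": "Scope"}]},
    ],
}

def sample_findings(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    # Default 'now' is four days before the sample secret expires.
    return check_app_registration(SAMPLE_APP, SAMPLE_CATALOG, now)
```

Run it against a real export with `check_app_registration(app, catalog, datetime.now(timezone.utc))` before and after each secret rotation.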

Step 2: Create SCEP profiles in Microsoft Intune

In the Microsoft Intune admin center, create SCEP profiles that deliver certificates to users and devices.

Complete the following steps:

  1. Upload the private root CA certificate: In Microsoft Intune, once for each operating system, upload the Zero Touch PKI root CA certificate. See Trusted root certificate profiles for Microsoft Intune.

  2. Create SCEP profiles: In Microsoft Intune, add SCEP profiles for users and/or devices. Supply the Zero Touch PKI SCEP server URL. See Create a SCEP certificate profile.

    About SCEP server URLs

    An example SCEP server URL is https://ztpki.eu.venafi.com/aec7e9f0-3d01-4d81-974d-be31ea1cbc95/pkiclient.exe.

    This URL matches your instance's base domain and varies by region (in this case, eu for Europe). It also contains a unique identifier that routes the request to the correct policy.

    SCEP URLs for Windows profiles

    For Windows profiles, omit /pkiclient.exe from the SCEP server URL.

Your Microsoft Intune integration is now complete and ready to be tested.