Configure Microsoft Intune for Connector for SCEP
You can use Amazon Private CA as an external certificate authority (CA) with the Microsoft Intune mobile device management (MDM) system. This guide provides instructions on how to configure Microsoft Intune after you create a Connector for SCEP for Microsoft Intune.
Prerequisites
Before you create a Connector for SCEP for Microsoft Intune, you must complete the following prerequisites.
Create an Entra ID.
Create a Microsoft Intune tenant.
Create an App Registration in your Microsoft Entra ID. See Update an app's requested permissions in Microsoft Entra ID in the Microsoft Entra documentation for information about how to manage application-level permissions for your App Registration. The App Registration must have the following permissions: under Intune, scep_challenge_provider; under Microsoft Graph, Application.Read.All and User.Read.
Grant admin consent to the application in your App Registration. For information, see Grant tenant-wide admin consent to an application in the Microsoft Entra documentation.
Tip: When you create the App Registration, take note of the Application (client) ID and the Directory (tenant) ID or primary domain. You enter these values when you create your Connector for SCEP for Microsoft Intune. For information about how to get these values, see Create a Microsoft Entra application and service principal that can access resources in the Microsoft Entra documentation.
Step 1: Grant Amazon Private CA permission to use your Microsoft Entra ID application
After you create a Connector for SCEP for Microsoft Intune, you must create a federated credential under the Microsoft App Registration so that Connector for SCEP can communicate with Microsoft Intune.
To configure Amazon Private CA as an external CA in Microsoft Intune
In the Microsoft Entra ID console, navigate to App registrations.
Choose the application that you created to use with Connector for SCEP. The Application (client) ID of the application you choose must match the ID you specified when you created the connector.
Select Certificates & secrets from the Manage menu.
Select the Federated credentials tab.
Select Add a credential.
From the Federated credential scenario drop-down menu, choose Other issuer.
Copy and paste the OpenID issuer value from your Connector for SCEP for Microsoft Intune details into the Issuer field. To view a connector's details, choose the connector from the Connectors for SCEP list in the Amazon console. Alternatively, call GetConnector and copy the Issuer value from the response.
Copy and paste the OpenID Audience value from your Connector for SCEP for Microsoft Intune details into the Audience field. To view a connector's details, choose the connector from the Connectors for SCEP list in the Amazon console. Alternatively, call GetConnector and copy the Subject value from the response.
(Optional) Enter a name for the credential in the Name field. For example, you can name it Amazon Private CA.
(Optional) Enter a description in the Description field.
Select Edit (optional) under the Audience field. Copy and paste the OpenID subject value from your connector into the Subject field. You can view the OpenID issuer value on the connector details page in the Amazon console. Alternatively, call GetConnector and copy the Audience value from the response.
Select Add.
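As an added example that is not part of this page or of Amazon's tooling: the following Python builds the federated credential body (the Microsoft Graph federatedIdentityCredentials resource that the Entra form submits) from a GetConnector response, so that Issuer, Subject and Audience are taken from the connector rather than retyped, and checks an existing credential against the connector's current values. The response JSON is a constructed sample shaped like the API's output, and its values are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample shaped like a GetConnector response for an Intune connector.
# Assumption: field names follow the Connector for SCEP API; values are placeholders.
SAMPLE_GET_CONNECTOR = json.dumps({
    "Connector": {
        "Type": "INTUNE",
        "Endpoint": "https://EXAMPLE.scep-connector.example/scep",
        "OpenIdConfiguration": {
            "Issuer": "https://issuer.scep-connector.example/EXAMPLE",
            "Subject": "EXAMPLE-subject",
            "Audience": "EXAMPLE-audience",
        },
    }
})

# Entra credential name rules: 3-120 chars, alphanumeric plus '-' or '_', first char alphanumeric.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{2,119}$")

def federated_credential_body(get_connector_json, name="AmazonPrivateCA", description=""):
    """Return the body for POST /applications/{id}/federatedIdentityCredentials (Microsoft Graph).

    Issuer, Subject and Audience come only from the connector response, so the three
    Entra form fields cannot be mixed up; malformed input raises ValueError.
    """
    conn = json.loads(get_connector_json)["Connector"]
    oidc = conn.get("OpenIdConfiguration")
    if conn.get("Type") != "INTUNE" or not oidc:
        raise ValueError("not an Intune connector: no OpenIdConfiguration present")
    issuer, subject, audience = (oidc.get(k) for k in ("Issuer", "Subject", "Audience"))
    if not all((issuer, subject, audience)):
        raise ValueError("Issuer, Subject and Audience must all be present")
    if urlparse(issuer).scheme != "https":
        raise ValueError("Issuer must be an https URL")
    if not NAME_RE.match(name):
        raise ValueError("name must be 3-120 chars: letters, digits, '-' or '_'")
    return {"name": name, "issuer": issuer, "subject": subject,
            "audiences": [audience],  # Graph takes a list; the connector supplies one value
            "description": description}

def matches_connector(body, get_connector_json):
    """Check a credential read back from Graph against the connector's current values."""
    oidc = json.loads(get_connector_json)["Connector"]["OpenIdConfiguration"]
    return (body["issuer"] == oidc["Issuer"] and body["subject"] == oidc["Subject"]
            and body["audiences"] == [oidc["Audience"]])
```

Feed it the output of the GetConnector call; a credential whose Subject and Audience were pasted into the wrong fields fails matches_connector.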
Step 2: Set up a Microsoft Intune configuration profile
After you give Amazon Private CA permission to call Microsoft Intune, use Microsoft Intune to create a configuration profile that instructs devices to reach out to Connector for SCEP for certificate issuance.
Create a trusted certificate configuration profile. You must upload the root CA certificate of the chain that you're using with Connector for SCEP into Microsoft Intune to establish trust. For information on how to create a trusted certificate configuration profile, see Trusted root certificate profiles for Microsoft Intune in the Microsoft Intune documentation.
Create a SCEP certificate configuration profile that points your devices to the connector when they require a new certificate. The configuration profile's Profile type should be SCEP Certificate. For the configuration profile's root certificate, make sure that you use the trusted certificate that you created in the previous step.
For SCEP Server URLs, copy and paste the Public SCEP URL from your connector's details into the SCEP Server URLs field. To view a connector's details, choose the connector from the Connectors for SCEP list. Alternatively, you can get the URL by calling ListConnectors and then copy the Endpoint value from the response. For guidance on creating configuration profiles in Microsoft Intune, see Create and assign SCEP certificate profiles in Microsoft Intune in the Microsoft Intune documentation.
Note: For devices other than macOS and iOS, if you don't set a validity period in the configuration profile, Connector for SCEP issues a certificate with a validity of one year. If you don't set an Extended Key Usage (EKU) value in the configuration profile, Connector for SCEP issues a certificate with the EKU set to Client Authentication (Object Identifier: 1.3.6.1.5.5.7.3.2). For macOS or iOS devices, Microsoft Intune doesn't respect the ExtendedKeyUsage or Validity parameters in your configuration profile; for these devices, Connector for SCEP issues a certificate with a one-year validity period and the Client Authentication EKU.
Step 3: Verify the connection to Connector for SCEP
After you've created a Microsoft Intune configuration profile that points to the Connector for SCEP endpoint, confirm that an enrolled device can request a certificate. To do so, make sure that there aren't any policy assignment failures: in the Intune portal, navigate to Devices > Manage Devices > Configuration and verify that nothing is listed under Configuration Policy Assignment Failures. If there is, check your setup against the preceding procedures. If your setup is correct and there still are failures, then consult Collect available data from mobile device
For information about device enrollment, see What is device enrollment?