
Microsoft Intune

Link to a Microsoft Intune tenant to issue certificates from DigiCert® Trust Lifecycle Manager and deliver them to the Intune unified endpoint management (UEM) platform for distribution to users and devices.

The connector supports the following use cases:

  • Issue Intune user and device authentication certificates from Trust Lifecycle Manager via its Simple Certificate Enrollment Protocol (SCEP) service. The connector facilitates the authentication process when an Intune user or device requests a new authentication certificate via SCEP.

  • Issue S/MIME certificates from Trust Lifecycle Manager and deliver them to Intune. The connector supports delivery of a single escrowed S/MIME certificate to multiple user devices so the user can decrypt emails on any of them.

Important

Prerequisites and configuration steps depend on how you will use the connector. Conditional steps are noted below. To support both of the above use cases, complete all the steps.

Prepare the Intune environment

Set up Azure application

These steps are always required. You need an Azure application with the required permissions for Trust Lifecycle Manager to access Intune.

To register a new Azure application for Intune access:

  1. In the Azure portal, search for or select Azure Active Directory from any page.

  2. Select App registrations, then select New registration.

  3. Enter a Name for the application and select Register.

  4. Copy and save the Application (client) ID value for the new application.

To create a new client secret for accessing your Azure application:

  1. On the Azure portal page for your registered application, select Certificates & secrets from the left-side navigation panel.

  2. In the Client secrets tab, select the link to add a New client secret.

  3. Enter a Description and select an expiration date for the new client secret, then select Add.

  4. Copy and save the Value for the new client secret.

Important

The client secret value cannot be viewed again once this view is closed. If you lose this value, you must create a new client secret. A new client secret will need to be created prior to expiration and updated in the Intune connector in Trust Lifecycle Manager to avoid service interruption.

To assign the required permissions that Trust Lifecycle Manager needs to access your Intune tenant via Azure:

  1. On the Azure portal page for your registered application, select API permissions from the left-side navigation panel.

  2. Under Configured permissions, select the link to Add a permission.

  3. In the Request API permissions menu, select Microsoft Graph.

  4. Expand the Application permissions, enable the following permissions, and select the Add permissions button to add them.

    To use the connector to request Intune user and device authentication certificates via SCEP, select the following permission:

    • Application.Read.All

    To use the connector to deliver S/MIME certificates to Intune, select the following permissions:

    • Application.Read.All

    • DeviceManagementConfiguration.Read.All

    • DeviceManagementConfiguration.ReadWrite.All

    • Directory.Read.All

    • Directory.ReadWrite.All

    • User.Read.All

    • User.ReadBasic.All

    • User.ReadWrite.All

  5. To use the connector to request Intune user and device authentication certificates via SCEP, follow these steps to add another required permission:

    1. On the API permissions page for the registered application, select the link to Add a permission again.

    2. In the Request API permissions menu, select Intune.

    3. Enable the following permission under Permissions and select the Add permissions button to add it.

      • scep_challenge_provider

  6. Back on the main API permissions page for the registered application, select the option to Grant admin consent for your Intune tenant name (to the right of the Add a permission link).
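The permission list and the client-secret expiry warning above are easy to get wrong silently: a missing application permission only shows up when the connector fails, and an expired secret only shows up as a service interruption. The following script is an added example, not part of the DigiCert documentation, that audits the registered application with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Application.Read.All scope, and that $AppId is replaced with your own Application (client) ID (a placeholder here). The expected permission sets are copied from the steps above; anything granted beyond them is flagged for least-privilege review.

```powershell
# Added example (not part of the DigiCert documentation): audit the Azure app
# registration used by the Trust Lifecycle Manager Intune connector.
# Assumptions: Microsoft.Graph module installed; caller can consent to
# Application.Read.All; $AppId is a placeholder for your own client ID.
param(
    [Parameter(Mandatory)] [string] $AppId,                      # placeholder: your Application (client) ID
    [ValidateSet('SCEP', 'SMIME', 'Both')] [string] $UseCase = 'Both',
    [int] $SecretWarningDays = 30
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# Permission sets taken from the configuration steps above.
$ScepRoles  = @('Application.Read.All', 'scep_challenge_provider')
$SmimeRoles = @('Application.Read.All', 'DeviceManagementConfiguration.Read.All',
                'DeviceManagementConfiguration.ReadWrite.All', 'Directory.Read.All',
                'Directory.ReadWrite.All', 'User.Read.All', 'User.ReadBasic.All',
                'User.ReadWrite.All')
$Expected = switch ($UseCase) {
    'SCEP'  { $ScepRoles }
    'SMIME' { $SmimeRoles }
    'Both'  { ($ScepRoles + $SmimeRoles) | Select-Object -Unique }
}

# Application permissions that received admin consent exist as appRoleAssignments
# on the app's service principal; resolve each role GUID back to its name.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId; was admin consent granted?" }

$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $assignment = $_
    $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
})

$missing = $Expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted  | Where-Object { $_.Permission -notin $Expected }

"Granted application permissions for $AppId ($UseCase):"
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize
if ($missing) { Write-Warning ("Missing (connector will fail): " + ($missing -join ', ')) }
if ($extra)   { Write-Warning ("Granted beyond the documented need, review for least privilege: " +
                (($extra | ForEach-Object { "$($_.Resource)/$($_.Permission)" }) -join ', ')) }

# Client secrets: the connector stops working when the secret it holds expires,
# so surface anything expired or inside the warning window.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $SecretWarningDays) { "EXPIRES IN $daysLeft DAYS" }
             else { 'ok' }
    "Secret '$($cred.DisplayName)' (KeyId $($cred.KeyId)) ends $($cred.EndDateTime.ToString('u')): $state"
}
```

Run it with `-UseCase SCEP` or `-UseCase SMIME` when the connector serves only one of the two use cases; the S/MIME set is the larger one, so an app configured for SCEP only should not carry the Directory.ReadWrite.All or User.ReadWrite.All roles. Scheduling the secret check (for example a few weeks before the expiry date chosen in the client secret step) gives time to rotate the secret in both Azure and the Trust Lifecycle Manager connector.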

Set up Intune certificate connector

These steps are only required if you will use the connector to deliver S/MIME certificates to Intune. You need a Windows server running the Intune certificate connector where you can generate a public/private keypair for secure delivery of PFX certificate files.

To install the Intune certificate connector on a Windows Server 2019 or Server 2022 system:

  1. In the Microsoft Intune admin center, select Tenant administration from the left-side navigation panel.

  2. On the main Tenant admin page, select the option for Connectors and tokens from the left-side submenu.

  3. On the Connectors and tokens page, select the option for Certificate connectors from the left-side submenu.

  4. Select the Add button, then select the link for certificate connector in the right-side panel to download the .exe installer file for the Intune certificate connector to your Windows server.

  5. Run the downloaded .exe file as an administrator on your Windows server and follow the instructions to install and configure the Intune certificate connector.

    • On the connector Features configuration screen, make sure to enable at least the PKCS and PKCS imported certificates options.

    • When prompted, sign in to your Azure account using either Global Administrator or Intune Administrator credentials.

Notice

For more details about how to install and configure the Intune certificate connector, refer to the official Microsoft documentation.

Generate a keypair to use for PFX file encryption on the same Windows Server 2019 or Server 2022 system where you installed the Intune certificate connector:

  1. Use the following link to download the Intune PFX import utilities for PowerShell to the Windows server where you installed the Intune certificate connector.

    IntunePfxImportUtilities.zip

  2. Copy the downloaded Zip file to the primary disk drive on the Windows server (for example, the C: drive) and unpack it there.

  3. Open a PowerShell session as administrator on the Windows server and change into the folder with the unpacked Intune PFX import utilities (for example, C:\IntunePfxImportUtilities).

  4. Run the following command in the above folder to add the Intune PFX import utilities to your current PowerShell session:

    Import-Module .\IntunePfxImport.psd1

  5. Use the following command syntax to generate a new keypair for PFX file encryption. The -MakeExportable parameter is optional; if you omit it, the integration still works, but you cannot export the private key from the keypair.

    Add-IntuneKspKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "<keypair-name>" -MakeExportable 

    Provide a name for the new keypair in the <keypair-name> parameter. For example:

    Add-IntuneKspKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "my_encryption_key" -MakeExportable 

    Make note of the keypair name you use, as you will need to know it when exporting the public key and configuring the connector in Trust Lifecycle Manager.

  6. Use the following command syntax to export the public key from the keypair you created, saving it to the file path you specify:

    Export-IntunePublicKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "<keypair-name>" -FilePath <file-path> -FileFormat pem

    For example:

    Export-IntunePublicKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "my_encryption_key" -FilePath C:\Release\my_encryption_key.pem -FileFormat pem

    Keep the exported public key file handy, as you will need to upload it when configuring the connector in Trust Lifecycle Manager.

  7. (Optional) If you included the -MakeExportable parameter in the keypair generation command, you can use the following command syntax to export the private key from the keypair and save it to the file path you specify:

    Export-IntunePrivateKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "<keypair-name>" -FilePath <file-path>

    For example:

    Export-IntunePrivateKey -ProviderName "Microsoft Software Key Storage Provider" -KeyName "my_encryption_key" -FilePath C:\Release\my_encryption_key.key
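Steps 1 through 7 above are usually typed one at a time. The script below is an added example, not part of the DigiCert documentation or the Intune PFX import utilities, that runs the same procedure end to end and sanity-checks the result before the public key is uploaded. It assumes the unpacked utilities live in C:\IntunePfxImportUtilities (a placeholder) and that the cmdlet names and parameters are exactly those shown in the steps above. The private key is left non-exportable unless -MakeExportable is passed explicitly, since a decryption key that can be pulled out of the key storage provider is a larger loss if the server is compromised.

```powershell
# Added example (not part of the DigiCert documentation): generate the PFX
# encryption keypair, export the public key, and verify/fingerprint the PEM file.
# Assumptions: utilities unpacked at $UtilitiesPath (placeholder); cmdlet
# names and parameters as documented in the steps above.
param(
    [string] $UtilitiesPath = 'C:\IntunePfxImportUtilities',   # placeholder path
    [string] $KeyName       = 'my_encryption_key',             # must match the connector's Keypair name
    [string] $PublicKeyPath = 'C:\Release\my_encryption_key.pem',
    [switch] $MakeExportable   # off by default: the private key then never leaves the KSP
)
$ErrorActionPreference = 'Stop'
$Provider = 'Microsoft Software Key Storage Provider'

Import-Module (Join-Path $UtilitiesPath 'IntunePfxImport.psd1')

# 1. Create the keypair. Add -MakeExportable only when there is a stated need to
#    back up the private key outside the key storage provider.
$keyArgs = @{ ProviderName = $Provider; KeyName = $KeyName }
if ($MakeExportable) { $keyArgs.MakeExportable = $true }
Add-IntuneKspKey @keyArgs

# 2. Export the public half as PEM for upload to Trust Lifecycle Manager.
New-Item -ItemType Directory -Force -Path (Split-Path $PublicKeyPath) | Out-Null
Export-IntunePublicKey -ProviderName $Provider -KeyName $KeyName -FilePath $PublicKeyPath -FileFormat pem

# 3. Verify the file is PEM-armored and record its SHA-256 so the copy uploaded
#    to the connector can be compared with what was generated on this server.
$pem = Get-Content -Path $PublicKeyPath -Raw
if ($pem -notmatch '-----BEGIN [A-Z ]*PUBLIC KEY-----' -or
    $pem -notmatch '-----END [A-Z ]*PUBLIC KEY-----') {
    throw "$PublicKeyPath does not look like a PEM-encoded public key"
}
$hash = (Get-FileHash -Path $PublicKeyPath -Algorithm SHA256).Hash

[pscustomobject]@{
    KeyName              = $KeyName        # enter exactly this value as Keypair name in the connector
    PublicKeyFile        = $PublicKeyPath
    Sha256               = $hash
    PrivateKeyExportable = $MakeExportable.IsPresent
}
```

Keep the returned KeyName and Sha256 with the change record for the connector: the name must match character for character when configuring the Public keys for PFX file encryption section, and the hash lets you confirm later that the file in Trust Lifecycle Manager is the one exported here.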

Required integration parameters

After completing the above steps, make sure you have the following information available to use when configuring the Intune connector in Trust Lifecycle Manager:

  • Tenant name for the Intune instance.

  • Application (client) ID for the registered Azure application used to access the above Intune tenant.

  • Client secret value for remotely accessing the above Azure application.

If you will use the connector to deliver S/MIME certificates to Intune, you also need the:

  • Keypair name for the encryption key generated on the Windows server running the Intune certificate connector.

  • Public key file exported from the above keypair on the Windows server.

Add the Microsoft Intune connector

After preparing your Intune environment, follow these steps to add the Intune connector in Trust Lifecycle Manager:

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Unified endpoint management section, select the tile for Microsoft Intune.

    Complete the form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

  5. In the Link account section, enter the Intune tenant access details:

    • Platform URL: Base URL for accessing the Intune tenant.

    • Client ID: Application (client) ID value for the Azure application used to access the Intune tenant.

    • Client secret: Client secret value for remotely accessing the above Azure application.

    • Tenant name: Name of the Intune tenant to link to.

  6. Configure the following sections if you will use the connector to deliver S/MIME certificates via Intune. You can safely ignore these sections if you will only use the connector to issue Intune authentication certificates via SCEP.

    1. In the User Principal Name (UPN) values section, select an option for how to determine the UPN values that Intune will use to distribute S/MIME certificates to the correct end users:

      • Certificate SAN RFC822 Name: Get the UPN value from the RFC822 Name (email) field in the SAN extension of each certificate.

      • Microsoft Intune API query: Get the UPN by querying the Intune API with the value of the RFC822 Name (email) field in the certificate.

    2. In the Public keys for PFX file encryption section, add public keys to use for encrypting PFX (PKCS#12) certificates for secure delivery to Intune.

      The public keys you add here must originate from a Windows server running the Intune certificate connector, as described in the Prepare the Intune environment section above.

      Select the Add public key link to open a sidebar where you can upload a new public encryption key that Trust Lifecycle Manager can use to deliver certificates to Intune. Fill out the sidebar as follows:

      • Keypair name: Enter the name of the keypair that the public key originated from on the Windows server. The name you enter must exactly match the keypair name on the Windows server so Intune can identify the corresponding private key for decrypting the certificates it receives.

      • Public key file: Upload the PEM-encoded public key file you exported from the above keypair on the Windows server.

      • Encrypt all certificates with this key: Select this option to make this the primary encryption key for the connector.

        Warning

        Only one public key at a time can be used to encrypt certificates for secure delivery to Intune. If you change the selected encryption key, Trust Lifecycle Manager will re-encrypt any existing certificates associated with the connector and redeliver them to Intune.

  7. Select Add to create the Intune connector with the configured settings.

Configure certificate profiles to use the Intune connector

To start using the Intune connector, add it to your certificate profile configurations in Trust Lifecycle Manager. Applicable base templates and configuration methods depend on the use case for the connector.

For the use case of issuing Intune user and device authentication certificates via SCEP, create your certificate profiles in Trust Lifecycle Manager from one of the following base templates:

  Template name                                            | Seat type
  ---------------------------------------------------------|----------
  Device Authentication for Microsoft Intune (SCEP)        | Device
  User Client Authentication for Microsoft Intune (SCEP)   | User

In the profile configuration wizard, use the dropdown menu in the Primary options > Authentication method section to select the Intune connector for authenticating SCEP-based enrollment requests and delivering issued certificates to the Intune tenant.

For the use case of delivering S/MIME certificates to Intune, create your certificate profiles in Trust Lifecycle Manager from one of the following base templates:

  Template name                                            | Seat type
  ---------------------------------------------------------|----------
  Private S/MIME Secure Email                              | User
  Public S/MIME Secure Email (via CertCentral)             | User

In the profile configuration wizard, make the following selections:

  • In the Primary options > Enrollment method section, select one of the supported enrollment methods: Browser PKCS12, DigiCert Trust Assistant, or REST API.

  • In the Certificate options > Flow options section, make the following selections to escrow and deliver S/MIME certificates to Intune for distribution to user devices:

    1. Under Key escrow options, select the DigiCert cloud key escrow option.

    2. Select the checkbox to Deliver certificates to Microsoft Intune.

    3. Use the dropdown menu to select the Microsoft Intune connector for the Intune tenant to deliver the S/MIME certificates to.

What's next

  • Additional configuration is required to start using SCEP to request Intune authentication certificates from a Trust Lifecycle Manager certificate profile. For details, see the Intune SCEP integration guide.

  • For S/MIME certificates issued from a profile configured to escrow and deliver certificates to Intune, Trust Lifecycle Manager runs an asynchronous job every 2 hours to deliver any new S/MIME certificates to the connected Intune tenant.