
Set up the Intune connector

To enable SCEP integration with Microsoft Intune, you must set up an Intune connector in DigiCert® Trust Lifecycle Manager. The connector facilitates the authentication process when an Intune-managed system or user requests a certificate from DigiCert via SCEP.

Before you begin

Set up Azure application

These steps are always required. You need an Azure application with the required permissions for Trust Lifecycle Manager to access Intune.

To register a new Azure application for Intune access:

  1. In the Azure portal, search for or select Azure Active Directory from any page.

  2. Select App registrations, then select New registration.

  3. Enter a Name for the application and select Register.

  4. Copy and save the Application (client) ID value for the new application.

To create a new client secret for accessing your Azure application:

  1. On the Azure portal page for your registered application, select Certificates & secrets from the left-side navigation panel.

  2. In the Client secrets tab, select the link to add a New client secret.

  3. Enter a Description and select an expiration date for the new client secret, then select Add.

  4. Copy and save the Value for the new client secret.

Important

The client secret value cannot be viewed again once this view is closed. If you lose this value, you must create a new client secret. A new client secret will need to be created prior to expiration and updated in the Intune connector in Trust Lifecycle Manager to avoid service interruption.

To assign the required permissions that Trust Lifecycle Manager needs to access your Intune tenant via Azure:

  1. On the Azure portal page for your registered application, select API permissions from the left-side navigation panel.

  2. Under Configured permissions, select the link to Add a permission.

  3. In the Request API permissions menu, select Microsoft Graph.

  4. Expand the Application permissions, enable the following permissions, and select the Add permissions button to add them.

    To use the connector to request Intune user and device authentication certificates via SCEP, select the following permission:

    • Application.Read.All

  5. To use the connector to request Intune user and device authentication certificates via SCEP, follow these steps to add another required permission:

    1. On the API permissions page for the registered application, select the link to Add a permission again.

    2. In the Request API permissions menu, select Intune.

    3. Enable the following permission under Permissions and select the Add permissions button to add it.

      • scep_challenge_provider

  6. Back on the main API permissions page for the registered application, select the option to Grant admin consent for your Intune tenant name (to the right of the Add a permission link).

Required integration parameters

After completing the above steps, make sure you have the following information available to use when configuring the Intune connector in Trust Lifecycle Manager:

  • Tenant name for the Intune instance.

  • Application (client) ID for the registered Azure application used to access the above Intune tenant.

  • Client secret value for remotely accessing the above Azure application.
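The following Python script is an added example for checking the app registration prepared above before it is entered into the connector; it is not DigiCert or Microsoft code. It assumes the standard Azure AD v2.0 client-credentials token endpoint and the fact that admin-consented application permissions appear in the "roles" claim of an app-only access token. The sample tokens it builds are constructed and unsigned, so it runs offline; the tenant name, client ID and secret values are placeholders.

```python
"""Offline sanity checks for the Azure app registration behind the Intune connector.

Added example (not DigiCert or Microsoft code). Assumes the Azure AD v2.0
client-credentials endpoint and the JWT "roles" claim for application
permissions. Sample tokens are constructed and unsigned.
"""
import base64
import json
from datetime import datetime, timedelta

# Application permissions the procedure above grants, keyed by resource
# (the resource labels are just names used by this script).
REQUIRED_ROLES = {
    "Microsoft Graph": {"Application.Read.All"},
    "Intune": {"scep_challenge_provider"},
}

# Real Azure AD v2.0 token endpoint; {tenant} is the Intune tenant name.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(tenant, client_id, client_secret, scope):
    """Return (url, form body) for the client-credentials grant the connector
    performs with the three integration parameters listed above."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # e.g. https://graph.microsoft.com/.default
    }
    return url, body


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Parse a compact JWT payload for inspection only. The signature is NOT
    verified here; only the resource server (Graph/Intune) must rely on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token, required):
    """Application permissions granted with admin consent show up in the
    'roles' claim of an app-only token; return the required ones still absent
    (a non-empty result usually means consent was not granted in step 6)."""
    granted = set(jwt_claims(token).get("roles", []))
    return set(required) - granted


def secret_needs_rotation(expires_on_iso, now_iso, lead_days=30):
    """True when the client secret expires within lead_days, so a new secret
    can be created and updated in the connector before service interruption.
    Dates are ISO-8601 strings as shown in the Azure portal (constructed)."""
    expires_on = datetime.fromisoformat(expires_on_iso)
    now = datetime.fromisoformat(now_iso)
    return expires_on - now <= timedelta(days=lead_days)


def make_sample_token(claims):
    """Constructed, unsigned sample token ('alg': 'none') for the offline demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    url, body = token_request("contoso.onmicrosoft.com", "<client-id>",
                              "<client-secret>", "https://graph.microsoft.com/.default")
    print(url, body["grant_type"])
    ok = make_sample_token({"aud": "https://graph.microsoft.com",
                            "roles": ["Application.Read.All"]})
    unconsented = make_sample_token({"aud": "https://graph.microsoft.com", "roles": []})
    print(missing_roles(ok, REQUIRED_ROLES["Microsoft Graph"]))           # set()
    print(missing_roles(unconsented, REQUIRED_ROLES["Microsoft Graph"]))  # {'Application.Read.All'}
    print(secret_needs_rotation("2025-01-20", "2025-01-05"))              # True
```

Run it against a real token by replacing the constructed sample with the access token returned from the endpoint; an empty set from missing_roles for both resources confirms the permissions and admin consent took effect, and secret_needs_rotation gives you a simple pre-expiry check to schedule the secret renewal the note above requires.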

Add the connector

After preparing your Intune environment, follow these steps to add the Intune connector in Trust Lifecycle Manager:

Important

For the Intune SCEP integration, you do not need to make any selections in the User Principal Name (UPN) or Public keys for PFX file encryption sections of the connector configuration. Leave these settings set to their default values.

What's next

With the Microsoft Intune connector in place, you are ready to configure the required certificate profiles for the integration.