Does Azure Have a Cloud PKI?
Does Azure Have a Cloud Certificate Authority for Private Certificates?
Azure has a cloud certificate authority option through Microsoft Cloud PKI for Intune, which Microsoft launched in February 2024. It is a cloud-based Certificate Authority that can be used to issue SCEP certificates to Intune-managed devices. While companies like Google and AWS have both delivered functional PKIs for their users, focusing on the PKI needs of the cloud such as server certificates, IoT device integration, machine-to-machine authentication, and ACME, Microsoft’s Cloud PKI is focused only on Intune and is managed by the Intune team, meaning that there are no plans for expansion and other integrations. If your security needs require a PKI that covers more than Intune devices, you will have to rely on third-party PKI tools to ensure data security in the cloud.
What are the Problems with Microsoft’s Cloud PKI?
You’re probably wondering, “What the heck is the problem with announcing a new solution?” Generally speaking, new product announcements are met with great enthusiasm. But when your clients are expecting one thing, and you SERIOUSLY underdeliver, you’re going to hear about it. Here’s a quick peek at what it doesn’t support…
SCEP for Non-Intune MDMs: It’s been more than a year since u/SecurityRabbit had this to say in r/AZURE:
“Would be nice if they would offer a SCEP service that actually works instead of having to try to use some add-on like SCEPman which is financially unworkable.”
…I hate to be the bearer of bad news, but it is not included.
OCSP: Unlike more traditional methods like CRLs, OCSP was designed specifically for retrieving the revocation status of individual certificates, making it much more efficient, and consequently more popular, than its traditional counterpart. Unfortunately, it is not included in Microsoft’s new Cloud PKI, making it incompatible with most RADIUS and network authentication appliances.
Smart Card Certificates: Smart cards have been one of the most widely used authentication methods associated with passwordless and phishing-resistant credentials for quite some time now. Microsoft themselves added Azure CBA support last year. However, this new PKI can only issue certificates for single-factor authentication and does not accommodate the more secure smart card or YubiKey form.
ACME: Long story short, having ACME support in a private CA is an absolute must in this day and age.
Key Vault Certificate Rotation: Azure Key Vault allows you to securely manage your certificates and services, and even pushes them to your Azure VMs. AKV has supported automated certificate rotation for DigiCert for over 5 years, and adding similar functionality for private certificates would make this new cloud offering a great option. But that functionality is not there.
IoT Hub Integration: Outside of Intune, the biggest use case for certificates is in Azure IoT Hub.
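To make the Key Vault rotation point concrete, here is an added example (not code from the original post or from Keytos) that builds two Key Vault certificate policies in the JSON shape accepted by `az keyvault certificate create --policy`: one for an integrated public issuer (DigiCert, as named above) and one for a private CA, which Key Vault only knows as issuer "Unknown". It assumes the Key Vault behaviour that AutoRenew works only for integrated issuers (DigiCert, GlobalSign, Self) and that a non-integrated issuer is limited to the EmailContacts action; the subjects and day counts are constructed placeholders.

```python
"""Added example, not from the original post: Azure Key Vault certificate
policies and the renewal mode each one actually gets.

Assumed Key Vault behaviour: the AutoRenew lifetime action is honoured only
for integrated issuers (DigiCert, GlobalSign) and for "Self" (self-signed).
A certificate from a private, non-integrated CA uses issuer "Unknown"; Key
Vault can generate the CSR and store the merged certificate, but the only
lifetime action it carries out is EmailContacts, so renewal is a manual
CSR/merge cycle. Subjects, validity and day counts below are constructed.
"""
from __future__ import annotations

import json

# Issuers Key Vault can drive end to end. DigiCert is named on the page;
# GlobalSign and "Self" are the other Key Vault-integrated options.
INTEGRATED_ISSUERS = {"DigiCert", "GlobalSign", "Self"}


def build_policy(subject: str, issuer: str, days_before_expiry: int = 30,
                 validity_months: int = 12) -> dict:
    """Return a Key Vault certificate policy for the given issuer.

    For integrated issuers the lifetime action is AutoRenew. For a
    non-integrated ("Unknown") issuer Key Vault rejects AutoRenew, so the
    policy falls back to EmailContacts, the only action allowed there.
    """
    action = "AutoRenew" if issuer in INTEGRATED_ISSUERS else "EmailContacts"
    return {
        "issuerParameters": {"name": issuer},
        "keyProperties": {
            "exportable": False,
            "keyType": "RSA",
            "keySize": 2048,
            "reuseKey": False,
        },
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "subject": subject,
            "validityInMonths": validity_months,
            "keyUsage": ["digitalSignature", "keyEncipherment"],
        },
        "lifetimeActions": [
            {
                "trigger": {"daysBeforeExpiry": days_before_expiry},
                "action": {"actionType": action},
            }
        ],
    }


def renewal_mode(policy: dict) -> str:
    """Classify how a certificate under this policy gets renewed.

    "automatic": Key Vault re-issues the certificate itself before expiry.
    "manual":    Key Vault only e-mails the contacts; an operator must
                 create a new CSR, get it signed by the private CA and merge
                 it back into the vault before the old certificate expires.
    """
    issuer = policy["issuerParameters"]["name"]
    actions = {a["action"]["actionType"] for a in policy.get("lifetimeActions", [])}
    if issuer in INTEGRATED_ISSUERS and "AutoRenew" in actions:
        return "automatic"
    return "manual"


def audit_policies(policies: dict[str, dict]) -> list[str]:
    """Return the names of certificates that will need hands-on renewal."""
    return sorted(name for name, pol in policies.items() if renewal_mode(pol) == "manual")


if __name__ == "__main__":
    # Constructed sample: one public TLS cert, one private RADIUS server cert.
    public_cert = build_policy("CN=www.example.com", "DigiCert")
    private_cert = build_policy("CN=radius01.corp.example", "Unknown")
    print(json.dumps(private_cert, indent=2))
    print("needs manual renewal:", audit_policies({"public": public_cert, "private": private_cert}))
```

Writing either policy to a file and passing it with `az keyvault certificate create -n NAME --vault-name VAULT -p @policy.json` creates the certificate; the audit function is the check a practitioner would run over an inventory of policies to see which private certificates will silently stop renewing when the operator who used to handle the CSR/merge cycle is away.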
As you can see, the only thing that Microsoft’s Cloud PKI does is issue certificates through Intune SCEP. It’s a good start, but it’s not enough for the needs of modern enterprises, many of which already run up to 9 different CAs from different providers. Now, you’re probably wondering, “What’s the best alternative to Azure PKI?”
What’s the Best Alternative to Azure PKI?
Considering the obvious shortcomings, engineers have continued to search for the best alternatives to Microsoft’s Cloud PKI. Without question, EZCA by Keytos is the clear frontrunner. Not only is it the most intuitive and robust solution, it is simultaneously the least expensive. EZCA is the first and only Azure-native CA, and was built by ex-Microsoft PKI engineers, specifically for other PKI engineers. For this reason, it has become the go-to solution for organizations across the globe. There’s even an EU-specific EZCA that helps our friends across the pond adhere to their unique compliance and regulatory guidelines.
EZCA has also become the de facto Cloud PKI for the IoT community due to our outstanding documentation that covers everything from the basics of IoT security best practices, to setting up CBA in Azure IoT Hub, to providing Azure IoT code samples and NuGet packages… we strive to make implementation as frictionless as possible. We know how much the engineering community dislikes having to sit on sales discovery calls, so we’ve designed EZCA to be as DIY as possible by providing you with all the information you’ll need to get things up and running. That said, we’re always happy to chat, and pride ourselves on providing excellent customer service. Feel free to book time to talk to our identity experts and get a FREE PKI evaluation!