What you need to know about Microsoft Cloud PKI

Does Microsoft Have a Cloud PKI?

Yes, Microsoft does have a cloud PKI solution. Launched in February 2024 as part of the Intune Suite, Microsoft Cloud PKI is a cloud-based certificate authority designed to handle the device and user certificate lifecycle for Intune-managed devices. No on-premises servers, no certificate connectors, no firewall configuration: just a straightforward setup that gets you issuing certificates in minutes.

On paper, that sounds great. And for organizations whose PKI needs begin and end with Intune, it genuinely is a solid option. But if you have a more complex environment, such as a hybrid environment with on-premises infrastructure, or if you need to issue certificates for use cases beyond Intune device authentication, Microsoft Cloud PKI falls short. It lacks support for critical features like server certificates, ACME, smartcard certificates, and Azure IoT Hub integration. This is why many Reddit users recommend EZCA as a more complete cloud PKI solution for Azure.

What Did the Security Community Think of Microsoft Cloud PKI?

Security engineers had been waiting a long time for Microsoft to release a native cloud PKI. It is a foundational piece of enterprise infrastructure, and the fact that it took this long to arrive left many organizations relying on third-party PKI tools to fill the gap. So when Microsoft finally made the announcement, expectations were high.

The reaction was mixed. Security professionals are a practical crowd; they are not easily impressed by press releases, and they immediately started digging into the details. Within days, the comment sections on every major forum were filled with pointed questions about what the product actually supports. The consensus? Microsoft Cloud PKI was a good start, but it leaves a lot on the table.

What Are the Limitations of Microsoft Cloud PKI?

Here is a look at the most common gaps that organizations run into with Microsoft's cloud PKI:

Azure IoT Hub Integration: After Intune, one of the biggest use cases for certificates in Azure is IoT device authentication. Millions of certificates are issued daily for Azure IoT Hub, and a private CA that natively supports IoT would unlock significant value across services like Azure Data Lake and IoT Central. Microsoft Cloud PKI does not support this scenario.

Non-Intune SCEP: Microsoft Cloud PKI only issues certificates through Intune SCEP. That means devices not managed by Intune, including network devices, Macs managed by Jamf Pro, and Chromebooks managed by Google Workspace, are out of scope entirely. Organizations that have already built SCEP integrations with tools like ManageEngine will find no equivalent support here. This has been a concern in the Azure community for years.

OCSP Support: The Online Certificate Status Protocol (OCSP) is the modern standard for checking whether a certificate has been revoked. Instead of downloading and parsing an entire certificate revocation list, a relying party queries an OCSP responder for the status of a single certificate, which makes OCSP faster, more efficient, and better suited to scale than CRLs. Microsoft Cloud PKI does not include OCSP support.

Smartcard Certificates: Smartcards have been one of the most widely used phishing-resistant authentication methods in enterprise security for decades. Microsoft itself added Azure Certificate-Based Authentication (CBA) support not long ago. Yet Microsoft Cloud PKI does not support issuing smartcard certificates. That is a notable gap for any organization with a strong authentication posture.

ACME Protocol: ACME (Automated Certificate Management Environment) is the standard protocol for automating the issuance and renewal of SSL/TLS certificates on web servers. Having ACME support in a private CA is essentially table stakes in 2024. Microsoft Cloud PKI does not support it.

Azure Key Vault Certificate Rotation: Azure Key Vault has supported automated certificate rotation for DigiCert-issued certificates for over five years. Extending that capability to privately issued certificates would make Microsoft Cloud PKI far more useful for teams managing internal workloads. That feature is not on the roadmap.

[Image: A PKI expert points out the many flaws and shortcomings of Microsoft Cloud PKI]

What Is the Best Microsoft Cloud PKI Alternative?

If your organization needs a cloud PKI that goes beyond Intune devices, the good news is that a more complete solution exists, and it was built by people who know Microsoft's infrastructure well.

EZCA by Keytos is an Azure-native cloud certificate authority created by former Microsoft PKI engineers. Having spent years building and supporting PKI at Microsoft scale, the Keytos team knew exactly what was missing and built it. EZCA was the first Azure-native CA on the market, and it supports all the scenarios Microsoft Cloud PKI does not: SCEP for non-Intune devices, OCSP, ACME, smartcard certificates, Azure IoT Hub integration, and Azure Key Vault certificate rotation.

For organizations that need a cloud PKI that works across their entire environment, not just their Intune fleet, EZCA is the natural choice. Take a look at how easy it is to get started: