When Microsoft Cloud PKI for Intune was released last year, it was met with a wave of disappointment from many corners of the cybersecurity world, as it became evident that the solution’s compatibility with diverse systems and applications was not as extensive as hoped. One of the biggest complaints about Microsoft Cloud PKI was the pricing. In addition to your regular Office licenses (E3, E5, etc.), you need to pay an additional $10 per user per month for the Intune license that includes Intune Cloud PKI. This made the price inaccessible to most IT teams, and the larger your team, the harder it gets to justify. This decision made Microsoft Cloud PKI alternatives such as EZCA skyrocket in popularity, with multiple Reddit users recommending the flat $200 USD pricing over the expensive Intune Cloud PKI pricing model.
This year, Microsoft announced changes to their Intune pricing. While many users were excited to see that Intune Cloud PKI is now included in the E5 license, many were disappointed to see that they had to pay $50+ USD to get the “free PKI,” and the already expensive $37 USD-per-month E3 license still does not include Intune Cloud PKI.

If you have E5, then Intune Cloud PKI is definitely worth the cost, since it is already included. However, if you have E3 or lower licenses, then the question of whether Intune Cloud PKI is worth the cost is a bit more complex. If the additional cost you would have to pay for Intune Cloud PKI (usually $2 USD per user per month) is less than $200 USD, then Intune Cloud PKI is worth the cost, since it is the most affordable way to get certificates in the cloud. But if you go over the $200 USD threshold—or you need certificates for domain controllers or other MDMs such as Jamf Pro or ManageEngine—then managing your own NDES/SCEP or using a more modern solution such as EZCA makes more sense. (If you do the math, EZCA costs around the same as having your Windows servers in Azure, without the headache of managing ADCS.)
So, what’s everyone in the security community doing to work around these issues? Well, they’re doing what they’ve been doing for the past decade and relying on 3rd-party PKI tools like EZCA to fill the gaps at an exceptionally affordable price point. The team at Keytos, composed predominantly of ex-Microsoft PKI engineers, built EZCA to do everything you’d expect the best Microsoft Cloud CA to do. Let’s take a look at some of the features and functionality offered within EZCA that simply aren’t possible with Intune Cloud PKI.
Non-Intune (Jamf, On-Premises) SCEP: Most notably, the announcement only talks about issuing certificates through Intune SCEP. The key omission here is that there is no indication that SCEP certificates that are not managed through Intune, such as network devices, will be supported. Not ideal. Luckily for you, EZCA is capable of managing non-Intune SCEP certificates.
Azure IoT Hub Integration: After Intune, the biggest use for certificates in Azure is Azure IoT Hub. Learn how millions of certificates are issued and used for authentication with our Azure IoT Hub CA.
OCSP: One of the most popular ways to check whether a certificate has been revoked is the Online Certificate Status Protocol (OCSP). Unlike more traditional methods like CRLs, which require clients to download the CA's full list of revoked certificates, OCSP was designed specifically for retrieving the revocation status of individual certificates, making it much more efficient than its traditional counterpart. It’s just another core feature offered by EZCA that’s not available with Intune Cloud PKI.
Smartcard Certificate Distribution: It’s surprising that Microsoft failed to include support for smartcards in the offering. Smartcards have been one of the most widely used authentication methods associated with CBA for a long time. Microsoft added Azure CBA support last year; however, this is only for single-factor certificates. They do not support the more secure versions of smartcards or YubiKeys for that matter.
ACME: The Automated Certificate Management Environment, or ACME for short, is an exceptionally useful protocol designed to automate certificate issuance for web servers. Essentially, it allows for automated certificate deployment and renewal across web servers. The primary motivation behind leveraging ACME is to simplify the process of obtaining, renewing, and managing SSL/TLS certificates. Long story short, ACME has saved the security and engineering communities countless hours and headaches; having ACME support in a private CA is a must in this day and age.
Automated Certificate Rotation in Azure Key Vault: One of the best features in Azure is that Key Vault allows you to securely manage your certificates and even push them to VMs. Azure Key Vault has supported automated certificate rotation for DigiCert for over five years, and EZCA offers similar functionality for private certificates.
EZCA can be paired with EZRADIUS, the first cloud-based RADIUS server that integrates seamlessly with Azure AD and Intune. This solution is designed to provide secure and reliable network access control for organizations of all sizes. With EZRADIUS, you can easily manage user authentication and authorization, enforce security policies, and monitor network activity. Plus, EZRADIUS offers advanced features like certificate-based authentication with Intune compliance checks and dynamic VLAN assignment. If you’re looking for a comprehensive and cost-effective solution for network access control, EZRADIUS is an excellent choice.
While Microsoft’s Cloud PKI introduces a cloud-based solution for certificate management, its current configuration and feature set raise questions regarding its comprehensiveness and scalability—particularly in relation to server and IoT certificate management, OCSP support, smartcard integration, ACME protocol support, and Azure Key Vault integration.
EZCA by Keytos offers a unique blend of simplicity, security, affordability, and efficiency. It’s tailored specifically for modern security engineers who need a reliable, easy-to-use cloud PKI solution with robust functionality at a reasonable rate. Choose EZCA for a streamlined, secure, and user-friendly experience that stands unmatched in the market. We invite you to look through our PKI documentation, YouTube Channel and the suggested reading below to learn more about how EZCA can help secure your data! If you’d like to arrange some time to speak with our team of Identity Experts, please click on the previous link and select a time that is convenient for you!
Is Intune Cloud PKI free?
No. Intune Cloud PKI is not free. It’s included with certain Intune add-on plans and with Microsoft 365 E5, but organizations using E3 or lower plans must pay extra to get access to it.
Which Microsoft 365 or Intune plans include Intune Cloud PKI?
As of late 2025, Intune Cloud PKI is included with Microsoft 365 E5 and with some advanced Intune add-on SKUs. Customers on E3 and other lower-tier plans typically need to purchase an additional Intune license to use Cloud PKI.
How much does Intune Cloud PKI cost per user?
Pricing varies by region and licensing agreement, but in most cases organizations pay an additional Intune license fee on top of their existing Microsoft 365 plans. This commonly works out to roughly $2 USD per user per month to get Cloud PKI capabilities.
When is Intune Cloud PKI worth it?
If you already have E5 and Intune Cloud PKI is included, it’s usually worth using because there’s no extra per-user PKI cost. If you’re on E3 or lower, it’s only cost‑effective for smaller environments where the incremental Intune Cloud PKI cost stays below what you’d pay for a dedicated PKI solution.
What are the main limitations of Intune Cloud PKI?
Intune Cloud PKI is primarily focused on Intune-managed devices. It doesn’t currently address many common PKI scenarios such as non‑Intune SCEP devices, advanced OCSP configurations, ACME automation, or broad smartcard/YubiKey use cases.
What is a good alternative to Intune Cloud PKI?
For organizations that need broader certificate coverage, support for non‑Intune devices, ACME, Azure Key Vault automation, or smartcard/YubiKey scenarios, EZCA is a strong alternative. It’s Azure‑native, designed with Intune SCEP in mind, and offers flat, predictable pricing.