Recently, Microsoft finally announced the release date for the Microsoft Cloud PKI! While this news seems exciting and game-changing on the surface, a deeper dive reveals quite a few flaws with this long-awaited service. In this blog, we will go through the pros and cons of Microsoft Cloud PKI to help you decide whether or not it’s worth it.
Let’s get right into it, shall we? One of the biggest questions on engineers’ minds about the Microsoft Cloud PKI is whether it works for anything besides Intune. The answer? No; Microsoft Cloud PKI is Intune-exclusive. That exclusivity is a surprise, as many teams use other tools, such as ManageEngine, for their device and certificate management needs. If that sounds like your PKI team, the Microsoft Cloud PKI just isn’t for you, through no fault of your own.
Once you get past the initial excitement of Microsoft announcing this cloud PKI, your next logical step would be to see what it does and doesn’t have. Unfortunately for engineers everywhere, the Microsoft Cloud PKI has a ton of startling omissions. Let’s take a look at the biggest snubs, at least in our opinion:
A standout feature of Azure is Azure Key Vault (AKV). Key Vault is known for securely storing keys, secrets and certificates, and for integrating them seamlessly into Azure Virtual Machines (VMs). For more than five years, AKV has also supported automated certificate enrollment and rotation with DigiCert. Bafflingly, Microsoft decided to exclude Azure Key Vault integration from its cloud PKI. Offering the same automated issuance and rotation for private certificates would make Microsoft Cloud PKI a far more attractive choice, so the decision not to integrate with Azure Key Vault (a fellow Microsoft product, by the way) is quite surprising.
If you want to see how great an Azure Key Vault certificate experience would have been, check out the video below:
Besides Intune, Azure IoT Hub represents the most significant application of certificates within Azure, with millions of certificates being issued for device authentication by our Azure IoT Hub CA. From a business perspective, a private CA that caters to IoT devices has the potential to unlock billions in revenue through other cloud services, including Azure Data Lake, IoT Central and more. As such, Microsoft’s decision not to integrate the Microsoft Cloud PKI with Azure IoT Hub is mind-boggling. Much like Azure Key Vault, Azure IoT Hub is an existing Microsoft service (and, as mentioned above, a highly profitable one), so it makes no sense for Microsoft to exclude it from their cloud PKI; alas, that is exactly what they did.
As certificate-based authentication (CBA) becomes increasingly popular, it is crucial to be able to revoke a certificate and have relying parties actually notice. The two standard mechanisms are Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP). With a CRL, the relying party downloads the issuer’s entire signed list of revoked serial numbers, verifies it and searches it; with OCSP, it asks a responder about one certificate and gets back a short, signed, time-bounded answer (good, revoked or unknown). OCSP is therefore far more efficient for clients when the CRL is large or changes often, at the cost of needing a responder that is reachable at authentication time (OCSP stapling, where the TLS server presents a fresh response itself, removes that dependency for TLS).
Regrettably, OCSP has not been incorporated into Microsoft’s Cloud PKI, which is a huge disappointment. Many organizations rely on OCSP to check certificate status, so this exclusion from Microsoft is a real head-scratcher.
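To make the CRL-versus-OCSP difference concrete, here is an added example (not code from the original post, and not Microsoft’s or Keytos’ code) that builds a throwaway private CA in memory, revokes one of two device certificates on a CRL, and then answers an OCSP request for each from a toy responder. All names (the root CA, `device01.example.internal`, `device02.example.internal`) and the `issued` serial-number lookup are hypothetical. Beyond what the paragraph says, it shows the checks a relying party must perform before trusting an OCSP answer: the response must be signed by the CA, must be fresh, and must answer the exact CertID that was asked about.

```python
"""CRL lookup vs. OCSP round trip against a throwaway private CA.
Added example, not code from the original post or from Microsoft. Everything is built
in memory: a hypothetical root CA, two device certs, a CRL revoking one of them, and a
toy OCSP responder that answers from that CRL. Needs the 'cryptography' package only."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, public_key, signer, is_ca):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(public_key)
         .serial_number(x509.random_serial_number()).not_valid_before(NOW - DAY)
         .not_valid_after(NOW + (3650 if is_ca else 365) * DAY))
    return b.add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True).sign(signer, hashes.SHA256())


def build_demo_pki():
    """Hypothetical root CA plus two device certs; device01 is revoked for key compromise."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = _name("Example Private Root CA (hypothetical)")
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)

    def leaf(cn):
        return _cert(_name(cn), ca_name, ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, False)

    good, bad = leaf("device02.example.internal"), leaf("device01.example.internal")
    revoked = (x509.RevokedCertificateBuilder().serial_number(bad.serial_number).revocation_date(NOW)
               .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name).last_update(NOW)
           .next_update(NOW + 7 * DAY).add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, crl, good, bad


def crl_status(crl, ca_cert, serial):
    """CRL check: the relying party fetches the whole list, verifies it, then searches it."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    if crl.next_update is not None and NOW > crl.next_update:
        raise ValueError("CRL is stale; do not fail open on a cached list")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good", None
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return "revoked", reason.name


def ocsp_request(cert, issuer):
    """Client side: ask about exactly one certificate (CertID = hashed issuer name/key + serial)."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(DER)


def ocsp_respond(request_der, ca_key, ca_cert, crl, issued):
    """Toy responder: answer a single-cert request from the CA's own revocation data."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued.get(req.serial_number)  # hypothetical issuance database keyed by serial number
    if cert is None:  # not ours: refuse rather than guess
        return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    entry = crl.get_revoked_certificate_by_serial_number(req.serial_number)
    if entry is None:
        status, rev_time, reason = ocsp.OCSPCertStatus.GOOD, None, None
    else:
        status = ocsp.OCSPCertStatus.REVOKED
        rev_time = entry.revocation_date
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=ca_cert, algorithm=req.hash_algorithm, cert_status=status,
                             this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                             revocation_time=rev_time, revocation_reason=reason)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert))
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def ocsp_check(request_der, response_der, ca_cert):
    """Client side: trust the answer only if it is signed by the CA, fresh, and about our CertID."""
    req = ocsp.load_der_ocsp_request(request_der)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown", None  # caller decides whether to fail closed
    if resp.serial_number != req.serial_number or resp.issuer_key_hash != req.issuer_key_hash:
        raise ValueError("OCSP response does not answer the question we asked")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.next_update is not None and NOW > resp.next_update:
        raise ValueError("OCSP response is stale")
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "revoked", resp.revocation_reason.name
    return "good", None
```

Run `build_demo_pki()` once, then compare `crl_status(...)` and `ocsp_check(req, ocsp_respond(req, ...), ca_cert)` for each device certificate: both report `("revoked", "key_compromise")` for device01 and `("good", None)` for device02. Note that `ocsp_check` deliberately raises on a response that fails signature, freshness or CertID matching, and returns `"unknown"` on an unsuccessful response; which of those a relying party treats as fatal is a policy decision, and the soft-fail default in most browsers is exactly why a private PKI that cannot answer OCSP at all leaves revocation effectively unenforced.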
ACME (the Automatic Certificate Management Environment, RFC 8555) is a highly effective protocol for automating certificate issuance to web servers. It lets a server prove control of a name, request a certificate, install it and renew it without a human in the loop. ACME’s key goal is to make the acquisition, renewal and administration of X.509 certificates (the certificates used for SSL/TLS) simpler and more straightforward.
Before ACME, these processes involved manual interventions that could be particularly cumbersome, especially in large-scale operations or situations with frequently-expiring certificates. In essence, ACME has been a significant time and effort saver for the security development and engineering communities. To sum it up in a few words: incorporating ACME support in a private certificate authority is essential for any cloud PKI.
Sadly, Microsoft’s Cloud PKI does not have ACME support. This is another shocking omission by the Microsoft team – as we mentioned earlier, having ACME support in a private CA nowadays is an absolute necessity, so its lack of inclusion in the Microsoft Cloud PKI is baffling and definitely a con.
For many years, smartcards have been a prominent authentication method linked with CBA. Just last year, Microsoft introduced Azure CBA support, but this is limited to single-factor certificates. Notably, this Azure CBA support does not extend to the more secure variants of smartcards, nor does it include support for YubiKeys. You would also think that adding smartcard certificate distribution to their cloud PKI would be a no-brainer for Microsoft – somehow, you would be wrong. This is yet another in a long list of omissions from the Microsoft Cloud PKI that make us wonder if Microsoft is promoting an unfinished product.
Microsoft’s announcement of their cloud PKI primarily focuses on the issuance of certificates via Intune SCEP, but perhaps most significantly, it does not mention support for SCEP certificates not managed through Intune, like those for network devices. This lack of support is far from ideal – a brief review of some of the major Azure discussion forums reveals that the topic of SCEP capabilities has been a sensitive and significant issue for engineers for quite some time. Since the 2022 update, there has been a cautious hope among users that this feature would be part of the Microsoft Cloud PKI offering, but sadly and bafflingly, it is not.
According to Microsoft, “Cloud PKI as a standalone add-on will be $2 per user per month.” On the surface, $2 a month doesn’t look bad; heck, that’s less than pretty much anything at Starbucks once a month! What’s the catch? Those two words in the middle: “per user.” $2 per user per month is, to put it mildly, insane. For smaller organizations that have been patiently awaiting the release of a Microsoft Cloud PKI, this is an absolute gut punch to their bottom line; honestly, we know some large organizations that would be pretty peeved about having to spend all that money too.
If it feels like this whole blog has been just piling on the Microsoft Cloud PKI over and over again…you’re right. But what are we to do otherwise? The fact is, the Microsoft Cloud PKI is simply not worth it, no matter how you slice it. The combination of the lack of any substantial features and the crazy high price tag put this atop the “Do Not Buy” list.
The initial response to the announcement has been a lot of things but can be largely summed up in one word: disillusionment. Many have regarded Microsoft as a global leader in PKI, but in recent years, they’ve been drastically outpaced by other technologies like EZCA that better fulfill customer PKI needs for Azure. The security community is desperately in need of a more comprehensive solution, and there is a notable sense of letdown due to the limited functionality of this new Microsoft Cloud PKI. As a result, engineers are increasingly turning towards more advanced and sophisticated PKI solutions, such as EZCA from Keytos, which is the first Azure-native CA.
So, in conclusion, save your money and look elsewhere from Microsoft when it comes to a cloud PKI. Alternatives like EZCA prove that there are better services for markedly less money, and until Microsoft steps up their game, it will stay that way.