The Pros and Cons of Microsoft Cloud PKI

Should I Use Microsoft Cloud PKI?

In February 2024, Microsoft finally announced the release of Microsoft Cloud PKI! While this news seemed exciting and game-changing on the surface, a deeper dive reveals quite a few flaws in this long-awaited service. In this blog, we will go through the pros and cons of Microsoft Cloud PKI to help you decide whether or not it’s worth it.

Does Microsoft Cloud PKI Only Work for Intune? Or Is it a Full-Fledged Cloud PKI?

One of the biggest questions on engineers’ minds about Microsoft Cloud PKI is whether or not it works for services besides Intune. The answer? No; Microsoft Cloud PKI is Intune-exclusive. This exclusivity affects most organizations: not only those that use another MDM such as Jamf Pro for their non-Windows devices, but also anyone migrating from an on-premises PKI to Azure, since you will not be able to issue certificates for the domain controllers or internal servers that currently rely on your on-premises PKI. In such cases, we recommend using a third-party PKI tool like EZCA, which is the first and only Azure-native CA and can be used to issue certificates for all of your Azure needs, including Intune, Azure Key Vault, Azure IoT Hub, and more.

What are the Missing Features of Microsoft Cloud PKI?

While Microsoft Cloud PKI is a step in the right direction, it’s important to note that it lacks many of the features that are essential for a comprehensive cloud PKI solution. Some of the missing features include support for SCEP for non-Intune MDMs, OCSP, smartcard certificates, ACME support, Azure Key Vault certificate rotation, and Azure IoT Hub integration. These missing features significantly limit the functionality of Microsoft Cloud PKI and make it less appealing for organizations that require a more robust PKI solution.

Does Microsoft Cloud PKI Integrate with Azure Key Vault?

A standout feature of Azure is Azure Key Vault (AKV). Azure Key Vault is known for its capability to securely handle certificates and secrets, and for its ability to seamlessly integrate them into Azure Virtual Machines (VMs). Also, for more than five years, AKV has supported automated certificate rotation with DigiCert! Bafflingly, Microsoft decided to exclude Azure Key Vault integration from their cloud PKI. Offering comparable features for private certificates would further enhance Microsoft Cloud PKI and make it an even more attractive choice, so the decision not to integrate with Azure Key Vault (a fellow Microsoft product, by the way) is quite surprising.

If you want to see how great an Azure Key Vault certificate experience would have been, check out the video below:

Does Microsoft Cloud PKI Integrate with Azure IoT Hub?

Besides Intune, Azure IoT Hub represents the most significant application of certificates within Azure, with millions of certificates being issued for authentication purposes by our Azure IoT Hub CA. From a business perspective, implementing a private CA that caters to IoT devices has the potential to unlock billions in revenue through other cloud services, including Azure Data Lake, IoT Central, and more. As such, Microsoft’s decision not to integrate Microsoft Cloud PKI with Azure IoT Hub is mind-boggling. Much like Azure Key Vault, Azure IoT Hub is an existing Microsoft service (and, as mentioned above, a highly profitable one at that), so it makes no sense for Microsoft to exclude it from their cloud PKI; alas, that is exactly what they did.

Does Microsoft Cloud PKI Have OCSP?

As the use of certificate-based authentication (CBA) becomes increasingly popular, it is crucial to maintain the validity and trustworthiness of these certificates. A leading method for monitoring and managing certificate status is the Online Certificate Status Protocol (OCSP). Unlike older approaches such as Certificate Revocation Lists (CRLs), OCSP lets a relying party query the revocation status of a single certificate instead of downloading the issuer’s entire revocation list, which makes it more efficient than traditional CRL checking.

Regrettably, OCSP has not been incorporated into Microsoft’s Cloud PKI, which is a huge disappointment. Many organizations rely on OCSP to manage their certificates, so this exclusion by Microsoft is a real head-scratcher.
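To make the OCSP exchange concrete, here is an added example (not code from the original post, from Microsoft, or from Keytos) written in Python with the `cryptography` package. It builds a constructed throwaway CA and one leaf certificate, then plays both sides of the protocol: the client asks about exactly one serial number (issuer hashes plus serial, not a full CRL), the responder signs a GOOD or REVOKED answer, and the client checks the signature, that the answer is for the serial it asked about, and that the answer is fresh before trusting it. The CA name, the device name `device01.example.internal`, the in-memory `DemoResponder`, and the choice to have the CA key sign responses directly (rather than a delegated responder certificate) are all assumptions made for the demo.

```python
"""Offline OCSP request/response exchange using the `cryptography` package.
Everything here is constructed for illustration: a throwaway demo CA, one leaf
certificate, and an in-memory responder that answers on behalf of that CA."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
UTC = datetime.timezone.utc


def _utc(dt):
    """Normalise naive (assumed UTC) and aware datetimes to aware UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def make_demo_pki():
    """Constructed demo CA plus one leaf certificate (not a real PKI)."""
    now = datetime.datetime.now(UTC)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Private CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device01.example.internal")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


class DemoResponder:
    """Toy OCSP responder (assumption): the CA answers for certificates it issued."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.issued = {}   # serial number -> certificate
        self.revoked = {}  # serial number -> revocation time

    def register(self, cert):
        self.issued[cert.serial_number] = cert

    def revoke(self, cert):
        self.revoked[cert.serial_number] = datetime.datetime.now(UTC)

    def respond(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        cert = self.issued.get(req.serial_number)
        if cert is None:
            # Not a certificate we issued: refuse rather than guess (RFC 6960 "unauthorized").
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
        now = datetime.datetime.now(UTC)
        revoked_at = self.revoked.get(req.serial_number)
        status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA256(),
            cert_status=status,
            this_update=now,
            next_update=now + datetime.timedelta(hours=1),  # answer is valid for one hour
            revocation_time=revoked_at,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
        return builder.sign(self.ca_key, hashes.SHA256()).public_bytes(DER)


def build_request(leaf_cert, ca_cert):
    """Client: ask about one certificate only (issuer hashes + serial), not the whole CRL."""
    return (ocsp.OCSPRequestBuilder()
            .add_certificate(leaf_cert, ca_cert, hashes.SHA256())
            .build().public_bytes(DER))


def check_response(request_der, response_der, ca_cert, now=None):
    """Client: validate the responder's answer before trusting the status it carries."""
    now = now or datetime.datetime.now(UTC)
    req = ocsp.load_der_ocsp_request(request_der)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error:" + resp.response_status.name.lower()
    if resp.serial_number != req.serial_number:
        raise ValueError("response answers a different serial than the one requested")
    # Signature check: in this demo the CA key signs responses, so it is the trust anchor.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if _utc(resp.this_update) > now + datetime.timedelta(minutes=5):
        raise ValueError("response is dated in the future")
    if resp.next_update is not None and _utc(resp.next_update) < now:
        raise ValueError("stale response; a replayed old GOOD answer must not be accepted")
    return resp.certificate_status.name.lower()


def demo():
    """Run the exchange once before and once after revoking the leaf certificate."""
    ca_key, ca_cert, leaf = make_demo_pki()
    responder = DemoResponder(ca_key, ca_cert)
    responder.register(leaf)
    req = build_request(leaf, ca_cert)
    before = check_response(req, responder.respond(req), ca_cert)
    responder.revoke(leaf)
    after = check_response(req, responder.respond(req), ca_cert)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it directly and it prints `('good', 'revoked')`. The client-side checks are the point: a relying party that skips the signature, serial-match or freshness checks can be fed a replayed old GOOD answer, which is exactly the gap a proper OCSP deployment (ideally with short `next_update` windows) is meant to close.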

Does Microsoft Cloud PKI Have ACME Support?

ACME is a highly effective protocol aimed at streamlining certificate issuance for web servers through automation. It primarily facilitates the automated deployment and management of certificates across web servers. ACME’s key goal is to make the acquisition, renewal, and administration of X.509 certificates (the certificates used for SSL/TLS) simpler and more straightforward.

Before ACME, these processes involved manual interventions that could be particularly cumbersome, especially in large-scale operations or situations with frequently expiring certificates. In essence, ACME has been a significant time and effort saver for the security, development, and engineering communities. To sum it up in a few words: incorporating ACME support in a private certificate authority is essential for any cloud PKI.

Sadly, Microsoft’s Cloud PKI does not have ACME support. This is another shocking omission by the Microsoft team – as we mentioned earlier, having ACME support in a private CA nowadays is an absolute necessity, so its lack of inclusion in the Microsoft Cloud PKI is baffling and definitely a con.

Does Microsoft Cloud PKI Have Smartcard Certificate Distribution?

For many years, smartcards have been a prominent authentication method linked with CBA. Just last year, Microsoft introduced Azure CBA support, but this is limited to single-factor certificates. Notably, this Azure CBA support does not extend to the more secure variants of smartcards, nor does it include support for YubiKeys. You would also think that adding smartcard certificate distribution to their cloud PKI would be a no-brainer for Microsoft – somehow, you would be wrong. This is yet another in a long list of omissions from the Microsoft Cloud PKI that make us wonder if Microsoft is promoting an unfinished product.

Does Microsoft Cloud PKI Support Non-Intune SCEP?

Microsoft’s announcement of their cloud PKI focuses primarily on the issuance of certificates via Intune SCEP, and, perhaps most significantly, it does not mention support for SCEP certificates that are not managed through Intune, such as those for network devices. This lack of support is far from ideal – a brief review of some of the major Azure discussion forums reveals that SCEP capabilities have been a sensitive and significant issue for engineers for quite some time. Since the 2022 update, there has been a cautious hope among users that this feature would be part of the Microsoft Cloud PKI offering, but sadly and bafflingly, it is not.

How Much Does Microsoft Cloud PKI Cost?

Microsoft Cloud PKI can be purchased as an add-on to Microsoft Intune for $2.00 per user per month, which works great for small customers with only a few users, but for larger enterprises with thousands of users, this can quickly become an astronomical cost. For example, if you have 10,000 users, that’s $20,000 per month just for the Microsoft Cloud PKI add-on. In comparison, EZCA by Keytos costs a flat fee of $200 per month for unlimited users and certificates. So, if you have more than 100 users, EZCA is the most cost-effective option for Intune PKI.

Is Microsoft Cloud PKI Worth It?

Whether Microsoft Cloud PKI is worth it depends on how you plan to use it. If you are in a cloud-only environment that only needs certificates for Intune-managed devices and you have fewer than 100 users, then Microsoft Cloud PKI may be a good fit for your organization. However, if you need server certificates or have more than 100 users, then other Azure-native PKI solutions like EZCA may better meet your needs. If you want to learn more about how to set up a cloud PKI, you can set up a call with our identity experts to get a free PKI evaluation and find the best solution for your organization.