Before we get started we must understand what is Simple Certificate Enrollment Protocol (SCEP). SCEP is a certificate enrollment standard that enables devices to issue certificates by using a key provided by a 3rd party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key provided by the device is allowed to request a certificate.
If you already have an on-premises AD with an ADCS CA, Microsoft has a guide on the other services you must add to issue certificates with Intune SCEP.
However, if you are using Intune you are probably trying to move away from legacy on-premise technology and move your security to the cloud. To create a secure and compliant CA for Intune, you can use EZCA the Azure based PKI (How to get EZCA in Azure). EZCA connects to Intune using their Third Party APIs and enables you to create SCEP certificates for intune without the overhead of managing a complex PKI.
Intune starts the certificate creation workflow by: sending a challenge to the client device, then the device creates a private key and a Certificate Signing Request (CSR) and sends it with the challenge to EZCA, EZCA then validates with intune wether this request is valid, once Intune approves the request, EZCA creates the certificate and Intune installs the resulting certificate in the device.
Now that we know how it works it is time to create your first Intune CA