Learn How Intune SCEP Validates Certificate Issuance
What is SCEP?
Before we get started, we must understand what the Simple Certificate Enrollment Protocol (SCEP) is. SCEP is a certificate enrollment standard that enables devices to request and obtain certificates by using a key provided by a third party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key provided by the device is allowed to request a certificate.
How to Connect an On-Premises SCEP CA to Intune
If you already have an on-premises AD with an ADCS CA, Microsoft has a guide on the other services you must add to issue certificates with Intune SCEP.
How to Create SCEP Certificates for Intune Using an Azure Based Certificate Authority
However, if you are using Intune, you are probably trying to move away from legacy on-premises technology and move your security to the cloud. To create a secure and compliant CA for Intune, you can use EZCA, the Azure-based PKI (How to get EZCA in Azure). EZCA connects to Intune using its third-party CA APIs and enables you to create SCEP certificates for Intune without the overhead of managing a complex PKI.
How Intune SCEP Certificate Issuance Works
Intune starts the certificate creation workflow by sending a challenge to the client device. The device then creates a private key and a Certificate Signing Request (CSR) and sends the CSR, together with the challenge, to EZCA. EZCA validates with Intune whether this request is valid; once Intune approves the request, EZCA creates the certificate, and Intune installs the resulting certificate on the device.
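The challenge, validate, issue sequence described above, as an added stdlib-only Python simulation that is not EZCA's or Intune's code. The three roles, the dict-shaped "CSR", the HMAC challenge format, the expected-subject check and the single-use rule are assumptions made for illustration; real SCEP uses PKCS#10 and Intune's own validation API.

```python
import hmac, hashlib, secrets, time

# Constructed simulation: ChallengeService plays Intune, build_csr plays the device,
# ca_issue plays the CA. The CA never issues without the challenge service's approval.
INTUNE_SECRET = b"constructed-demo-secret"  # assumed challenge signing key held by "Intune"

class ChallengeService:
    """Plays Intune: hands out one-time, short-lived challenges bound to a device profile."""
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.outstanding = {}  # challenge -> expected subject (issued but not yet consumed)

    def issue_challenge(self, device_id, expected_subject):
        expiry = int(time.time()) + self.ttl
        body = f"{device_id}|{expected_subject}|{expiry}"
        tag = hmac.new(INTUNE_SECRET, body.encode(), hashlib.sha256).hexdigest()
        challenge = f"{body}|{tag}"
        self.outstanding[challenge] = expected_subject
        return challenge

    def validate_request(self, csr):
        """What the CA asks before issuing: is this CSR backed by a valid challenge?"""
        challenge = csr.get("challengePassword", "")
        parts = challenge.rsplit("|", 1)
        if len(parts) != 2:
            return False, "malformed challenge"
        body, tag = parts
        expected = hmac.new(INTUNE_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        if challenge not in self.outstanding:
            return False, "unknown or already used challenge"
        _, subject, expiry = body.split("|")
        if int(expiry) < time.time():
            return False, "challenge expired"
        if csr.get("subject") != subject:
            return False, "subject does not match profile"
        del self.outstanding[challenge]  # single use: a replayed CSR is rejected
        return True, "ok"

def build_csr(subject, challenge):
    """Plays the device: key pair stand-in plus a CSR carrying the challenge password."""
    private_key = secrets.token_hex(32)  # stand-in for the real key; it never leaves the device
    public_key = hashlib.sha256(private_key.encode()).hexdigest()
    return {"subject": subject, "publicKey": public_key, "challengePassword": challenge}

def ca_issue(validator, csr):
    """Plays the CA: consult the challenge service, then issue or refuse with a reason."""
    ok, reason = validator.validate_request(csr)
    if not ok:
        return None, reason
    return {"subject": csr["subject"], "publicKey": csr["publicKey"],
            "serial": secrets.token_hex(8)}, "issued"
```

Running the happy path once and then replaying the same CSR shows why the challenge must be consumed on approval, not merely checked.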

How to Revoke Intune SCEP Certificates
When an employee leaves the company or a device is compromised, it is important to revoke the certificates issued to them. EZCA automatically revokes SCEP certificates when the device or user is removed from Intune (usually within a few hours). However, certificate revocation only takes effect once the Certificate Revocation List (CRL) is updated and distributed. Depending on how your SCEP CA is configured, this process can take days. Note that if you use OCSP, revocation can be checked in real-time, although very few applications support OCSP for SCEP certificates.
If you need to manually revoke a SCEP certificate before the automatic revocation happens, you can do so by following the steps outlined in this guide.
Even though a revoked certificate remains usable until the CRL is updated, Entra ID can use Conditional Access to block login attempts from users or devices that have been deleted or disabled, even if their certificates are still technically valid. Make sure to evaluate your security requirements and implement Entra ID Conditional Access policies for a defense-in-depth approach to securing access.
Additionally, if you are using EZRADIUS for your network access with EZCA SCEP certificates, disabled or deleted users and devices can be blocked from accessing the network immediately if you have enabled “Match With Entra ID Objects” in your EZRADIUS Access Policy.
Next Steps
Now that we know how it works, it is time to create your first Intune CA.