Thursday, 23 May 2024

Secure email with Intune Cloud PKI in less than 15 minutes

This is incredible. I have experience with deploying PKI solutions in the past and it can be time-consuming and complex. My customer has a requirement to encrypt email but they have no internal PKI. I wanted to see how this could be achieved with the new Intune Cloud PKI. I was amazed, I was able to configure the entire solution in my lab in less than 15 minutes and now I can concentrate on the rest of my day.

Licensing first, Cloud PKI is part of the Intune Suite so I ensured that my test users had this license. Then on with the configuration. It's so easy. We'll have a look at how to create and deploy a Microsoft Cloud PKI root CA and issuing CA in Microsoft Intune. We will then create certificate profiles so that the issuing CA can issue certificates to devices.

The account you use to sign into the Microsoft Intune admin center must have permission to create CAs. The roles with built-in permissions include Microsoft Entra Global administrator and Intune service administrator account. 


Alternatively, you can assign Cloud PKI CA permissions to an admin user.


Root CA

In the Microsoft Intune admin center, navigate to Tenant administration > Cloud PKI, and then select Create.


Enter a name and optional description for your CA. Click Next.


Now we have the configuration settings. For CA type you have to choose Root CA, as this is the first one. For validity period, select 5, 10, 15, 20, or 25 years. For Extended Key Usages, select how you intend to use the CA. To prevent potential security risks, CAs are limited to select use. I need Email protection for now, but I may need Client authentication at a later stage. 


Enter a common name for the root CA and optionally enter other attributes.


Enter the required Key size and algorithm. The options are:
  • RSA-2048 and SHA-256
  • RSA-3096 and SHA-384
  • RSA-4096 and SHA-512
Click Next to continue. Configure a scope tag if required and click Next.


Review the configuration. You won't be able to edit these properties after you create the CA. If you need to change something later must create a new CA. If you are happy select Create.


After a short time you will see your root CA.


Have a look at the properties. Download the certificate, you will need it later.


Here is the certificate in .cer format.

Issuing CA

Next we will configure the Issuing CA. An issuing CA is required to issue certificates for Intune-managed devices. Cloud PKI automatically provides a SCEP service that acts as a certificate registration authority. It requests certificates from the issuing CA on behalf of Intune-managed devices using a SCEP profile.

In the Microsoft Intune admin center, navigate to Tenant administration > Cloud PKI, and then select Create.


Enter a name and optional description for your CA. Click Next.


This time we have more options (as we already have one Root CA). Choose Issuing CA as the CA type and Intune as the Root CA Source. Select your Root CA to link with the Issuing CA.


What is the function of the issuing CA? You will only see the options made available through the Root CA. 


I've selected email protection and client authentication again.


Common name is the only required field here.


You cannot configure the key size and algorithm as they are inherited from the root CA.


Review the summary and create the issuing CA.


Root CA and Issuing CA have now been created and are available in the Intune admin center. Note that, at the moment, it is not possible to delete these CAs without a support ticket.


Download the certificate and copy the SCEP URI. You will need them later.


Here we have our Root and Intermediate certificates.

Certificate Profiles

Now we need to create three certificate profiles.
  • Trusted certificate profile for the Cloud PKI root CA
  • Trusted certificate profile for the Cloud PKI issuing CA
  • SCEP certificate profile for the Cloud PKI issuing CA
Let's do the Root CA first.


Create a configuration profile using the Trusted certificate template.


Browse to the .CER file download earlier from the Root CA.


Assign the profile to a group.


Create a second profile using the Trusted Certificate template. Browse to the CA file downloaded from the Issuing CA.


Next we need a configuration profile based on the SCEP certificate template.


Default settings will work here. Note that key storage provider, key usage, key size and hash algorithm are not pre-configured but are required.


Select your Root CA and extended key usage. I've chosen secure email and client authentication again. Enter the SCEP URI that you copied earlier.


Create and assign the SCEP profile.

On the test device

So, what do we see on the test device?


The root and intermediate certificates can be seen in the Trusted Root Certificate Authority store.


The SCEP certificate for the logged in user can be seen in the Personal store.


In the Intune admin center, browse to Tenant Admin > Cloud PKI > Issuing CA > View all certificates to see a list of all the SCEP certificates issued to users.  


Drill into a certificate to see the details.


Now, in the Outlook client, select File from the main menu, then click Options. Select Trust Center at the bottom of the menu on the left side of the Outlook Options. Click the Trust Center Settings button. Select Email Security from the left-hand menu of the Trust Center window and you will see the email encryption settings.


Click Settings to see the certificate details.


The user now has the option to encrypt emails using S/MIME.

I hope this help, until next time........