Configuring Intune SCEP

SCEP (Simple Certificate Enrollment Protocol, RFC 8894) is a certificate enrollment protocol standard designed to let digital certificate issuance scale to large device fleets. In this integration, Intune delivers a SCEP profile to managed devices and SCM acts as the SCEP server that issues the certificates.

The Intune SCEP integration is only available if enabled for your account. For more information, contact your Sectigo account manager.

Configuring Azure and SCM for use with Intune SCEP involves meeting the prerequisites below, registering an application in Azure that SCM uses to talk to Intune, and then creating an Azure account in SCM.

Prerequisites

SCM integration with Azure Intune SCEP requires the following:

  • An active Azure subscription.

  • Azure Global Administrator permissions (needed to grant tenant-wide admin consent to the application's API permissions in the final registration step).

  • Intune Company Portal installed on all applicable devices.

  • User and/or device groups defined in Azure depending on which type of certificates will be issued.

  • Root and intermediate trusted certificate profiles created for each platform you intend to use. Intune requires the trusted certificate profiles to be deployed to a device before a SCEP profile can be applied to it.

    This requires the use of trusted root and intermediate certificates obtained from Sectigo. For more information, contact your Sectigo account administrator.

  • Access granted for the following Sectigo Certificate Manager public IP ranges:

    • 91.199.212.0/24

    • 91.209.196.0/24

    • 91.212.12.0/24

Register an application in Azure

  1. Log in to Microsoft Azure.

  2. Create an application to connect to SCM.

    1. Navigate to the App registrations page, and click New registration.

    2. Enter a name for the application.

    3. Select Accounts in this organizational directory only.

    4. Click Register.

      Save the Application (client) ID and Directory (tenant) ID shown on the application's Overview page for use when creating an Azure account in SCM.

  3. Create a client secret.

    1. Under the application, navigate to the Certificates & secrets page.

    2. On the Client secrets tab, click New client secret.

    3. Provide a description and expiration period for the client secret, and click Add. Choose the shortest expiry your rotation process can support; SCM can no longer authenticate to Intune once the secret expires, so record the expiry date and rotate the secret before then.

      Save the Value for use when creating an Azure account in SCM. The Value is displayed only once, immediately after creation; if you navigate away without copying it, you must create a new secret. Treat it as a credential and store it in a secrets manager rather than in a ticket or e-mail.

  4. Set API permissions for the application.

    1. Under the application, navigate to the API permissions page.

    2. Click Add a permission, select Microsoft Graph > Application permissions, select Application.Read.All, and click Add permissions.

    3. Click Add a permission, select Intune > Application permissions, select scep_challenge_provider, and click Add permissions.

    4. Click Grant admin consent for <YourCompanyName>.

      Application permissions take effect only after admin consent is granted; until then SCM cannot validate SCEP challenges against Intune. Grant only these two permissions. The application holds a long-lived secret, so any additional permission granted to it widens the impact of that secret being leaked.
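
As an added example, not Sectigo's own code or part of the portal procedure above, the same four steps carried out with the Microsoft Graph PowerShell SDK, ending with a check of which permissions were actually granted so that over-privilege is visible. The display name, the secret lifetime and the well-known Intune resource appId are assumptions: adjust the first two, and confirm the appId against the service principal in your own tenant.

```powershell
# Added example (not from the Sectigo documentation): registers the SCM application with the
# Microsoft Graph PowerShell SDK, mirroring portal steps 2-4 above.
# Assumptions: the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), the
# signed-in user may grant tenant-wide admin consent, and the Intune resource is identified by
# the well-known appId below (verify it in your tenant with Get-MgServicePrincipal).

#Requires -Modules Microsoft.Graph.Applications

$AppName      = 'Sectigo-SCM-Intune-SCEP'                  # assumed display name
$SecretMonths = 12                                         # assumed lifetime; shorter is safer
$GraphAppId   = '00000003-0000-0000-c000-000000000000'     # Microsoft Graph (well-known)
$IntuneAppId  = 'c5393580-f805-4401-95e8-94b7a6ef2fc2'     # Microsoft Intune API (verify in tenant)

# These scopes are for the administrator performing the registration, not for the SCM app.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Resolve the two app-role IDs by name from the resource service principals, so that no
# per-permission GUIDs are hard-coded in the script.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$intuneSp = Get-MgServicePrincipal -Filter "appId eq '$IntuneAppId'"
if (-not $graphSp -or -not $intuneSp) { throw 'Could not resolve the Microsoft Graph or Intune service principal.' }

$graphRole  = $graphSp.AppRoles  | Where-Object { $_.Value -eq 'Application.Read.All'    -and $_.AllowedMemberTypes -contains 'Application' }
$intuneRole = $intuneSp.AppRoles | Where-Object { $_.Value -eq 'scep_challenge_provider' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $graphRole -or -not $intuneRole) { throw 'A required application permission was not found on its resource.' }

# Step 2: register a single-tenant application ("Accounts in this organizational directory only")
# that requests exactly the two application permissions, and nothing else.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{ ResourceAppId = $GraphAppId;  ResourceAccess = @(@{ Id = $graphRole.Id;  Type = 'Role' }) },
    @{ ResourceAppId = $IntuneAppId; ResourceAccess = @(@{ Id = $intuneRole.Id; Type = 'Role' }) }
)

# Step 3: create the client secret. SecretText is returned once, here, and cannot be read back later.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'SCM Intune SCEP'
    EndDateTime = (Get-Date).AddMonths($SecretMonths)
}

# Step 4: "Grant admin consent" for application permissions is, in Graph terms, an app-role
# assignment on the application's own service principal for each resource.
$sp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id  -AppRoleId $graphRole.Id  | Out-Null
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $intuneSp.Id -AppRoleId $intuneRole.Id | Out-Null

# Check: list what the application can actually do. Exactly two rows are expected; any extra
# assignment is a permission SCM does not need and should be removed.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$granted | Select-Object ResourceDisplayName, AppRoleId | Format-Table -AutoSize
if ($granted.Count -ne 2) { Write-Warning "Expected 2 app-role assignments, found $($granted.Count)." }

# The values SCM asks for when you create the Azure account. Handle ClientSecretValue as a
# credential: copy it into your secrets manager, not into a ticket or chat.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    DirectoryTenantId   = (Get-MgContext).TenantId
    ClientSecretValue   = $secret.SecretText
    SecretExpires       = $secret.EndDateTime
}
```

The script resolves the role IDs from the resource service principals rather than hard-coding them, which keeps it correct if Microsoft ever changes an ID, and it fails early if either permission cannot be found. Re-running it creates a second application; to rotate only the secret on an existing registration, call Add-MgApplicationPassword against the existing application ID and remove the old credential with Remove-MgApplicationPassword once SCM has been updated.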

Now that the application is registered in Azure, you can create an Azure account in SCM. For more information, see Understanding Azure accounts.