Skip to content
SCEPman | Intune SCEP-as-a-Service
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
dist Updated from GitLab Aug 19, 2019
docs/images documentation update May 6, 2019
marketplace Marketplace update Aug 20, 2019
azuredeploy-beta.json pid added Jul 24, 2019
azuredeploy.json pid added Jul 24, 2019



SCEPman shall implement a fully unattended Certificate Authority for Microsoft Intune based device certificate deployment described in this document:

“In Microsoft Intune, you can add third-party certificate authorities (CA), and have these CAs issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). Add third-party certification authority provides an overview of this feature, and describes the Administrator tasks in Intune.”

The intended implementation is a .net core C# based Azure WebApp providing the SCEP and Intune API, using Bouncy Castle to implement the necessary certificate request handling and Azure Key Vault based RootCA and certificate signing. No other component should be involved, neither a database nor any other stateful storage except the Key Vault. That said, the concept will not need any backup procedures.


Register an application in Azure Active Directory

Add a new app registration in Azure Active Directory

  1. Login to your Azure Portal with an Admin Account.
  2. Navigate to Azure Active Directory
  3. Choose App registrations
  4. Click New registration
  5. Set supported account types to Accounts in this organizational directory only Screenshot
  6. Save the Application (client) ID somewhere because you will need it for the deployment Screenshot

Manage authentication

  1. Select the Authentication blade
  2. Check ID tokens in the Advaned settings section
  3. Save your changes Screenshot

Create a client secret

  1. Select the Certificates & secrets blade
  2. Add a new client secret with New client secret
  3. Define a Description and set expiration to Never
  4. Save the generated secret somewhere because you are not able to look it up again

Set API permissions

  1. Select the API permissions blade
  2. Click Add a permission to grant required permissions Screenshot
  3. Select Intune
  4. Choose Application permissions as the permission type
  5. Click scep_challenge_provider and confirm with Add permission
  6. Click Add a permission once again
  7. Select Microsoft Graph
  8. Expand Dirctory and check Directory.Read.All and confirm with Add permission
  9. Click Grant admin consent and confirm the displayed dialog with Yes Screenshot

Your API permissions should be configured like this: Screenshot

Deploy to Azure

When the app registration is done use this button to deploy SCEPMan to your Azure subscription.

Instead, you can also Deploy the Beta Channel.

When clicking the deploy button you will see this form dialog Screenshot

  1. Select an existing resource group or create a new one. The SCEPMan resources will be deployed in this resource group.
  2. Set the location according to your location
  3. Insert the GUID of the app registriation which you have created in the steps before
  4. Insert the client secret of this app registration
  5. Define a name for key vault, app service plan and web site
  6. Agree to the terms and conditions by clicking the checkbox
  7. Click Purchase

Sometimes it is necessary to restart the app service before SCEPMan runs properly.

Create root certificate

  • Send a post request to certsrv/mscep/mscep.dll/pkiclient.exe/create-root
  • Please look into the logs in case of any error.
You can’t perform that action at this time.