Intune – You can now pause, revoke or delete your Cloud PKI

As you are probably aware, Microsoft has introduced a new Intune service – Cloud PKI – to deliver cloud-based certification authority services (see https://blog.hametbenoit.info/2024/03/01/intune-new-cloud-pki-feature/).

Well, this service has been updated to allow you to pause, delete or revoke your Cloud PKI.

NOTE: if you created the Cloud PKI during the preview or before the licensing requirements (Intune Suite or corresponding standalone license) took effect, you will not be able to perform any of these actions – you will need to meet the requirements.

Before we start, a few details about each action – of course, the last two (delete/revoke) will make any issued certificates invalid, as they can no longer be trusted.

  1. Pause CA – Pause the CA to stop use of it while still keeping the service alive; it will stop delivering any new certificates, while existing issued certificates should still be valid and trusted. When you pause the authority, you will also first need to remove any assignment to SCEP, Wi-Fi, email or VPN policies configured to use it.
  2. Revoke CA – Revoke all active leaf certificates and then revoke the CA; this should be the first action before deleting the CA from Intune. All issued certificates will be invalid.
  3. Delete CA – Delete and remove the CA from Microsoft Intune.

To be able to perform these actions, you need either of the following RBAC roles:

  • Built-in role
    • Intune Administrator
  • Custom Intune role, assigned the following Intune permissions:
    • Read CAs
    • Disable and reenable CAs
    • Revoke issued leaf certificates

To perform any of these actions, connect to your Intune tenant (https://intune.microsoft.com/) and access the Tenant administration\Cloud PKI blade.

Then, select one of your authorities – if you plan to completely delete your Cloud PKI, you will have to perform the actions on the issuing authority (or authorities) first, before deleting the root one.

You can then choose to either pause, revoke or delete.
