As you are probably aware, Microsoft has introduced a new Intune service – Cloud PKI – to deliver cloud based certification authority services (see https://blog.hametbenoit.info/2024/03/01/intune-new-cloud-pki-feature/).
Well, this service has been updated to allow you to pause, delete or revoke your Cloud PKI.
NOTE: if you created the Cloud PKI during the preview or before the licensing requirements (Intune Suite or the corresponding standalone license) were in place, you will not be able to perform any of these actions until you meet those requirements.
Before we start, a few details about each action – of course the last two (revoke/delete) make every issued certificate invalid, since it can no longer be trusted.
- Pause CA – stops the CA from issuing any new certificates while keeping the service alive; certificates already issued remain valid and trusted until they expire (pausing does not revoke anything). Before you pause the authority, first remove any assignment of the SCEP, Wi-Fi, email or VPN policies configured to use it.
- Revoke CA – revokes all active leaf certificates and then the CA certificate itself; this should be the first action before deleting the CA from Intune. All issued certificates become invalid (clients see this once they retrieve the CA's updated CRL).
- Delete CA – deletes and removes the CA from Microsoft Intune.
To be able to perform these actions, you need one of the following RBAC roles:
- Built-in role: Intune Administrator
- Custom Intune role, assigned the following Intune permissions:
  - Read CAs
  - Disable and re-enable CAs
  - Revoke issued leaf certificates
To perform any of these actions, connect to your Intune tenant (https://intune.microsoft.com/) and open the Tenant administration\Cloud PKI blade.
Then select one of your authorities. If you plan to delete your Cloud PKI completely, perform the actions on the issuing authority (or authorities) first, before deleting the root one.
You can then choose to pause, revoke or delete it.
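Whichever action you pick, you will want to verify the effect on the certificates already deployed to devices. The following PowerShell is an added example written for this post (it is my own, not code from the original article or from Microsoft): run on an enrolled Windows device, it lists every certificate in the machine and user personal stores issued by the Cloud PKI issuing CA and builds each chain with online revocation checking. After a pause the existing certificates should still report Valid; after a revoke they should report Revoked once the device has fetched the updated CRL. The issuing CA name (`Contoso Intune Issuing CA`) and the store paths are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Lists device/user certificates issued by a
# Cloud PKI issuing CA and reports whether each still chains and passes revocation checks.
# The CA common name passed in below is an assumption; replace it with your own issuing CA's CN.
function Get-CloudPkiCertificateStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$IssuerCN,
        # Personal stores of the machine and the interactive user (assumed locations).
        [string[]]$Store = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    foreach ($path in $Store) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -match "CN=$([regex]::Escape($IssuerCN))" } |
            ForEach-Object {
                $cert  = $_
                $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                try {
                    # Force a live CRL/OCSP check of the whole chain and do not ignore any error,
                    # so a revoked leaf or a revoked/unreachable CA shows up in the result.
                    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
                    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
                    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

                    $valid  = $chain.Build($cert)
                    # On failure, report every distinct chain status (e.g. Revoked, RevocationStatusUnknown).
                    $status = if ($valid) { 'Valid' } else { ($chain.ChainStatus.Status | Sort-Object -Unique) -join ',' }

                    [pscustomobject]@{
                        Store      = $path
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        Status     = $status
                    }
                }
                finally {
                    $chain.Dispose()
                }
            }
    }
}

# Example run (CA name assumed): show everything issued by the Cloud PKI issuing CA,
# i.e. exactly the certificates that a revoke of that CA would invalidate.
$results = @(Get-CloudPkiCertificateStatus -IssuerCN 'Contoso Intune Issuing CA')
$results | Format-Table Store, Subject, Thumbprint, NotAfter, Status -AutoSize

$stillTrusted = @($results | Where-Object Status -eq 'Valid')
Write-Host ("{0} certificate(s) still chain and pass revocation checks; {1} do not." -f $stillTrusted.Count, ($results.Count - $stillTrusted.Count))
```

Two things to keep in mind when reading the output. Windows caches CRLs until their next-update time, so immediately after a revoke a device may still report Valid; clear the cache with `certutil -urlcache crl delete` or wait for the CRL to refresh. And if the CA has already been deleted, the CRL distribution point disappears with it, so chain building reports RevocationStatusUnknown/OfflineRevocation rather than Revoked, which is one more reason to revoke before you delete.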