
Microsoft Intune Feedback

Extend the SCEP enrollment profile with additional Active Directory attributes

At the moment only two user attributes (CN and UPN) are available to use in SCEP profiles. With our current MDM solution it is possible to use every AD attribute to request a certificate with this unique attribute. Both Intune and the other MDM solution are using the same SCEP server so it is possible. This seems like extending a table in Intune or using a text box with variables. We have the need to use ExtensionAttributes as the unique identifier for a certificate.

146 votes
Mathieu shared this idea

Admin response:

As of the week of April 23, 2018, you can use the OnPremisesSamAccountName as the common name in a custom subject on a SCEP certificate profile. For example, you can use CN={OnPremisesSamAccountName}.

As of Dec 11, when you create a SCEP certificate profile in Intune, you can now use the AAD_DEVICE_ID variable when you build the custom subject name. When the certificate is requested using this SCEP profile, the variable is replaced with the AAD device ID of the device making the certificate request.
https://docs.microsoft.com/en-us/intune/whats-new

I don’t think it gives you everything you want, but how close are we?

8 comments

  • Stephan commented

    We need to add a number of custom attributes from AAD (i.e. employee entity, employee country, employee language, …) to the certificate.
    Can't you come up with a mechanism to flexibly add any user/device AAD attribute to the certificate request?

  • Anonymous commented

    Need more custom attributes: ExtensionAttributes and preferably custom attributes.

  • Marcel Brumme commented

    Well, I agree with that idea! We also need our employeeID, which is already in AAD, so we just want to place it as "UID" in the CSR... That this is not possible at this time forces us to use AirWatch instead!

  • Florian Geiger commented

    The custom attributes don't work for iOS SCEP profiles, only for Android. I would extend that request to that as well.

  • Derek commented

    Today we can only add the AAD_Device_ID variable in the CN field of the subject.
    We would like more flexibility on this such as putting it in other fields in the subject or in the SAN.

    The CN field is usually what is presented to the user (if they get a popup asking for a certificate), and having the device ID in there is not helpful.

    But we do want the ID in the cert somewhere.
