How can we improve Azure Active Directory?

← Azure Active Directory

enterprise certificate authority (ca)

Allow for creating Enterprise CA

19 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bill McIlhargey shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

4 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Mike Stephens commented  ·   ·  Flag as inappropriate

    HI Folks -- Interesting request and a dangerous one as well. Having the root of your PKI in the cloud should not be taken lightly. What's missing from this request is why? Azure AD DS is not a replacement for on-prem AD DS. It's to provided legacy authentication for traditional on-premises applications so you can host them in Azure. Most public endpoints using server authentication are typically protected using a public CA issued end-entity certificate. If you need some issued from your private CA, this can still be accomplished using PFX files. So, what is the scenario where certificates must be *issued* from the cloud? Where are the private keys for the CA stored? How is that protected? What enrollment protocol will be used? What's the connectivity between the requester and the CA? All good questions that can help me create a story for why this feature is needed. And yes, sorry @RadioGenX, Azure AD DS has a strong security posture that does not allow DA or EA permissions and you need EA permissions to install a CA.

    Also, did you know that if you need to issue certificates over the web and you have an enterprise CA-- you can use CEP/CES with your windows devices to enroll certificates just fine. You may want to check that out.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  • RadioGenX commented  ·   ·  Flag as inappropriate

    The wind just left my sails as I'm learning that I cannot create an enterprise PKI in my ADDS. I've been an on-prem AD admin for 20 years and have been rolling along nicely with my first ADDS set up in Azure. I've built my VM to host the certificate authority, joined it to my domain, and go to add the role .... and the enterprise pki button is grayed out!? I'm thinking I did something wrong, how can this be? This cannot possibly be by design. If this restriction is really by design, I'm going to have to re-think my entire strategy.

    PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 3

    Install-AdcsCertificationAuthority : CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5
    ERROR_ACCESS_DENIED)
    At line:1 char:1

    REALLY?

  • Cameron Gocke commented  ·   ·  Flag as inappropriate

    To elaborate, with the Intune ability to integrate and issue certificates, but only from an Enterprise CA, this feature would be immensely helpful. We currently cannot use our Microsoft CA within Azure AD Domain Services b/c of the restriction on the ability to create an Enterprise CA.

  • Ivo Vitorino commented  ·   ·  Flag as inappropriate

    Allow the usage of Active Directory Certifiacte Services with an HSM on prem - i just cjecked and is my understanding that even Azure Key Vault CANNOT be use to create / store the CA keys - i see this as big issue under PKI requirements.

Azure Active Directory: Domain Services

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice