How can we improve Azure Active Directory?

← Azure Active Directory

enterprise certificate authority (ca)

Allow for creating Enterprise CA

33 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bill McIlhargey shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

9 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Tre`Von McKay commented  ·   ·  Flag as inappropriate

    We're looking to setup issue certificates using the Intune connector but it requires an Enterprise CA which I currently cannot deploy to Azure AD Domain Services

  • Jake Edwards commented  ·   ·  Flag as inappropriate

    I've posted a similar idea here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/41094325-allow-azure-ad-to-serve-as-a-certificate-authority

    We want to get rid of our Domain one day, but certificate based authentication is holding us back. If we could leverage the devices certificates issued to InTune devices or similar, that might also work.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Not having enterprise CA basically pigeon-holes company's that want to secure assets into a hybrid environment. Since AADDS will not support enterprise CA, company's must build out their own domain services, either on prem or in the cloud with AD-connect to support PKI type deployments.

    Microsoft is not ready to support company's with full cloud environment's, and this is a great example.

  • Kevin McCormick commented  ·   ·  Flag as inappropriate

    Mike, the use case myself and many others are trying to accomplish here is to eliminate on-prem AD DS. Microsoft's overall story is cloud-first, AAD join, Intune, etc. My endpoints can do 98% of what they need with AAD+Intune only. For the other 2%, I have dependencies on AD DS. That's the gap that AADDS is supposed to fill.

    However, the authentication experience is lacking. We can't authenticate to AADDS with any form of SSO. Issuing certificates from an AADDS-hosted Enterprise CA via Intune is one way of fixing that problem. Another potential solution is enabling Windows Hello for Business configured for AAD join + Intune to authenticate to AADDS-joined resources. I believe the WHFB support is the driver behind https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31470550-domain-services.

  • Mike Stephens commented  ·   ·  Flag as inappropriate

    HI Folks -- Interesting request and a dangerous one as well. Having the root of your PKI in the cloud should not be taken lightly. What's missing from this request is why? Azure AD DS is not a replacement for on-prem AD DS. It's to provided legacy authentication for traditional on-premises applications so you can host them in Azure. Most public endpoints using server authentication are typically protected using a public CA issued end-entity certificate. If you need some issued from your private CA, this can still be accomplished using PFX files. So, what is the scenario where certificates must be *issued* from the cloud? Where are the private keys for the CA stored? How is that protected? What enrollment protocol will be used? What's the connectivity between the requester and the CA? All good questions that can help me create a story for why this feature is needed. And yes, sorry @RadioGenX, Azure AD DS has a strong security posture that does not allow DA or EA permissions and you need EA permissions to install a CA.

    Also, did you know that if you need to issue certificates over the web and you have an enterprise CA-- you can use CEP/CES with your windows devices to enroll certificates just fine. You may want to check that out.

    Mike Stephens
    Senior Program Manager
    Azure Identity
    IAM Core | Domain Services

  • RadioGenX commented  ·   ·  Flag as inappropriate

    The wind just left my sails as I'm learning that I cannot create an enterprise PKI in my ADDS. I've been an on-prem AD admin for 20 years and have been rolling along nicely with my first ADDS set up in Azure. I've built my VM to host the certificate authority, joined it to my domain, and go to add the role .... and the enterprise pki button is grayed out!? I'm thinking I did something wrong, how can this be? This cannot possibly be by design. If this restriction is really by design, I'm going to have to re-think my entire strategy.

    PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 3

    Install-AdcsCertificationAuthority : CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5
    ERROR_ACCESS_DENIED)
    At line:1 char:1

    REALLY?

  • Cameron Gocke commented  ·   ·  Flag as inappropriate

    To elaborate, with the Intune ability to integrate and issue certificates, but only from an Enterprise CA, this feature would be immensely helpful. We currently cannot use our Microsoft CA within Azure AD Domain Services b/c of the restriction on the ability to create an Enterprise CA.

  • Ivo Vitorino commented  ·   ·  Flag as inappropriate

    Allow the usage of Active Directory Certifiacte Services with an HSM on prem - i just cjecked and is my understanding that even Azure Key Vault CANNOT be use to create / store the CA keys - i see this as big issue under PKI requirements.

Azure Active Directory: Domain Services

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice