enterprise certificate authority (ca)
Allow for creating Enterprise CA
Kevin McCormick commented
Mike, the use case that I and many others are trying to accomplish here is to eliminate on-prem AD DS. Microsoft's overall story is cloud-first, AAD join, Intune, etc. My endpoints can do 98% of what they need with AAD+Intune only. For the other 2%, I have dependencies on AD DS. That's the gap that AADDS is supposed to fill.
However, the authentication experience is lacking. We can't authenticate to AADDS with any form of SSO. Issuing certificates from an AADDS-hosted Enterprise CA via Intune is one way of fixing that problem. Another potential solution is enabling Windows Hello for Business configured for AAD join + Intune to authenticate to AADDS-joined resources. I believe the WHFB support is the driver behind https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31470550-domain-services.
Mike Stephens commented
Hi folks -- Interesting request and a dangerous one as well. Having the root of your PKI in the cloud should not be taken lightly. What's missing from this request is why? Azure AD DS is not a replacement for on-prem AD DS. It's to provide legacy authentication for traditional on-premises applications so you can host them in Azure. Most public endpoints using server authentication are typically protected using a public CA issued end-entity certificate. If you need some issued from your private CA, this can still be accomplished using PFX files. So, what is the scenario where certificates must be *issued* from the cloud? Where are the private keys for the CA stored? How is that protected? What enrollment protocol will be used? What's the connectivity between the requester and the CA? All good questions that can help me create a story for why this feature is needed. And yes, sorry @RadioGenX, Azure AD DS has a strong security posture that does not allow DA or EA permissions and you need EA permissions to install a CA.
Also, did you know that if you need to issue certificates over the web and you have an enterprise CA, you can use CEP/CES with your Windows devices to enroll certificates just fine. You may want to check that out.
Senior Program Manager
IAM Core | Domain Services
The wind just left my sails as I'm learning that I cannot create an enterprise PKI in my ADDS. I've been an on-prem AD admin for 20 years and have been rolling along nicely with my first ADDS set up in Azure. I've built my VM to host the certificate authority, joined it to my domain, and go to add the role... and the Enterprise PKI button is grayed out!? I'm thinking I did something wrong; how can this be? This cannot possibly be by design. If this restriction is really by design, I'm going to have to re-think my entire strategy.
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 3
Install-AdcsCertificationAuthority : CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5
At line:1 char:1
Cameron Gocke commented
To elaborate, with the Intune ability to integrate and issue certificates, but only from an Enterprise CA, this feature would be immensely helpful. We currently cannot use our Microsoft CA within Azure AD Domain Services b/c of the restriction on the ability to create an Enterprise CA.
Ivo Vitorino commented
Allow the usage of Active Directory Certificate Services with an HSM on-prem. I just checked and it is my understanding that even Azure Key Vault CANNOT be used to create / store the CA keys. I see this as a big issue under PKI requirements.
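A pre-flight check for the failure quoted earlier in the thread, together with hardened CA parameters that address the HSM point above. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory and ADCSDeployment RSAT modules on a domain-joined server, and the HSM key storage provider name is a placeholder you must replace.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and ADCSDeployment
# modules are present and that this runs as the account that will install the CA.
Import-Module ActiveDirectory
Import-Module ADCSDeployment

# An Enterprise CA writes to the forest-wide Configuration partition, so the installing
# account must be an Enterprise Admin in the forest root domain. Azure AD DS does not
# grant EA to customers, which is why the install fails with
# "CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005".
$forest  = Get-ADForest
$rootDc  = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$eaGroup = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDc
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The logon token already contains nested group SIDs, so comparing token SIDs against the
# group's SID also catches membership through an intermediate group.
$isEnterpriseAdmin = $me.Groups.Value -contains $eaGroup.SID.Value

if (-not $isEnterpriseAdmin) {
    Write-Warning "$($me.Name) is not an Enterprise Admin in $($forest.RootDomain); an Enterprise CA install will fail here."
    Write-Warning "In Azure AD DS this is by design: install the Enterprise CA in a forest you administer, or use a standalone CA."
    return
}

# Hardened parameters compared with the SHA1 / software-KSP command quoted above:
# SHA-256, a 4096-bit key, and an HSM-backed key storage provider so the CA private key
# never exists in software. The provider string is a PLACEHOLDER; use the exact name your
# HSM vendor registers on the server (certutil -csplist lists the installed providers).
$caParams = @{
    CAType              = 'EnterpriseRootCa'
    CryptoProviderName  = 'RSA#<YOUR-HSM-KSP-NAME>'   # placeholder, replace before use
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    Force               = $true
}

# Preview the installation first; drop -WhatIf to perform it.
Install-AdcsCertificationAuthority @caParams -WhatIf
```

Run the check on the target server before committing to a CA design, since on a managed domain the warning branch is the expected outcome.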