S/MIME Certificate Management with Microsoft Azure Active Directory and Intune using SSL.com Azure Integration Tool

What is Azure Active Directory?

Azure Active Directory (Azure AD) is an identity and access management service that also integrates the management of digital certificates. This lets organizations centralize certificate management, improving security and simplifying administration. By using Azure AD, enterprises can manage their digital certificates with high availability and in compliance with industry standards, safeguarding sensitive information and communications.

What is Microsoft Intune? 

Microsoft Intune streamlines the deployment of S/MIME certificates across devices, enhancing email security through encryption and digital signatures. With Intune, organizations can automatically deliver S/MIME signing and encryption certificates to devices running Android, iOS/iPadOS, macOS, and Windows 10/11. On iOS devices using the native mail client, and on iOS and Android devices using Outlook, the S/MIME certificates are automatically associated with the mail profiles. For Windows and macOS, as well as other mail clients on iOS and Android, Intune distributes the S/MIME certificates, but users must manually enable S/MIME in their mail application and select their certificates. This makes S/MIME certificates readily available on managed devices, so that encrypted and signed email can be used across the organization.

How to Configure Microsoft Intune and Microsoft Active Directory for S/MIME Certificates

Prerequisites

Listed below are the prerequisites for the API. These must be configured on the Intune tenant into which certificates will be imported from SSL.com.

Permission requirements for the enterprise application that imports the certificates

  1. Under App registrations >> application name, click API Permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Click Delegated permissions and search for “user.read”. Check the boxes for User.Read and User.Read.All.
  5. Click Delegated permissions and search for “group”. Check the box for Group.ReadWrite.All.
  6. Click Delegated permissions and search for “DeviceManagementApps”. Check the box for DeviceManagementApps.ReadWrite.All.
  7. Search for “DeviceManagementConfiguration”. Check the boxes for DeviceManagementConfiguration.Read.All and DeviceManagementConfiguration.ReadWrite.All. Then click the Add permissions button.
  8. Click Add a permission.
  9. Select Microsoft Graph.
  10. Click Application permissions and search for “user.read”. Check the boxes for User.Read.All and User.ReadWrite.All.
  11. Click Application permissions and search for “group”. Check the box for Group.ReadWrite.All.
  12. Click Application permissions and search for “deviceManagementApps”. Check the box for DeviceManagementApps.ReadWrite.All.
  13. Click Application permissions and search for “DeviceManagementService”. Check the box for DeviceManagementService.ReadWrite.All.
  14. Search for “DeviceManagementConfiguration” and check the boxes for DeviceManagementConfiguration.Read.All and DeviceManagementConfiguration.ReadWrite.All. Then click the Add permissions button.
  15. Once all the permissions are added, click Grant admin consent for [name of organization].
  16. Click Yes to grant the permissions.
  17. The permissions should now show as granted.

How to Export Certificates to Azure Active Directory Using SSL.com Azure Integration Tool

The following sections provide instructions on how to use the SSL.com Azure Integration Tool to export certificates to Azure Active Directory. 

Requirements from SSL.com

  1. An active Identity pre-validation agreement, also known as an Enterprise PKI (EPKI) Agreement. Instructions for submitting and activating this agreement are in Enterprise PKI (EPKI) Agreement Setup. Once it is activated, the steps in the next section can be performed.
  2. A configured Microsoft Entra and Intune account, as described in the previous section: How to Configure Microsoft Intune and Microsoft Active Directory for S/MIME Certificates.

Configure Azure Sync

  1. Log in to your SSL.com account and click Integrations on the top menu. From the listed options, click Azure AD.
  2. Fill out the required fields for the Azure integration, then click the Save button.
    1. Client ID: the Application (client) ID of the app registration.
    2. Client Secret: the value of a client secret created under the app registration’s client credentials.
    3. Tenant ID: the Directory (tenant) ID.
    4. Intune Public Key: the Base64-encoded public key exported from the Intune connector server. For more details, see this Microsoft resource.
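
The Client ID, Client Secret and Tenant ID entered above are the inputs to an OAuth 2.0 client-credentials request, and the application permissions granted in the permission list earlier appear as the `roles` claim of the resulting app-only access token. The following added example (not code from the SSL.com tool or from Microsoft) builds that token request for the Microsoft identity platform v2.0 endpoint with the Graph `.default` scope, decodes the claims of a returned token, and audits the `roles` claim against the application permissions the guide lists, reporting anything missing and anything granted beyond that set. The sample token is constructed and unsigned; the code does not verify signatures, so this is a configuration check, not an authorization decision. The endpoint, scope and claim names are assumptions based on the Microsoft identity platform, not statements from the guide.

```python
"""Audit an app-only Graph token against the permissions this guide requires.

Added example, not part of the SSL.com guide. The endpoint and scope below are
the standard Microsoft identity platform values (an assumption, not from the
guide); the sample token is constructed locally and carries no real signature.
"""
import base64
import json
from urllib.parse import urlencode

# Application permissions required by the guide's permission list (names copied from it).
REQUIRED_APP_ROLES = {
    "User.Read.All",
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementService.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
}

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Return (url, form_body) for the client-credentials grant. Nothing is sent here."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_app_roles(claims: dict) -> dict:
    """Compare the token's `roles` claim (application permissions) with the required set.

    App-only tokens carry application permissions in `roles`; delegated tokens carry
    scopes in `scp` instead, so a delegated token shows every required role as missing.
    """
    granted = set(claims.get("roles", []))
    return {
        "missing": sorted(REQUIRED_APP_ROLES - granted),   # consent still needed
        "extra": sorted(granted - REQUIRED_APP_ROLES),     # review against least privilege
        "ok": REQUIRED_APP_ROLES <= granted,
    }


def _make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token; the signature segment is a placeholder."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
        "roles": roles,
    }
    return ".".join([
        enc(json.dumps(header).encode()),
        enc(json.dumps(payload).encode()),
        enc(b"signature-omitted"),
    ])


# Constructed sample: one required role has not been consented, one extra role was granted.
SAMPLE_TOKEN = _make_sample_token([
    "User.Read.All",
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "Directory.Read.All",
])

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    print(body)
    print(json.dumps(audit_app_roles(token_claims(SAMPLE_TOKEN)), indent=2))
```

Run the audit against a real token only after obtaining it with the request the block builds; the `extra` list is the place to look when the app registration has accumulated permissions the integration does not need.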

Use the SSL.com Azure Integration Tool for Issuance of S/MIME certificates

  1. Once the Azure setting has been created, click the Authorize link.
  2. Click Azure Users so that the list of users from Azure can be imported into SSL.com’s system.
  3. You will be prompted to log in to your Microsoft account.
  4. Click the Import Users button on the SSL.com Azure Integration Tool.
  5. SSL.com will notify you that the information for the Azure users who will be assigned digital certificates is being imported. Reload the page to confirm that the users have been imported.
  6. SSL.com will show the list of Azure users, indicated by first name, last name, and email address. Tick the check box for every user who will be assigned a certificate. The number of users displayed in the list can be increased by clicking the drop-down arrow at the lower left of the page. Once the selection is final, click the Enroll Certificate button to proceed.
  7. Complete the certificate details.
    1. Certificate: Choose the type of certificate to assign to the selected users.
    2. Duration: Specify the length of time before the certificate expires.
    3. Intended Purpose: Choose among General Purpose, SMIME Encryption, or SMIME Signing.
    4. After the choices are finalized, click the Add button.
  8. Each user is assigned a new certificate order from here. Because an Identity pre-validation agreement is in place, each order is auto-validated and issued. To confirm successful issuance, click Orders in the top menu, then the details link of the particular order. Scroll down and click the END ENTITY CERTIFICATES section; the certificate details, including its ISSUED status, will appear.

Related Guides: 

LDAP, or Lightweight Directory Access Protocol, is a widely recognized standard for managing directory information services, including user and group data within a network. Like Azure Active Directory, LDAP provides robust management of digital certificates, though the two systems employ distinct security protocols. If you are looking to manage your S/MIME certificates with a service that uses LDAP, please refer to this SSL.com article: LDAP Integration with S/MIME Certificates.
