SSL.com

S/MIME Certificate Management with Microsoft Azure Active Directory and inTune using SSL.com Azure Integration Tool

Introduction

Microsoft Intune allows for the integration of imported PFX certificates, which are often used for S/MIME encryption in email profiles. Intune supports the import of PFX certificates across these platforms:

Understanding S/MIME Certificate Deployment Using Intune

When Intune is used to deploy an imported PFX certificate to a user, two key components play a role alongside the device:

Specific Roles of Actors

Workflow Summary

  1. The organization registers their enterprise app in Entra ID.
  2. The enterprise app details are also registered with SSL.com.
  3. Intune administrators purchase certificates for users from SSL.com.
  4. During the purchase, the administrators select the purpose of the certificate, such as general use, S/MIME Encryption, or S/MIME Signing.
  5. The PFX certificate is then imported into Intune for the user’s account.
  6. Intune connects with the Intune connector to validate the certificate.
  7. Once validated, Intune deploys the certificate to the user’s device.
The specific steps for the workflow and integration are discussed in the following sections.
Strengthen your email security and protect sensitive data with SSL.com S/MIME certificates.

Secure Your Email

How to Configure Microsoft Intune and Microsoft Active Directory for S/MIME Certificates

Prerequisites

Listed below are the prerequisites for the API. These need to be configured on the Intune tenant to which certificates will be imported from SSL.com.

Permission requirements for Enterprise application to import the certificate

  1. Under App registrations >> application name, click API Permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Click Delegated Permissions and search for user.read. Check the boxes for User.Read and User.Read.All.
  5. Click Delegated permissions and search for “group”. Check the box for Group.ReadWrite.All.
  6. Click Delegated Permissions and search for “DeviceManagementApps”. Check the box for DeviceManagementApps.ReadWrite.All.
  7. Search for “DeviceManagementConfiguration”. Check the boxes for DeviceManagementConfiguration.Read.All and DeviceManagementConfiguration.ReadWrite.All. Proceed to click the Add permissions button.
  8. Click Add a permission.
  9. Select Microsoft Graph.
  10. Click Application permissions and search for “user.read”. Check the boxes for User.Read.All and User.ReadWrite.All.
  11. Click Application permissions and search for “group”. Check the box for Group.ReadWrite.All.
  12. Click Application permissions and search for “deviceManagementApps”. Check the box for DeviceManagementApps.ReadWrite.All
  13. Click Application permissions and search for “DeviceManagementService”. Check the box for DeviceManagementService.ReadWrite.All
  14. Search for “DeviceManagementConfiguration” and check the boxes for DeviceManagementConfiguration.Read.All and DeviceManagementConfiguration.ReadWrite.All. Proceed to click the Add Permissions button.
  15. Once all the rights are assigned, click Grant admin consent for [name of organization].
  16. Click Yes to grant the permission
  17. The permission should now be granted successfully.

How to Export Certificates to Azure Active Directory Using SSL.com Azure Integration Tool

The following sections provide instructions on how to use the SSL.com Azure Integration Tool to export certificates to Azure Active Directory. 

Requirements from SSL.com

  1. An active Identity pre-validation agreement also known as an Enterprise PKI (EPKI) Agreement. Find instructions here (Enterprise PKI (EPKI) Agreement Setup) to submit and activate this agreement. Once activated, the steps in the next section can be performed.
  2. Configured Microsoft Entra and Intune account, as described in this previous section: How to Configure Microsoft Intune and Microsoft Active Directory for S/MIME Certificates.

Configure Azure Sync

  1. Login to your SSL.com account and click Integrations on the top menu. From the listed options,, click Azure AD.
  2. Fill out the required fields for Azure integration. Afterwards, click the Save button.
    1. Client ID. Application (client) ID.
    2. Client Secret. Copy client secret(s) value from client credentials.
    3. Tenant ID. Directory (tenant) ID.
    4. Intune Public Key. Base64 version of the Public key exported from Intune connector server. For more details, check out this Microsoft resource.

Use the SSL.com Azure Integration Tool for Issuance of S/MIME certificates

  1. Once the Azure setting has been created. Click the Authorize link. 

  2. Click Azure Users so that the list of users from Azure can be imported to SSL.com’s system.

  3. You will be prompted to login to your Microsoft account.
  4. Click the Import Users button on the SSL.com Azure Integration Tool.
  5. SSL.com will notify that the information of the Azure users who will be assigned digital certificates are in process of being imported. Reload the page to confirm that these have been imported. 
  6. SSL.com will show the list of Azure users, indicated by their first name, last name, and email address. Tick the check box for all the users that will be assigned with a certificate.  The amount of users displayed in the list can be increased by clicking the drop-down arrow at the lower-left of the page. Upon finalization of selected users, click the Enroll Certificate button to proceed.
  7. Accomplish the requirements for the certificate.
    1. Certificate: Choose the type of certificate you want to assign for the selected users.
    2. Duration: Specify the length of time before the certificate expires. 
    3. Intended Purpose: Choose among General Purpose, SMIME Encryption, or SMIME Signing.
    4. After the choices are finalized, click the Add button.

  8. Each user will be assigned a new certificate order from here. With the presence of an Identity pre-validation agreement, each order will be auto-validated and issued. The successful issuance of the certificate can be confirmed by clicking Orders from the top menu, followed by the details link of the particular order. By scrolling down and clicking the END ENTITY CERTIFICATES section, the details of the certificate will appear including its ISSUED status. 


Related Guides: 

LDAP, or Lightweight Directory Access Protocol, is a widely recognized standard for managing directory information services, including user and group data within a network. Just like Azure Active Directory, LDAP provides robust management of digital certificates, though the two systems employ distinct security protocols.  If you are looking to manage your S/MIME certificates with a service that uses LDAP, please refer to this SSL.com article: LDAP Integration with S/MIME Certificates.
Exit mobile version