I can set up certificate distribution and wireless profiles in Intune for devices with user affinity and this works fine. The user account is synchronised with our on-site AD server and NPS has an account to use for permissions. However, for devices purely in Azure without user affinity there's no account for NPS to use for permissions. I could create these manually, but is there a way to do this using Microsoft applications, either by authenticating against Azure or getting the accounts created in AD?

Thanks

1 Answer

If you synchronize the AAD computer objects to AD, you can use NPS for authentication. Andrew Blackburn wrote an article about this including a PowerShell script to create the copies in AD. Chris Beattie wrote another article based on Andrew's that adds some thoughts on how to get the certificates on the devices.

However, Microsoft has recently published a fix for the Certifried vulnerability that prevents using the copied device objects no later than 2023-05-09, as they have different SIDs.

So, what are solutions that still work in May 2023?

  • Hybrid-join your devices. IMHO, this is a step back, as you increase your on-prem dependency.
  • Use a different NAC that does not require AD objects, which is virtually any but NPS (e.g. Cisco ISE). I work for a company that offers RADIUS-as-a-Service, so this is my natural recommendation if you want a cloud-based infrastructure.
Froggy
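The object-copying approach the answer refers to, as an added illustration (this is not the script from the cited articles and not part of the original answer): it lists Azure AD-joined devices through Microsoft Graph and creates a matching computer object in on-prem AD for each one that is missing, so NPS has an account to authorise. The naming convention (computer name equal to the Azure AD device ID), the 15-character sAMAccountName truncation and the target OU are assumptions; adjust them to whatever your Intune certificate profile puts in the subject. `-WhatIf` is supported, so you can inventory the gap without creating anything. The final comment records the answer's caveat: once the Certifried fix is enforced, these copies fail because their SIDs do not match.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement

function Get-AadJoinedDevice {
    # Pull devices from Azure AD via Microsoft Graph (needs Device.Read.All).
    # Assumption: only purely Azure AD-joined devices (TrustType 'AzureAd') are
    # of interest; hybrid-joined ones already have a real AD computer object.
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    Get-MgDevice -All |
        Where-Object { $_.TrustType -eq 'AzureAd' -and $_.AccountEnabled } |
        Select-Object DisplayName, DeviceId
}

function Sync-AadDeviceToAd {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Objects with DisplayName and DeviceId, e.g. from Get-AadJoinedDevice
        [Parameter(Mandatory)] [object[]] $Devices,
        # Assumed target container, e.g. 'OU=AAD-Devices,DC=corp,DC=example'
        [Parameter(Mandatory)] [string]   $TargetOU
    )

    $result = [ordered]@{ Created = 0; Existing = 0; Failed = 0 }

    foreach ($d in $Devices) {
        # Assumption: the AD computer name is the Azure AD device ID (a GUID),
        # which must then also be what the Intune SCEP/PKCS profile places in
        # the certificate subject so NPS can match certificate to account.
        $name = $d.DeviceId

        # Computer sAMAccountNames are limited to 15 characters plus a trailing
        # '$' by legacy tooling; truncating the GUID is our own convention.
        $sam = $name.Substring(0, 15) + '$'

        # Skip objects that already exist so the script is safe to re-run.
        $existing = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($existing) { $result.Existing++; continue }

        if ($PSCmdlet.ShouldProcess("$name ($($d.DisplayName))", 'Create AD computer object')) {
            try {
                New-ADComputer -Name $name -SamAccountName $sam -Path $TargetOU `
                    -Description "Copy of Azure AD device $($d.DisplayName) for NPS" `
                    -ErrorAction Stop
                $result.Created++
            }
            catch {
                Write-Warning "Could not create $name : $($_.Exception.Message)"
                $result.Failed++
            }
        }
    }

    # Caveat from the answer above: the copied object gets a fresh AD SID that
    # is unrelated to the Azure AD device, so once the Certifried fix is
    # enforced on the domain controllers, certificate authentication against
    # these objects fails. Treat this as a stopgap, not a long-term design.
    [pscustomobject]$result
}

# Usage (dry run first):
#   $devices = Get-AadJoinedDevice
#   Sync-AadDeviceToAd -Devices $devices -TargetOU 'OU=AAD-Devices,DC=corp,DC=example' -WhatIf
#   Sync-AadDeviceToAd -Devices $devices -TargetOU 'OU=AAD-Devices,DC=corp,DC=example'
```

Run it with `-WhatIf` from a workstation that has both the ActiveDirectory and Microsoft.Graph modules and rights on the target OU; the returned object tells you how many objects would be created, already exist, or failed, which is also a useful audit of how far your NPS coverage has drifted from the Azure AD device inventory.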