I've been working with the PowerShell examples at https://github.com/microsoftgraph/powershell-intune-samples and have created a SCEP certificate profile by exporting a profile that was manually defined in the Intune console, then importing it. The import is successful.

The SCEP profile needs to be linked to a root certificate that already exists as a Trusted certificate profile, but I cannot find a way to link it through the Graph API.

So when the SCEP profile is created from the import it has to be linked through the Intune console; once linked, the profile works as expected and the certificate is issued from the on-prem CA.

Api Ref: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/intune_deviceconfig_windows81scepcertificateprofile_create

Intune SCEP configuration: (search for 'Choose a root CA certificate') https://learn.microsoft.com/en-us/intune/certificates-scep-configure

Thanks!

Darrel Miller
Jon Young

1 Answer

This post is a bit old now, but my answer might still help someone. You have to bind the Trusted Certificate policy in your payload.

E.g. imagine that you have a Trusted root certificate profile with policy ID '123456ab-1234-56df-97ce-12ab34cd5678'.

The property would look something like this:

```json
"rootCertificate@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('123456ab-1234-56df-97ce-12ab34cd5678')"
```

The payload to create a Windows 8.1 SCEP profile would look like this:

```json
{
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "W81SCep",
  "description": "",
  "roleScopeTagIds": [],
  "@odata.type": "#microsoft.graph.windows81SCEPCertificateProfile",
  "renewalThresholdPercentage": 20,
  "subjectNameFormatString": null,
  "certificateStore": "user",
  "certificateValidityPeriodScale": "years",
  "certificateValidityPeriodValue": 1,
  "rootCertificate@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('123456ab-1234-56df-97ce-12ab34cd5678')",
  "subjectNameFormat": "commonName",
  "subjectAlternativeNameType": "userPrincipalName",
  "keyStorageProvider": "useSoftwareKsp",
  "keyUsage": "digitalSignature,keyEncipherment",
  "keySize": "size2048",
  "hashAlgorithm": "sha2",
  "extendedKeyUsages": [
    { "name": "Any Purpose", "objectIdentifier": "2.5.29.37.0" }
  ],
  "scepServerUrls": ["URLSCEP.com"]
}
```

This 'rootCertificate' property can be found on the main API reference page for the Windows 8.1 SCEP profile as a "Relationship" property. You can find it here: https://learn.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows81scepcertificateprofile?view=graph-rest-beta

It's really not very straightforward; I had to inspect a request in the Azure Portal to find out.

Ralms
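The answer above shows the payload; the following is an added PowerShell example (not from the question, the answer, or the powershell-intune-samples repository) that does the whole round trip against the Graph beta endpoint: look up the existing Trusted certificate profile by display name, build the SCEP payload with the `rootCertificate@odata.bind` navigation property pointing at that profile's id, POST it, and then read the new profile back with `$expand=rootCertificate` to confirm the binding actually landed. It assumes `$AccessToken` already holds a bearer token with `DeviceManagementConfiguration.ReadWrite.All`; the display name, SCEP URL and description are placeholders, and the `$expand=rootCertificate` read-back is assumed to be supported on this relationship. It also deliberately narrows the EKU from the answer's "Any Purpose" (2.5.29.37.0) to Client Authentication, which is the usual choice for a user certificate chained to an on-prem CA.

```powershell
# Added example: create a windows81SCEPCertificateProfile bound to an existing
# Trusted root certificate profile via Microsoft Graph (beta).
# Assumes $AccessToken is a valid bearer token; names/URLs below are placeholders.

$Graph   = "https://graph.microsoft.com/beta"
$Headers = @{
    Authorization  = "Bearer $AccessToken"
    "Content-Type" = "application/json"
}

# 1. Enumerate device configurations (following @odata.nextLink) and pick the
#    Trusted root profile client-side; $filter support on this collection is limited.
$rootName = "Corp Root CA - User"   # placeholder display name of the Trusted certificate profile
$all = @()
$uri = "$Graph/deviceManagement/deviceConfigurations"
do {
    $page = Invoke-RestMethod -Method Get -Headers $Headers -Uri $uri
    $all += $page.value
    $uri  = $page.'@odata.nextLink'
} while ($uri)

$root = @($all | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.windows81TrustedRootCertificate' -and
    $_.displayName -eq $rootName
})
if ($root.Count -eq 0) { throw "Trusted root certificate profile '$rootName' not found" }
if ($root.Count -gt 1) { throw "Multiple profiles named '$rootName'; bind by id instead" }
$rootId = $root[0].id

# 2. Build the SCEP payload. The link to the root profile is the
#    'rootCertificate@odata.bind' navigation property, not a plain field.
$payload = [ordered]@{
    "@odata.type"                  = "#microsoft.graph.windows81SCEPCertificateProfile"
    displayName                    = "W81SCep"
    description                    = "SCEP user certificate, created via Graph (placeholder)"
    renewalThresholdPercentage     = 20
    certificateStore               = "user"
    certificateValidityPeriodScale = "years"
    certificateValidityPeriodValue = 1
    subjectNameFormat              = "commonName"
    subjectAlternativeNameType     = "userPrincipalName"
    keyStorageProvider             = "useSoftwareKsp"
    keyUsage                       = "digitalSignature,keyEncipherment"
    keySize                        = "size2048"
    hashAlgorithm                  = "sha2"
    # Client Authentication only; avoids issuing an "Any Purpose" certificate.
    extendedKeyUsages              = @(@{ name = "Client Authentication"; objectIdentifier = "1.3.6.1.5.5.7.3.2" })
    scepServerUrls                 = @("https://scep.example.com/certsrv/mscep/mscep.dll")  # placeholder NDES URL
    "rootCertificate@odata.bind"   = "$Graph/deviceManagement/deviceConfigurations('$rootId')"
}

$scep = Invoke-RestMethod -Method Post -Headers $Headers `
    -Uri  "$Graph/deviceManagement/deviceConfigurations" `
    -Body ($payload | ConvertTo-Json -Depth 5)

# 3. Verify the relationship was persisted (assumes $expand works on rootCertificate).
$check = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri "$Graph/deviceManagement/deviceConfigurations/$($scep.id)?`$expand=rootCertificate"
if ($check.rootCertificate.id -ne $rootId) {
    throw "SCEP profile $($scep.id) was created but is not bound to root $rootId"
}
"Created SCEP profile $($scep.id) bound to Trusted root profile $rootId"
```

The read-back in step 3 is the part worth keeping in any import script: a POST that silently drops the binding still returns 201, and the profile will then fail at enrollment time exactly as the question describes, so checking `rootCertificate` on the created object is the cheapest way to catch it before assigning the profile to a group.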