Split-Tenancy

Overview

SCEPman can be set up to function from an Azure tenant separate from the Azure/Intune tenant for which it issues certificates to users and/or devices. This configuration, known as split-tenancy, is especially helpful for MSPs that would like to consolidate Azure infrastructure costs across their customers while maintaining a dedicated backend and unique CA for each of those customers.

Split-tenancy comes along with a major disadvantage: can no longer be used. This means authentication against the Graph API (Azure AD and Intune) is handled using an App registration and Client secret, which has to be managed (by the MSP) as it expires.

In the following, we refer to the hosting tenant as home tenant, while to the customer tenant as target tenant. SCEPman resources will exist in the home tenant, and the managed devices in the target tenant as in the graphic below:

Configuration Steps

In SCEPman (Home Tenant)

1. Navigate to the SCEPman App service and then to "Settings" --> "Environment variables". Locate the following parameters and delete them:

1. Rename the following settings (do not change their values):

Create the following new environment variables if you haven't done that already during creation of the app registration:

1. Apply the changes.

2. Restart the SCEPman App service.

Certificate Master

1. Navigate to the Certificate Master App service and then to "Settings" > "Environment variables".

2. Now you have two options:

   1. If you want users from your home tenant to log in to Certificate Master and issue certificates, which includes guest users in your home tenant, e.g. from your target tenant.

If that is the case, rename the following settings (do not change their values):

b. You want users from your target tenant to log in to Certificate Master and issue certificates, which includes guest users in your target tenant, e.g. from your home tenant.

If that is the case, do the following:

• Open a PowerShell or Azure Cloud Shell in your target tenant and run the following commands:

Install-Module SCEPman -Scope CurrentUser -Force
Register-SCEPmanCertMaster -CertMasterBaseURL <url>

Replace <url> with your Certificate Master URL

• The CMDlet will output an Application Id and a Tenant Id (that of the target tenant). Enter these two values as

  • AppConfig:AuthConfig:HomeApplicationId and

  • AppConfig:AuthConfig:HomeTenantId in your Certificate Master settings.

• Now create the following new application settings, possibly overriding the existing ones, with the same values as in SCEPman:

1. Save the changes

2. Restart the SCEPman Certificate Master App service.

As an overview, here are the accounts used by Certificate Master and what they are used for:

Considerations when having multiple target tenants

If you want to have multiple SCEPman instances to issue certificates to different target tenants you will want to take additional configuration steps to isolate these instances from each other.

A possible concept could include a management resource group that holds a single App Service Plan that will provide the computing resource for all of your SCEPman App Services. The following points should be taken into consideration when doing this for multiple tenants:

• Each instance should have its own resource group to distinguish them

• You should create App Registrations for each instance to isolate the permissions

• The App Service Plan should be created in an independent management resource group as it is serving multiple instances

In this diagram a management tenant and its two SCEPman instances provide certificates to the tenants of Contoso and Tailwind:

Add a new SCEPman instance to an existing App Service Plan

This resource id can be found in the properties of the existing app service plan:

Create customer specific App registrations

To isolate the apps permissions you will need to adjust the post deployment command to specify custom App Registrations:

Complete-SCEPmanInstallation -SCEPmanAppServiceName "app-scepman-contoso" -AzureADAppNameForSCEPman "scepman-api-contoso" -AzureADAppNameForCertMaster "certmaster-contoso" -SearchAllSubscriptions 6>&1

This command will result in a fully configured SCEPman instance that is isolated from the prior instances. You can now go on to configure the split tenancy for this instance.

The above section regarding the Certificate Master can now be applied optionally if you want this service to be accessible from the customer tenant.