Microsoft Entra ID (Azure AD)

These settings apply only to the SCEPman App Service, not to the Certificate Master App Service. Please refer to SCEPman Settings.

AppConfig:AuthConfig:ApplicationId

Linux: AppConfig__AuthConfig__ApplicationId

The Application (client) ID from your Microsoft Entra ID (Azure AD) App registration. This setting is configured during setup.

AppConfig:AuthConfig:ApplicationKey

Linux: AppConfig__AuthConfig__ApplicationKey

The Application Key (client secret value) from your Microsoft Entra ID (Azure AD) App registration. This setting is configured during the setup of a SCEPman 1.x version. SCEPman 2.x normally does not use this setting and relies on Managed Identity authentication instead; it is still required in the cross-tenant scenario described under AppConfig:AuthConfig:HomeTenantId. Treat the value as a secret: it grants the same access as the app registration itself.

AppConfig:AuthConfig:TenantId

Linux: AppConfig__AuthConfig__TenantId

The Microsoft Entra ID (Azure AD) Tenant ID. This setting is configured automatically during setup.

AppConfig:AuthConfig:HomeTenantId

Linux: AppConfig__AuthConfig__HomeTenantId

When running SCEPman in a different tenant than Intune, this specifies the ID of the tenant hosting the SCEPman Azure resources, while AppConfig:AuthConfig:TenantId specifies the tenant of Intune. In this case, you cannot use the more convenient Managed Identity authentication and must instead authenticate with an Azure App Registration and a client secret (AppConfig:AuthConfig:ApplicationId and AppConfig:AuthConfig:ApplicationKey).

AppConfig:AuthConfig:HomeApplicationId

Linux: AppConfig__AuthConfig__HomeApplicationId

This setting is only used when SCEPman runs in a different tenant than Intune. The HomeApplicationId specifies the application ID of your scepman-api app registration in the tenant where the SCEPman and Certificate Master App Services run. AppConfig:AuthConfig:ApplicationId and AppConfig:AuthConfig:ApplicationKey specify the application ID and client secret value, respectively, of the app registration in the tenant where Intune runs.

AppConfig:AuthConfig:ManagedIdentityEnabledOnUnixTime

Linux: AppConfig__AuthConfig__ManagedIdentityEnabledOnUnixTime

The time, as a Unix epoch timestamp, at which the required permissions were granted to the Managed Identity. SCEPman acquires a token using the Managed Identity only after a short delay (60 seconds in SCEPman 2.0) following this time, because only then do the roles in the token reflect the permissions added by the cmdlet. Tokens are cached for 24 hours and the cache cannot be forced to refresh, so if you grant a permission after SCEPman has already acquired a token, you must wait up to 24 hours until SCEPman can use the new permission.
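The following shell script is an added example and not part of SCEPman or its setup tooling. It ties together the cross-tenant settings (HomeTenantId / HomeApplicationId) and the ManagedIdentityEnabledOnUnixTime delay described above: it converts setting names to the Linux double-underscore form, checks that a cross-tenant configuration carries the client secret and home application ID it needs (and that the two tenant IDs differ, an extra sanity check assumed here), decides whether the 60-second delay after ManagedIdentityEnabledOnUnixTime has elapsed, and prints the `az webapp config appsettings set` command that would apply the settings instead of executing it, so it runs offline. All GUIDs, resource names and the secret are constructed placeholders.

```shell
#!/bin/sh
# Added example (not SCEPman's own code). Validates SCEPman AuthConfig settings
# and prints the az CLI command that would apply them; nothing is executed.

# Convert a SCEPman setting name to the form the App Service OS expects:
# Windows keeps "AppConfig:AuthConfig:TenantId", Linux needs "AppConfig__AuthConfig__TenantId".
# $1 = setting name with ':' separators, $2 = "windows" or "linux"
scepman_key() {
  if [ "$2" = "linux" ]; then
    printf '%s' "$1" | sed 's/:/__/g'
  else
    printf '%s' "$1"
  fi
}

# Check an AuthConfig set for consistency. When HomeTenantId is set (SCEPman runs in a
# different tenant than Intune) Managed Identity cannot be used, so ApplicationKey and
# HomeApplicationId must both be present. The "tenants must differ" rule is an assumption
# of this example, not a documented SCEPman check.
# Arguments: TenantId ApplicationId ApplicationKey HomeTenantId HomeApplicationId
# Returns 0 if consistent, 1 otherwise.
validate_auth_config() {
  tenant="$1"; app="$2"; key="$3"; home_tenant="$4"; home_app="$5"
  [ -n "$tenant" ] && [ -n "$app" ] || return 1
  if [ -n "$home_tenant" ]; then
    [ -n "$key" ] && [ -n "$home_app" ] || return 1
    [ "$home_tenant" != "$tenant" ] || return 1
  fi
  return 0
}

# Decide whether SCEPman will already use the Managed Identity: true once the delay
# after ManagedIdentityEnabledOnUnixTime has elapsed.
# $1 = ManagedIdentityEnabledOnUnixTime, $2 = current Unix time, $3 = delay in seconds (60 in SCEPman 2.0)
mi_token_allowed() {
  enabled="$1"; now="$2"; delay="${3:-60}"
  [ "$now" -ge $((enabled + delay)) ]
}

# Print (do not run) the az CLI command that applies KEY=VALUE pairs to an App Service,
# translating each key for the target OS.
# $1 = "windows" or "linux", $2 = resource group, $3 = App Service name, rest = KEY=VALUE
emit_az_command() {
  os="$1"; rg="$2"; app_name="$3"; shift 3
  printf 'az webapp config appsettings set --resource-group %s --name %s --settings' "$rg" "$app_name"
  for kv in "$@"; do
    k="${kv%%=*}"; v="${kv#*=}"
    printf ' "%s=%s"' "$(scepman_key "$k" "$os")" "$v"
  done
  printf '\n'
}

# Demo with constructed placeholder values for a cross-tenant deployment on Linux.
INTUNE_TENANT="11111111-1111-1111-1111-111111111111"
HOME_TENANT="22222222-2222-2222-2222-222222222222"
INTUNE_APP="33333333-3333-3333-3333-333333333333"
HOME_APP="44444444-4444-4444-4444-444444444444"
SECRET="placeholder-client-secret"

if validate_auth_config "$INTUNE_TENANT" "$INTUNE_APP" "$SECRET" "$HOME_TENANT" "$HOME_APP"; then
  emit_az_command linux rg-scepman as-scepman \
    "AppConfig:AuthConfig:TenantId=$INTUNE_TENANT" \
    "AppConfig:AuthConfig:ApplicationId=$INTUNE_APP" \
    "AppConfig:AuthConfig:ApplicationKey=$SECRET" \
    "AppConfig:AuthConfig:HomeTenantId=$HOME_TENANT" \
    "AppConfig:AuthConfig:HomeApplicationId=$HOME_APP"
else
  echo "inconsistent cross-tenant configuration" >&2
fi

# Single-tenant Managed Identity case: record the grant time and check the delay.
ENABLED_AT=$(date +%s)
if mi_token_allowed "$ENABLED_AT" "$(date +%s)"; then
  echo "SCEPman may acquire a Managed Identity token now"
else
  echo "SCEPman waits until $((ENABLED_AT + 60)) before using the Managed Identity"
fi
```

In a real deployment, avoid putting the client secret on the command line as shown in the printed command, because it lands in shell history and process listings; an App Service Key Vault reference for AppConfig:AuthConfig:ApplicationKey keeps the secret out of the app settings themselves. The delay check also shows why the 24-hour token cache matters: a permission granted after the first token was acquired is not reflected until that token expires.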
