# Device Directories

SCEPman offers two options for validating device certificates (e.g. for OCSP requests). Both directories store device objects with different IDs that are checked for existence by SCEPman:

* Microsoft Entra ID (Azure AD) Device ID
* Intune (Intune Device ID)

Those IDs are visible in Intune per device under tab "Hardware":

![](/files/teTbC5tsqTnrS96rk69g)

For recognizing the device behind an issued certificate, SCEPman requires the corresponding **ID in the subject name**:

* Microsoft Entra ID (Azure AD): `CN={{AAD_Device_ID}}`
* Intune: `CN={{DeviceId}}`

When setting up SCEPman and certificate profiles in Intune, it is important to **decide which inventory should be used**.

### Entra ID (AAD) vs. Intune

Both directories have their pros and cons. In general, we **recommend Intune** as inventory since SCEPman 2.0:

* **The Entra Device ID can change during enrollment (seen on iOS/iPadOS/macOS)**:\
  The Entra Device ID is set to the Intune device ID until the device is finally registered in Entra ID (AAD). Intune already issues the certificate before the device gets its final ID. As a result, SCEPman cannot find the device in Entra ID after this ID change.
* **Intune is often maintained better than Entra ID (AAD)**:\
  In theory, the AAD and Intune device objects are independent of each other. Deleting a device in Intune does not delete the corresponding AAD object. In addition, Autopilot devices can only be deleted in Intune and not in Microsoft Entra ID (Azure AD). So, if only Entra ID were checked, the certificates of such deleted devices would still be valid.

### SCEPman Configuration

SCEPman needs to know which directory/directories should be used for validation. Therefore, we offer the configuration option [Intune Validation](/scepman-configuration/application-settings/scep-endpoints/intune-validation.md#appconfig-intunevalidation-devicedirectory). Please adjust that value to your needs.

{% hint style="warning" %}
Note that this requires SCEPman version 2.0 or newer. SCEPman 1.x only supports Microsoft Entra ID (Azure AD) as directory.
{% endhint %}

### Certificate Profiles

Please also adjust the subject name to your needs as stated under [Microsoft Intune](/certificate-management/microsoft-intune.md).

Please note that `CN={{DeviceId}}` is currently not supported for Android Enterprise Fully Managed, Dedicated and Corporate-Owned Work Profile as stated in the [Microsoft docs](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile). If those device types are in use, consider checking both directories or only Microsoft Entra ID (Azure AD).

For **migrating** from Microsoft Entra ID (Azure AD) to Intune ID or vice versa, **certificates** need to be **re-issued on all clients**. During that change, please configure SCEPman via [Intune Validation](/scepman-configuration/application-settings/scep-endpoints/intune-validation.md#appconfig-intunevalidation-devicedirectory) to check both directories, so that both IDs are valid. After migration, you can switch to Intune or AAD as the only directory.
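The following Python script is an added illustration (not SCEPman's code) of how a directory check like the one described above behaves under the three "Intune Validation" settings: Entra ID only, Intune only, or both. It extracts the device ID from the certificate subject's CN, looks it up in two constructed sample inventories, and replays two situations from this page: the Entra Device ID change during iOS/iPadOS/macOS enrollment, and the migration phase where old certificates carry the Entra ID and re-issued ones carry the Intune ID. The `DeviceDirectory` names, the subject parser and all GUIDs are assumptions made for the example.

```python
# Added illustration of device-directory validation under the three
# "Intune Validation" settings. NOT SCEPman's code; all directory
# contents and GUIDs below are constructed sample data.
import re
from enum import Enum
from typing import Dict, Optional, Set


class DeviceDirectory(Enum):
    """Which inventory a certificate's CN is looked up in (assumed names)."""
    ENTRA = "Entra ID"
    INTUNE = "Intune"
    BOTH = "Both"


# Entra and Intune device IDs are GUIDs; any other CN is rejected outright.
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def subject_cn(subject: str) -> Optional[str]:
    """Return the CN value of a simple 'CN=...,O=...' subject string.

    Simplified parser: splits on ',' and ignores escaped separators.
    """
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def is_device_known(subject: str, mode: DeviceDirectory,
                    entra_ids: Set[str], intune_ids: Set[str]) -> bool:
    """True if the CN names a device present in the directory selected by `mode`."""
    cn = subject_cn(subject)
    if cn is None or not GUID_RE.match(cn):
        return False  # no usable device ID in the subject name
    cn = cn.lower()  # directories are keyed by lower-case GUIDs
    in_entra = cn in entra_ids
    in_intune = cn in intune_ids
    if mode is DeviceDirectory.ENTRA:
        return in_entra
    if mode is DeviceDirectory.INTUNE:
        return in_intune
    return in_entra or in_intune  # BOTH: either ID is accepted


# --- constructed sample data ---------------------------------------------
INTUNE_ID = "11111111-1111-1111-1111-111111111111"
FINAL_ENTRA_ID = "22222222-2222-2222-2222-222222222222"
INTUNE_DIRECTORY = {INTUNE_ID}
ENTRA_DIRECTORY = {FINAL_ENTRA_ID}  # the device's final, post-registration ID


def enrollment_id_change_scenario() -> Dict[str, bool]:
    """Certificate issued while the Entra Device ID still equalled the Intune ID."""
    subject = f"CN={INTUNE_ID}"
    return {m.name: is_device_known(subject, m, ENTRA_DIRECTORY, INTUNE_DIRECTORY)
            for m in DeviceDirectory}


def migration_scenario() -> Dict[str, Dict[str, bool]]:
    """Old certs carry the Entra ID, re-issued ones the Intune ID."""
    old_cert = f"CN={FINAL_ENTRA_ID}"
    new_cert = f"CN={INTUNE_ID}"

    def check(mode: DeviceDirectory) -> Dict[str, bool]:
        return {"old": is_device_known(old_cert, mode, ENTRA_DIRECTORY, INTUNE_DIRECTORY),
                "new": is_device_known(new_cert, mode, ENTRA_DIRECTORY, INTUNE_DIRECTORY)}

    return {"during_migration_BOTH": check(DeviceDirectory.BOTH),
            "after_switch_INTUNE": check(DeviceDirectory.INTUNE)}


if __name__ == "__main__":
    print(enrollment_id_change_scenario())
    print(migration_scenario())
```

Running the script shows the certificate from the enrollment scenario failing with Entra-only validation but passing with Intune or both, and the old certificates passing only while both directories are checked; once the setting is switched to Intune only, every certificate that has not been re-issued is rejected.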
