Azure App Registration

Last updated 1 month ago

Only relevant for Split-Tenancy setups.

SCEPman needs to interact with your Azure Active Directory and Intune endpoints to provide certificate and OCSP validation for users and devices. To grant SCEPman the necessary permissions, you need to create an App Registration in your tenant.

Generate App Registration (get Application ID)

  1. Log in to the Azure Portal.

  2. Navigate to Azure Active Directory.

  3. Click App registrations.

  4. Click New Registration and enter a name, e.g. SCEPman. For supported account type choose Accounts in this organizational directory only and click Register.

  5. You may copy the Application (client) ID now. This ID is important and will be needed later by the SCEPman deployment.

Generate Secret (get Client Secret Value)

  1. Stay within App registrations and click on Certificates & secrets.

  2. Click New client secret, add a description, and choose the expiration. We recommend 24 months, which keeps the service running for two years; you can revoke the secret at any time. Click Add.

  3. Copy the secret value and store it in a secure place.

Please do not mix it up with the "Client Secret ID". We need the "Client Secret Value" here.

Copy the client secret value immediately. You will not be able to retrieve it after you leave this submenu.

Configure Permissions

Stay within App registrations and click on API permissions.

  1. Remove the default User.Read permission.

  2. Click on Add a permission and choose Microsoft Graph. Select Application permissions and search for directory. Add Directory.Read.All as a permission.

  3. Now click on Add a permission and choose Intune. Select Application permissions and search for scep. Add scep_challenge_provider as a permission.

  4. Search for and add the following Graph application permissions as well: DeviceManagementConfiguration.Read.All and DeviceManagementManagedDevices.Read.All.

  5. Finally click on Grant admin consent and confirm the consent for the given app registration.

  6. After successfully granting the permissions you should see a green status for each permission.

The app registration is done.

Create a new environment variable in the SCEPman app service with the name AppConfig:AuthConfig:ApplicationId and paste the copied Application (client) ID as its value.

Create the SCEPman setting AppConfig:AuthConfig:ApplicationKey with the client secret value.
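The portal steps above, scripted with Azure CLI, as an added example that is not part of the SCEPman documentation or the SCEPman PowerShell module. It assumes az is installed and logged in as an account that can create app registrations and grant admin consent, that the resource group and App Service name passed on the command line are yours, and that the Microsoft Graph and Microsoft Intune API app ids are the well-known values; role ids are looked up at run time rather than hard-coded.

```shell
#!/usr/bin/env bash
# Added example (not SCEPman's own code): creates the SCEPman app registration,
# the four application permissions, a 24-month client secret, and the two
# SCEPman app settings. Assumes: az logged in with sufficient rights.
set -euo pipefail

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known app id)
INTUNE_APP_ID="0000000a-0000-0000-c000-000000000000"  # Microsoft Intune API (well-known app id)

# Guard against the "Client Secret ID" vs "Client Secret Value" mix-up: the ID is a
# GUID, the value never is. Returns 0 for a value that looks like a usable secret.
looks_like_secret_value() {
  [ -n "$1" ] && ! printf '%s\n' "$1" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Resolve an application permission (app role) id on a resource API by its value,
# so no role GUIDs have to be copied by hand.
role_id() {  # role_id <resource app id> <role value>
  az ad sp show --id "$1" --query "appRoles[?value=='$2'].id" -o tsv
}

create_scepman_app_registration() {  # <resource group> <app service name>
  local rg="$1" site="$2" app_id secret p
  app_id=$(az ad app create --display-name SCEPman --sign-in-audience AzureADMyOrg \
             --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null   # service principal needed for consent
  # CLI-created registrations carry no delegated User.Read, so there is nothing to remove
  az ad app permission add --id "$app_id" --api "$INTUNE_APP_ID" \
     --api-permissions "$(role_id "$INTUNE_APP_ID" scep_challenge_provider)=Role"
  for p in Directory.Read.All DeviceManagementConfiguration.Read.All \
           DeviceManagementManagedDevices.Read.All; do
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
       --api-permissions "$(role_id "$GRAPH_APP_ID" "$p")=Role"
  done
  az ad app permission admin-consent --id "$app_id"   # "Grant admin consent"
  # The secret value is only ever shown once; it goes straight into the app setting.
  secret=$(az ad app credential reset --id "$app_id" --years 2 \
             --display-name scepman --query password -o tsv)
  looks_like_secret_value "$secret"   # abort (set -e) if a GUID slipped in instead
  az webapp config appsettings set -g "$rg" -n "$site" --settings \
     "AppConfig:AuthConfig:ApplicationId=$app_id" \
     "AppConfig:AuthConfig:ApplicationKey=$secret" >/dev/null
  echo "$app_id"
}

# Run explicitly: bash this_script.sh run <resource-group> <app-service-name>
if [ "${1:-}" = "run" ]; then
  create_scepman_app_registration "$2" "$3"
fi
```

`az webapp config appsettings set` merges the two keys into the existing settings, so other SCEPman configuration on the App Service is left untouched.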
