Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode 13 of season five. Sam and I had a recent discussion around Microsoft's new Cloud PKI service, a service that allows you to manage and deploy device and user certificates from Intune. Here are a few things we covered. What are user and device certificates and how are they used? How is a PKI solution normally managed? What is Microsoft's Cloud PKI and how much does it cost?
We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in. Hey, Alan, how are you doing this week? Hey, Sam. Not doing too bad. Busy week as always. How about you? Yep.
It seems like there's, you know, lots of activity in the, should we call it the sphere of Microsoft? I don't know, it's, yeah, it seems like, yeah, it's just hot with, you know, new releases, updates, the, you know, the AI mill turns, you know, cloud doesn't slow down either. You know, there's just, yeah, new updates and changes. I think we said it on our last episode, the amount of just updates we had, you know, when we did our end of month, you know, review, I think that just really shows sort of what's going on in the place. I mean, I think a big focus for us has been Copilot for Security, that landing in the first week or so of everybody at least publicly talking about the product and starting to use it. So yeah, there's been a hive of activity in and around that.
Yeah, definitely Copilot for Security has definitely been out there being talked about a lot. Yeah, yeah, no, definitely. And you're right. Yeah. I think there's a load of feature updates already that have come out this month that, you know, we want to talk about. But, you know, we'll wait till our news episode in a couple of weeks. Yeah, yeah, exactly. Yeah, yeah, yeah, yeah. It's been busy. It's definitely been busy in the Microsoft world.
Yeah, no, it's really good to see as well. You know. You know, I, you know, you definitely can't fault Microsoft for the amount of money, you know, and effort people that they actually, you know, put behind their products. Right. I know, I know a lot of other vendors do as well. I'm not, I'm not, you know, sort of discrediting anyone else, but you know, the amount of, I don't know, the amount of just effort and time that goes into some of these products and their updates is just. Yeah, it's crazy. It's like in another level in there.
Yeah. I guess it's because of the amount of areas that Microsoft are in. Yeah. That we see. It seems like a lot of change, I guess, you know, because, you know, I think for a single product or solution there might be what, four, five, six, seven changes maybe throughout the year. But times that by, I mean just in the security space, times that by six, seven, eight, ten products, it just seems, you know, it just seems like, you know, there's a lot of, you know, development there.
Yeah. And when, like, one of your products is, like, Entra as an example, you know, that's like a, well, that is actually a family of products. Right. You know, I suppose I talk about Entra ID, but, you know, even inside of that it's just, yeah, product after product, do you know what I mean? So, yeah, no, really good to see. What are we talking about this week, Alan?
So we're going to talk about public key infrastructures, PKIs, and Microsoft's Cloud PKI, which they released a couple of months ago now, I think it is. Okay, cool. Yeah, sounds like a good one. So yeah. Should we just sort of start from, you know, the basics really? Well, what is PKI? What does it stand for? Yep.
So I kind of alluded to it just a minute ago, but it's public key infrastructure. This really is... a PKI is a system that uses digital certificates to, you know, to authenticate and encrypt data between your device and services. So in the world we might know this as the certificates that are on websites, the HTTPS cert, so that it can encrypt the data between your web client and the server. So there's probably a couple of ways to look at this: you have your public ones which are out on the Internet, but the services are there on the Internet for you to verify the certificates. And normally you have to pay, you purchase those services to be able to then have it validated against your browsers, because your operating systems in effect have a subset of trusted certificates. They pull down onto your systems and then you trust them. The other part to it is really probably just sort of using it internally. Maybe you've got internal websites that only you want to trust, or maybe there's ways to communicate with your service there. So probably at a high level that's probably, you know, that is what it is. It's really certificate management, how they get created, how they get deployed. They're very sensitive because if, you know, the private keys of the public keys are captured, then, you know, the person who's got the private key can then create new keys and seem legitimate. I guess there's been a few. Has there been one or maybe two instances of public keys being taken? I think there was probably one quite a while ago now. Can't remember who it was, but yes. So there's a lot of security around them, making sure they're maintained and things like that.
Okay. So yeah, so how is it normally sort of deployed and managed? I assume in large organizations this is a large issue and that there must be a solution out there today to help you with it.
Yeah, so I mean, like we were kind of saying with the public certificates, you know, things like, you know, as an example, as a provider, Let's Encrypt, you know, they look after it and all you have to do is request certificates from them and they do the signing. Same thing with some of the other providers, like I think GoDaddy does some as well, and there's a few other sort of providers out there, but from a proper private PKI perspective, so there are various sort of solutions. I think, again, I'm obviously in the Microsoft world, but I think there are some PKI services that you can run on Linux sort of operating systems, but from a Windows perspective, which is I think the most I've seen it being used, at least in an organization, it's normally deployed using Active Directory Certificate Services. So normally you have to have a domain, you create these services and normally you have, from a best practice perspective, you normally have a root certificate PKI and then you have an intermediate one which is the one that actually releases the, that communicates with requests and things like that. Now I think normally the root CA is normally turned off, shut down once you generate the key so no one can attack it, try and get the root certificate, because this could be potentially access to services that you have. So you're protecting it there, but generally you have the intermediate there with certificate templates and normally then you're distributing those certificates out to users or devices for them to then use them against services. When I said devices, it could be against a server as well, as well as, you know, a user endpoint. So that could be for an internal service so you can communicate with it securely there. Generally with Active Directory Certificate Services there is normally a template for devices that you tend to roll out to every device anyway, so there's better communication there. So it's generally sort of sorted. But then if you wanted to deploy to other non-Microsoft endpoints, so say iOS and Android, potentially they could kind of talk to it directly, but it would be quite difficult to do. So you can do that with Intune and deploy an NDES server or a PKCS service, I think it is, in effect; then Intune can go and request it on behalf of the device and then deploy it for you. So that seems relatively okay. It can be semi, I say semi easy to set up and get going, but actually securing it, making sure that you're dishing out the right certificates, that you've got the control, the security controls in place, and maintaining it can be quite a lot, because in effect if any of these servers crash, die, aren't backed up, then all of your certificates in effect are, then you can't create new ones, you can't revoke them, and then they can't also be validated, because sometimes you need to go back to the root, to those certificate servers, to validate. So when you lose one of these servers it very, you know, can break a lot of communication within an organization if it's heavily used. So yeah, there's a lot of maintenance around them, make sure they're healthy, they're up to date, you know, sometimes even patching, or generally, you know, organizations will patch the servers but they're a bit more cautious around it. But say that you're moving to, you know, the next version of operating system because you've had it for five, six, seven, eight, ten years, et cetera. It's very difficult to plan and maintain that sort of migration up to the next supported operating system. So yeah, it's quite a lot there.
I mean, from an Active Directory Certificate Services perspective, I've sort of used it as a, I guess as a consumer of it, as an admin. I've probably not done that maintaining part of it, but I know a colleague of ours has done that and has had to maintain it, and it can be challenging and it's very... you have to be very cautious around, you know, making changes to it or upgrading it, et cetera. Yeah. When you've got such a, I'll call it a critical service. Right.
I assume it's ranked at that sort of level in organizations, you know, for its sensitivity and also the reliance of others. You know, I suppose once certificates are generated, though, I suppose it's only at the lifecycle events that that becomes an issue. Is that fair to say, once you've deployed them? But I suppose it's still, yeah, it could still wreak havoc if you, you know, if you had that type of scenario.
It depends. Yeah, it's the renewal of the, you know, the actual trusted certificates, either the root or intermediate, which just has to be done after X years depending on how often you set it to expire. And then, yeah, as you said, you've then got the user device part, but yeah, you're right, it's more around the renewals and maybe the creation where the most issues are, or the expiry, like I said, of the root or intermediate certificates. But sometimes if you do have revocation sort of URLs hosted on the same servers, and there may be some services out there that require that to validate that the certificate is still valid, then that can also cause an issue.
And do you need, like, high availability for this type of service? You know, does it tack alongside your, like, you know, the Windows environment, you know, your domain controllers? Is it usually on the same box? Is it extra infrastructure that you need to run this type of stuff?
So it's normally recommended to not put it with the domain controllers, as in on the same machines. You know, technically it can be installed on the same machines, but like I said, generally, you know, have the root CA turned off so that the root can't be taken, because at least then if the intermediate goes down the root CA is still trusted. So if you spin up another intermediate server at least you can start dishing out new certificates, you know, in the meantime. But they can't be, they are individual servers there. You can't have, like, HA bits. You can't have two servers, you know, named the same dishing out the same types of certificates, as far as I'm aware anyway. Normally, for availability, you'd have your single root CA and maybe two intermediates, both, you know, intermediate one and intermediate two, with the ability for either of them to distribute certificates. And then the endpoints would choose one to get a certificate from, which one, you know, they decide which one to get it from. So if one wasn't available, then the other one would continue. But, yeah, you can't put them in, you know, active standby or anything like that.
Okay. Yeah. So that's why. Yeah. Yeah. So you've got sort of a critical part of your security, you know, posture. You need separate, you know, separate machines, separate infrastructure, somebody to manage them, you know, somebody that understands as well, you know, how all of these things work together, I suppose. Right. But I'm guessing that's what, you know, IT teams sort of deal with on a day to day basis. I guess it's just part of business as usual. Yeah.
And as we're kind of saying, there's a lot of maintenance there, so small businesses tend to not have that, you know, available to them. You know, some organizations have Active Directory. I mean, we do see small organizations have that because it's sort of the norm to have, maybe in the past, maybe in today's, I say today's world, but, you know, the current times, you might, you know, use cloud based machines now, but those devices can still get certificates, but there has to be a domain somewhere where they can request them via the Intune plugin, in effect. But it does have to know who they are. But yes, small organizations don't really have the chance to use it and maybe have that little bit of extra security simplicity in there, managing how they access services that they have.
Okay, that's sort of. Okay, that's great. Why do organizations create these certificates internally? What are they used for?
So it's mainly to communicate with other endpoints. And as I kind of said, PKI is around encrypting data between services and devices. So this could be to do certificate based authentication or communication, at least with an SMB share, against a web service. And really the way that I've seen them being used is to access Wi-Fi and VPNs. So then the user is kind of doing a semi passwordless authentication in some form against Wi-Fi and VPN. So you can use 802.1X on Wi-Fi. So that means that, you know, the Wi-Fi backs onto a RADIUS server which checks certificates, basically. So the device has a certificate. It means it's a trusted device. When it communicates, it then does that check and then allows you onto the network. This means that you don't need to have a pre-shared key on that Wi-Fi, you know, so it's not something that can be stolen, you know, shared out between, you know, non-company, you know, people, you know, maybe guests, things like that. They can't just connect to it. So it's quite a key security feature there. And same thing with VPN, you know, you don't have to type a username and password on a device and then access it, you know, in theory with username and password. I mean, don't get me wrong, there's other checks that can go in place, but, you know, if someone installed the VPN client that you need to use on a normal machine that's not a managed device and typed their username and password in with, you know, the right connection they need to get to, then they could, you know, in effect join that device to your network and then start accessing stuff that maybe they shouldn't, or, you know, start looking for vulnerabilities in the environment.
So by having a certificate that's only deployed by trusted services like the domain controllers, well, not necessarily domain controllers, but the PKI servers on your network, then, you know, it's a way of proving that's a trusted device. And then when you go to Intune on iOS and Android, the same thing happens, that you can choose to say that they're trusted devices. So it's very, you know, we see it a lot being used in those spaces, mainly for Wi-Fi and VPNs, and then potentially other services like SaaS services. So say if you're using something like Microsoft Defender for Cloud Apps, MDA, one way to detect that a device is trusted is by presenting a trusted certificate. So you put the root key, the public key of it at least, into MDA, and then it trusts any certificates against that. So then you can decide, you prove out devices as an internal one or a trusted device at that point. Yeah, as far as I'm aware. I think you can use it for actual websites, things like that. I think actually with some, I remember it in the past that you can get, say, I think it was like with stockbrokers, things like that. I think sometimes they give you, from their system, a user certificate to install onto your machine to actually access their services. So you can't just go to any machine; you only get it once. If you need to redo it, you have to go through a rigorous security check to get another certificate. I've seen that in the past, maybe not as much today, maybe because there's other controls, but definitely in the past.
Okay. So yeah, obviously a key sort of security element, but also, you know, those upsides of giving you extra protection do come with some downsides, you know, in having to manage it. And I suppose that segues us nicely on to, yeah, what is Microsoft's Cloud PKI service?
So Microsoft Cloud PKI service is pretty much what it sounds like, in that they allow you to deploy in effect your PKI server and services in the cloud, managed by Microsoft, and then you can easily distribute them using Intune to your endpoints. So this is that you're able to deploy your root certificate, put all your information in there about the name of it, its location, things like that, as you would normally, your encryption, what level of encryption you want it to be able to distribute, and how long the certificate, you know, lasts. Is it 5, 10, 15, I think maybe even 20 years, on the root certificate, the actual root CA, certificate authority. And then you can build your intermediates or your issuing certificate service, and then in effect they're running secured, updated. You know, you don't see that part, you just see them as sort of instances in the Intune portal, and I mean you can start setting up within 15, 20 minutes, to be fair, once they get up and running, and then you can start building your policies in Intune to then start distributing the root certificate just so the device can trust it. And then you can start setting up the NDES configuration in there to then start deploying them to your endpoints, and they just start appearing. So within probably, I don't know, if you knew exactly what configuration you wanted, I think you could probably get it set up in about an hour, hour and a half's time, ready to start deploying certificates.
Wow that sounds, yeah, a lot easier than having to manage and I suppose is there just a shift of having a need for this type of service when you are starting to move away from on premise infrastructure? Is this now a gap, companies currently having to put these servers into Azure as an example? And this is why this exists. Yeah.
So if you're staying with the Microsoft PKI side of things, then you still have to have Active Directory, you still have to have those root CAs and everything, and it doesn't matter if it's on premise infrastructure or in IaaS, it's still technically, I guess, in the term of on premise sort of virtual hosting. But I think this is the sort of a move to allow you to in effect remove that service from Active Directory, to slowly start removing that reliance on it, because we're seeing a lot of devices now, or communication recommending that devices are now Entra joined rather than hybrid joined, because there's enough capability now out there that they can be Entra joined and still communicate with Active Directory, or the majority of Active Directory services, or authentication there where a user is being synchronized up to Entra. So this is just taking one of those services away. And I think a really big benefit of this is that any small business can now have a PKI service for their VPN, for their Wi-Fi, one, enhancing their security, but on the second half, making the user experience a little bit better because now the user doesn't have to type in their username and password. So it's bringing in a little bit more of that passwordless authentication in some form. So it's really, it's very good. And one part of it is that you can, if you wanted to, bring your own root, in effect, certificate and just use the intermediates to distribute the certificate, so you can get it to sign the issuing server certificate authority back down to a root CA maybe you've got on premise, because you want it to back onto that so that you own the root CA and, yeah, it's not hosted in the same place. So there is that option as well. One thing that's good about this as well is it's all HSM backed, so it's all hardware managed by Microsoft. HSM sort of clusters in the background are being used to create the certificates for you. So sometimes there is a regulatory compliance there to have HSM backed or hardware backed PKI services; that's just part of this service. You don't pay any extra for that.
Nice. And you mentioned intune. Is that a hard requirement for this service? Would there be no point in using it in any other way?
Yeah, so as far as I'm aware you can already use it to deploy certificates to, you know, endpoints, things like that. So if you did need certificates on servers, or they need their individual, you know, server certificates, you would still have to have an on premise PKI service. But then I guess generally, not domain controllers, but generally servers might be part of a domain anyway, until, you know, we get more familiar with Entra joining them, which I think can only be done in Azure at the moment. So yeah, it's really Intune. It is part of Intune. I mean, we're kind of going into the next thing, what I was going to talk about in a minute, but it's part of the Intune Suite, so you still need, you know, Intune Plan 1, but you can buy it individually or it can be part of the Intune Suite now. So if you've already got that, then you've already purchased it, in effect.
Yeah. Do you want to just talk through pricing? Yeah.
So it's a per user, per month license, and I believe it's $2, $2 a month. So for a small organization, that seems quite, compared to hosting a server, or maybe two servers, plus maintaining it, it seems really reasonable there for small and medium business. Obviously as it scales up to large organizations, that might not necessarily, I guess, be on par with an on premise sort of service from a cost perspective, but at the same time you're not managing it, you don't have to worry about it. So I think there's a bit of sort of thought around that, and I guess as well, if you do decide to buy the Intune Suite and all the rest of the services, then it might be something that'll be cheaper per user. In effect, if you break down that suite into the various, like, for me, different features that are in there, I think it works out a lot cheaper than if you're buying, if you're using some of the other services. Yeah.
For organizations, it's always going to be to look at sort of total cost of ownership. Right.
You know, and add that into their business case. You know, like you say, if you've got hundreds of thousands of users, you know, you might be at a scale where actually it makes a little bit more sense, you know, to be managing it yourself. But like you say, the median-size business is not that size of business, you know, so it's definitely going to be useful for, yeah, a lot of organizations. Yeah.
And you might have a roadmap that you're looking to remove your on premise infrastructure. You might be looking to, on that journey, remove Active Directory and then move to Entra only, because the services you are using are all cloud only. Maybe you don't have much on premise infrastructure at the moment. Maybe you don't have many servers, maybe it's all SaaS services that you're using, but you've got Active Directory because that's where you started, you know, with, and that. So maybe you're on that journey and actually just want to, you know, it's a, you know, price to pay, I guess, to doing that, per se. But then you haven't got to manage all those other servers and everything else, let alone the hardware they sit on and things like that. But I mean, there are other, yeah, there are other cloud PKI services out there. I can't think off the top of my head what they are, but there's a couple out there today. But I expect they're a similar sort of cost to this. But this is all sort of baked into your Intune where you're managing all your devices anyway. So it kind of just fits in there. And as I said, it's relatively easy to set up, as far as I'm aware. I think you can have up to six sort of services in there, or certificate authorities. So that could be, you know, one root certificate authority and then two issuing, maybe two sets of those, because maybe you want to have a different certificate for a different service and distribute that certificate out to certain users, to maybe segregate some of the environment or some of the users out there.
Or, yeah, in effect have a combination of all, yeah, of six, basically. So I think the max you have is three roots and three issuing servers, kind of thing, unless you're using your on premise root CAs to do the backing of the issuing servers. So, yeah. Cool. Thanks, Alan. Yeah, sounds like a really good service. Any other points you want to talk about or discuss?
I guess the only thing really is that because it is only $2 per user per month, it's quite easy to get started, because you can only buy a couple of users' licenses and then get it all sort of spun up and tested and proven out before you, you know, purchase either the suite or the remaining licenses for your users. And there are trial licenses as well, as far as I'm aware, there are at the moment at least. So you can get onto it and test it out and see if it works for you, make sure it works with your, you know, your VPN and Wi-Fi solutions, things like that. But yeah, that's probably it for me.
Cool, thanks, Alan. Any other episodes that are similar to this one? I think it's quite unique, isn't it? Yeah. Yeah, no, I don't think so. It'd probably only be an Intune one, but that was probably a couple of seasons ago. I mean, I can't believe we're on episode 13, to be honest, of this season. That's soon gone. Yeah, exactly. Consistent uploads. That's how we get through them, that's for sure. Yeah. Yeah.
No, we've done some, you know, Intune related episodes, so probably worth checking those out if you don't know too much about Intune itself. But yes, that's probably it. So what's our next episode then, Sam?
Yeah, so next week I'm going to be covering Azure backup, not possibly the most glamorous service in Azure. I suppose it depends who you talk to, but definitely a key part of anybody's cloud infrastructure. So, yeah, I'm going to take us through Azure backup, what it can do, how it sort of helps you streamline your backup process. Yeah.
Okay, cool. Sounds good. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us to reach out to more people like you. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact. Yeah. And if you've made it this far. Thanks very much for listening and catch you on the next one. Yeah, thanks. All.