Azure AD Application Proxy and NDES/SCEP with Intune

SDS 216 Reputation points

Hello Team,

following this Microsoft Learn guide

to configure an Azure AD Application Proxy (to support an internal NDES and Intune Certificate Connector) will leave you with an IIS default page which is accessible from the internet. The certsrv/mscep/mscep.dll shows 403-Forbidden Message. Both is expected.

But what can I do to harden IIS? Are there any best practices? My first thought was just to publish the url with certsrv/mscep/mscep.dll and not just https://server.domain.tld

You can only use "Passthrough" in Azure AD App Proxy as it is the only way SCEP will work.

Thank you

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,447 questions
{count} votes

1 answer

Sort by: Most helpful
  1. WalBenk 0 Reputation points

    Hi all,

    I'm preparing a Poc for CA implementation and want to know the best practice of installing "Azure AD Application Proxy Agent". It should be on a separate server/VM (1) or could be installed on NDES server (2)? pro/cons ?

    Thanks in Advance


    User's image