Hey fellow sysadmins,
My team is rolling out a passwordless solution across the company, using Windows Hello for Business and Passkeys through Conditional Access Policies. We're currently set up for hybrid Azure/Entra join but are transitioning to a full Azure/Entra join. Everything is running smoothly and users are thrilled with the improvements so far.
However, I'm facing a challenge with our Wireless Authentication setup. We currently use WPA-Enterprise, which still requires users to remember their passwords. To work around this, we've created a dedicated AD user for connecting passwordless devices, but I want to improve this further.
From my research, it seems like certificate-based authentication is the way to go. My manager suggested setting up AD Certificate Services (ADCS) on-premises, but I'm concerned about the complexity and management overhead it brings, especially since we're aiming for a cloud-based infrastructure.
I've been looking into Cloud PKI options, notably Intune PKI and SCEPman, with a preference for SCEPman due to its cost-effectiveness and good integration with Intune. This solution would also allow for easier management without risking the entire infrastructure.
I need to convince my manager that Cloud PKI is the best way to go over setting up ADCS. I'm curious about others' opinions on this matter. Is there a case for using ADCS here? Any advice would be appreciated.
Thanks!
2 Answers
I just went through this and we ended up choosing SCEPman. It was super easy to set up, and their docs are really helpful. I recommend trying out their trial to see if it fits your needs!
SCEPman definitely fits the bill for what you're looking to accomplish. Just curious, do you use RDP for your server management? Getting Remote Guard to work with single sign-on can be tricky, so it might not be the simplest path depending on your setup.
Yes, I use RDP to manage servers. I keep my privileged account with a complex password for security, but users don't typically need RDP access. For them, a solution like Azure Virtual Desktop might work better.