Azure has really taken off – unless you’ve been hiding under a rock somewhere, you’ll know that Infrastructure as a Service in particular has proved extremely popular amongst all sorts of organisations. Platform as a service has been gaining some traction of late, but I am seeing organisations transform their infrastructure and businesses through the use of IaaS right here and now. But lately, I’ve been feeling somewhat frustrated that we couldn’t move some key workloads in to Azure – and the one that really got me was AD Certificate Services – given that it appears Windows 10 with Credential Guard seems to break 802.1x auth with MSCHAPv2, certificate based authentication mechanisms such as EAP-TLS look like becoming increasingly prevalent in the future – and rightly so. Also, given that Intune and NDES provides a fantastic mechanism for deploying certificates to devices, it pained me that we just couldn’t find a definitive statement of support for ADCS in Azure. I knew I could install Certificate Services in Azure and I could see that it worked, but I just couldn’t get the definitive support statement I needed.
Anyway – as my frustration grew, I took to Twitter to get some answers. One of the people I got in touch with was Mark Cooper (@PKISolutions), who in the ADCS team at Microsoft for 10 years, supporting some of the largest Enterprise customers in the world. He has also written a number of Microsoft sponsored Whitepapers, including Hardening NDES for Intune & ConfigMgr. Mark immediately responded claiming that it was supported – after all, it was just another role in Windows Server. Normally, I would agree with such a statement but this article https://support.microsoft.com/en-gb/kb/2721672 always proved my stumbling block. If Microsoft was willing provide definitive statements around so many of the Windows Server roles – why not ADCS? I queried Mark – and after a short time, he replied stating he had been in touch with the ADCS PM in Microsoft who agreed that ADCS was supported and who, on the back of this contact has asked for the support article to be amended! Superb! This is such great news for those looking to migrate to Azure IaaS and for anyone looking to secure their infrastructure using certificate based authentication. Thanks to Mark for his help!
So just what is supported? Well – right now the article hasn’t been updated (let’s hope it is soon!) – so we’ll hold back on stating anything explicitly, but we’re hopeful that the article will be updated shortly and we can provide customers with a definitive statement of support for this service in Azure. We expect that the recommended scenario will involve having an on premise Hardware Security Module with a cloud based Certificate Authority.
Definitely one to keep in mind as you continue on your cloud journey.