Does SCEP certificate profiles with SAN URI {{OnPremisesSecurityIdentifier}} currently work for anyone in SCEP certificate deployments? We have configured a SCEP user certificate configuration profile to test the deployment, but the certificate profile does not deploy any SCEP certificates if it includes the new SAN with this URI, and there are no events of any requests happening in the Intune Certificate Connector or AD CS logs. If the SAN URI is removed from the SCEP profile without any other changes, a SCEP certificate deploys without issues during the next synchronization, so our infrastructure is working correctly. Also checked that onPremisesSecurityIdentifier exists for the test user (and Entra hybrid joined devices). Updating the Intune Certificate Connector to version 6.2406.0.1001 and adding the PKCS configuration specific registry key to test, if this is an undocumented requirement also for SCEP, also do not have any effect on this.
The link for object synchronization documentation in the blog is about how objects sync from Entra ID to Entra Domain Services, but most hybrid organizations are probably more interested in whether any synchronization changes from on-premises Active Directory to Entra ID are required for SCEP certificates to include the new SAN URI. It seems hybrid objects automatically have objectSid synchronized to the onPremisesSecurityIdentifier attribute, but objectSid is also an available directory extension in Entra Connect.