Currently, we see in some tenants that SCEPman is not issuing certificates for Intune-managed clients.
The problem occurs after the SCEPman service is restarted, e.g. to apply a software update.
The issue may be caused by an AAD Graph permission requirement that Microsoft may have just activated by accident (it was planned for January 2022).
Please upgrade to our latest version of SCEPman (minimum 1.7.140), which contains new logic that no longer requires the legacy API calls. Thus, no additional API permissions are required.
For instructions on how to update SCEPman, please follow our docs at: Update Strategy - SCEPman Docs
If you are not able to upgrade SCEPman due to policy or process constraints, please follow our Alternative Solution below.
Alternative Solution (requires no update of SCEPman)
This solution does not require an update of SCEPman's application artefacts. Thus it should be implemented in environments where policies prevent an out-of-order update of SCEPman.
Please update the App Registration for SCEPman in Azure AD Portal.
You need to add the permission "Application.Read.All" for "Azure Active Directory Graph".
Please read carefully: the additional permission is for "Azure Active Directory Graph", not for "Microsoft Graph".
Here are the detailed instructions on how to achieve that:
1. Navigate to the App Registrations in Azure AD Portal.
2. Click on the registration for SCEPman.
3. Click on "API permissions".
4. Click on "Add a permission".
5. Click on "Azure Active Directory Graph".
6. Click on "Application permissions".
7. Check "Application.Read.All".
8. Click "Add permission".
9. Click on "Grant admin consent for ...".
You should now have the following status:
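To verify the same status without relying on the portal screenshot, the following added example (not part of SCEPman or this guide) checks an app registration's requested permissions and consent state offline. It assumes you have already exported the application object, the resource service principals and the app's appRoleAssignments from Microsoft Graph; the sample dicts at the bottom are constructed placeholders, only the two resource appIds are Microsoft's fixed values.

```python
"""Offline check of an app registration for the AAD Graph 'Application.Read.All'
application permission and its admin consent. Input dicts mirror the Microsoft Graph
API's application / servicePrincipal / appRoleAssignment objects; sample data below is
constructed, not taken from any tenant."""

# Fixed, well-known appIds of the two resource APIs.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # Azure Active Directory Graph (legacy)
MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
ROLE_VALUE = "Application.Read.All"

def requested_app_roles(app, roles_by_resource):
    """Map each application permission (type 'Role') in requiredResourceAccess to
    (resourceAppId, role value), resolved via the resource service principals' appRoles."""
    found = set()
    for rra in app.get("requiredResourceAccess", []):
        res = rra["resourceAppId"]
        id_to_value = {r["id"]: r["value"] for r in roles_by_resource.get(res, [])}
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Role" and access["id"] in id_to_value:
                found.add((res, id_to_value[access["id"]]))
    return found

def check_aad_graph_permission(app, resource_sps, assignments):
    """resource_sps: {appId: servicePrincipal} of the resource APIs; assignments:
    appRoleAssignments of the app's own service principal.
    Returns 'ok', 'not-consented', 'wrong-api' or 'missing'."""
    roles = {app_id: sp.get("appRoles", []) for app_id, sp in resource_sps.items()}
    requested = requested_app_roles(app, roles)
    if (AAD_GRAPH, ROLE_VALUE) not in requested:
        # The pitfall the guide warns about: permission added under Microsoft Graph instead.
        return "wrong-api" if (MS_GRAPH, ROLE_VALUE) in requested else "missing"
    aad_sp = resource_sps[AAD_GRAPH]
    role_id = next(r["id"] for r in aad_sp["appRoles"] if r["value"] == ROLE_VALUE)
    # Admin consent for an application permission is recorded as an appRoleAssignment
    # on the client's service principal that points at the resource SP and the role id.
    consented = any(a["resourceId"] == aad_sp["id"] and a["appRoleId"] == role_id
                    for a in assignments)
    return "ok" if consented else "not-consented"

# Constructed sample data: object and role ids are placeholders, not real tenant values.
SAMPLE_SPS = {
    AAD_GRAPH: {"id": "sp-aadgraph", "appRoles": [{"id": "role-aad-1", "value": ROLE_VALUE}]},
    MS_GRAPH: {"id": "sp-msgraph", "appRoles": [{"id": "role-msg-1", "value": ROLE_VALUE}]},
}
SAMPLE_APP_OK = {"requiredResourceAccess": [
    {"resourceAppId": AAD_GRAPH, "resourceAccess": [{"id": "role-aad-1", "type": "Role"}]}]}
SAMPLE_APP_WRONG = {"requiredResourceAccess": [
    {"resourceAppId": MS_GRAPH, "resourceAccess": [{"id": "role-msg-1", "type": "Role"}]}]}
SAMPLE_ASSIGNMENTS = [{"resourceId": "sp-aadgraph", "appRoleId": "role-aad-1"}]
```

A result of "wrong-api" means the permission was added under Microsoft Graph rather than Azure Active Directory Graph; "not-consented" means step 9 (admin consent) has not been completed yet.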