When Microsoft Cloud PKI was first released, deleting CAs was not simple. The Intune admin portal had no functionality for it yet, so you had to use Microsoft Graph to delete CAs that you had created for testing or with inaccurate settings. That Graph permission was soon removed once it was identified that objects were being left behind (stranded) in the directory, and the official guidance became to raise a support request with the Microsoft Intune team, which took no longer than a week during my testing.
In this article, I will show you how to delete Cloud PKI CAs in Microsoft Intune.
Microsoft Intune: Revoke and Delete Cloud PKI Certification Authorities
Feature ID 399930 on the Microsoft 365 Roadmap highlights that you can now revoke and delete certification authorities in Microsoft Intune.
Requirements
To delete Cloud PKI certificate authorities in Microsoft Intune, you must have the Intune Administrator role assigned if you are using the Microsoft Intune admin portal.
Or, if you need to delete CAs programmatically using Microsoft Graph, you need admin consent for the DeviceManagementConfiguration.ReadWrite.All permission (granted by a Global Administrator) and the Microsoft Graph PowerShell SDK installed.
Delete certificate authorities with Microsoft Graph PowerShell
Using Microsoft Graph PowerShell is the quickest way to delete Cloud PKI CAs in Microsoft Intune. Follow the steps below to delete a specific CA with PowerShell.
1. Connect to Microsoft Graph, requesting the scope listed in the requirements (the parameter is -Scopes).
Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
2. Find the CA you wish to delete by filtering on its display name. Invoke-MgGraphRequest returns the response as a hashtable, so the matching objects sit under its value key. The backtick in front of $filter stops PowerShell from treating the OData query option as a variable.
$name = 'DemoCA1'
$ca = Invoke-MgGraphRequest -Method GET `
-Uri "/beta/deviceManagement/cloudCertificationAuthority?`$filter=displayName eq '$name'" |
Select-Object -ExpandProperty value
3. Check that $ca holds exactly one object and that its displayName and id belong to the CA you intend to remove (a display-name filter can match more than one CA), then delete it with a DELETE request. There is no undo for this request.
Invoke-MgGraphRequest -Method DELETE `
-URI "/beta/deviceManagement/cloudCertificationAuthority/$($ca.id)"
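The three steps above, combined into one script with the checks a practitioner would want before an irreversible DELETE. This is an added example, not code from the original article; it assumes the beta endpoint /deviceManagement/cloudCertificationAuthority used above, the displayName and id properties shown in step 2, and a Graph PowerShell SDK session. The script name and its -DisplayName parameter are this example's own.

```powershell
# Remove-CloudPkiCa.ps1 (added example, not from the original article)
# Deletes one Intune Cloud PKI certification authority by display name.
# Assumes: Microsoft Graph PowerShell SDK installed; beta endpoint
# /deviceManagement/cloudCertificationAuthority as used in the article.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string] $DisplayName
)

$base = '/beta/deviceManagement/cloudCertificationAuthority'

# Step 1: connect with only the scope this task needs.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Step 2: look the CA up by display name. Apostrophes in the name are doubled
# so they do not terminate the OData string literal.
$escaped = $DisplayName -replace "'", "''"
$query   = "$base`?`$filter=displayName eq '$escaped'"
$found   = @((Invoke-MgGraphRequest -Method GET -Uri $query).value)

# Refuse to guess: zero or several matches both mean "do not delete".
if ($found.Count -eq 0) {
    throw "No Cloud PKI CA named '$DisplayName' was found."
}
if ($found.Count -gt 1) {
    $ids = ($found | ForEach-Object { $_.id }) -join ', '
    throw "Display name '$DisplayName' matched $($found.Count) CAs ($ids); delete by id instead."
}
$ca = $found[0]

# Show what is about to be removed so the operator can compare it with the portal.
Write-Host "Target CA: '$($ca.displayName)' id=$($ca.id)"

# Step 3: delete, gated behind ShouldProcess. ConfirmImpact = High means the
# script prompts by default; -WhatIf shows the target without deleting it.
if ($PSCmdlet.ShouldProcess("$($ca.displayName) ($($ca.id))", 'Delete Cloud PKI certification authority')) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($ca.id)"

    # Verify: re-run the same filter and confirm the id is no longer returned.
    $after = @((Invoke-MgGraphRequest -Method GET -Uri $query).value)
    if (@($after | ForEach-Object { $_.id }) -contains $ca.id) {
        Write-Warning "CA $($ca.id) is still returned after DELETE; check Graph or the admin portal."
    }
    else {
        Write-Host "Deleted Cloud PKI CA '$($ca.displayName)' ($($ca.id))."
    }
}
```

Run it as `.\Remove-CloudPkiCa.ps1 -DisplayName 'DemoCA1' -WhatIf` first to see which object would be deleted, then without -WhatIf and answer the confirmation prompt. The re-query after the DELETE is the check that matters: it tells you whether the object is actually gone rather than relying on the request not raising an error.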
Delete certificate authorities from the Microsoft Intune admin portal
Unfortunately, the admin portal has not yet been updated with the functionality to delete Cloud PKI CAs. Once the portal is updated, I will update this guide to reflect how to use the Intune admin portal to delete CAs.