How to delete Cloud PKI CAs in Microsoft Intune

When Microsoft Cloud PKI was first released, deleting CAs was not simple. The functionality had not yet been built into the Intune admin portal, so you had to use Microsoft Graph to delete CAs that you had created for testing or with inaccurate settings. That Microsoft Graph permission was soon removed once it was identified that objects were being left behind (stranded) in the directory, and the official guidance became to raise a support request with the Microsoft Intune team, which took no longer than 1 week during my testing.

In this article, I will show you how to delete Cloud PKI CAs in Microsoft Intune.

Microsoft Intune: Revoke and Delete Cloud PKI Certification Authorities

Feature ID 399930 on the Microsoft 365 Roadmap highlights that you can now revoke and delete certification authorities in Microsoft Intune.

Delete Cloud PKI certificate authorities

Requirements

To delete Cloud PKI certificate authorities from the Microsoft Intune admin portal, you must have the Intune Administrator role assigned.

If you instead need to delete CAs programmatically with Microsoft Graph, a Global Administrator must consent to the DeviceManagementConfiguration.ReadWrite.All permission and you need the Microsoft Graph PowerShell SDK installed.

Delete certificate authorities with Microsoft Graph PowerShell

Using Microsoft Graph PowerShell is the quickest way to delete Cloud PKI CAs in Microsoft Intune. Follow the below steps to delete a specific CA using PowerShell.

1. Start by connecting to Microsoft Graph PowerShell with the required permission (the parameter is -Scopes; the abbreviated -scope also works through PowerShell's parameter prefix matching).

```powershell
Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
```

2. Find the CA you wish to delete by filtering for its display name. The backtick escapes the $ so that PowerShell sends the literal OData $filter query option rather than expanding a variable.

```powershell
$filter = "`$filter=DisplayName eq 'DemoCA1'"

# The beta endpoint returns a page of results; expand the value array to get the CA object(s)
$ca = Invoke-MgGraphRequest -Method GET `
    -Uri "/beta/deviceManagement/cloudCertificationAuthority?$filter" `
    | Select-Object -ExpandProperty Value
```

3. Delete the saved CA with a DELETE request against its id. Check that $ca holds exactly one object first: if the display name matched more than one CA, $ca.id expands to several ids and the URI is wrong.

```powershell
Invoke-MgGraphRequest -Method DELETE `
    -Uri "/beta/deviceManagement/cloudCertificationAuthority/$($ca.id)"
```
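The three steps above combined into one script, as an added example that is not part of the original article or of Microsoft's own tooling. It uses the same beta endpoint and the same displayName and id properties the article shows; the guard against zero or multiple matches, the typed confirmation, and the re-query after deletion are additions, and the CA name is a placeholder you pass in. Because deleting a CA is irreversible, the script refuses to act unless the filter matches exactly one CA and you confirm explicitly.

```powershell
# Added example, not the article's own code: delete one Cloud PKI CA by display name,
# refusing to act unless exactly one CA matches, then re-query to confirm it is gone.
# Assumes the Microsoft Graph PowerShell SDK and the beta endpoint used in the article.
param(
    [Parameter(Mandatory = $true)]
    [string]$DisplayName   # placeholder value supplied by the operator, e.g. 'DemoCA1'
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$baseUri = '/beta/deviceManagement/cloudCertificationAuthority'

# Double any single quote inside the name so the OData string literal stays well-formed,
# then URL-encode only the filter expression (encoding the whole query would break the '=').
$escapedName = $DisplayName.Replace("'", "''")
$query = '$filter=' + [uri]::EscapeDataString("DisplayName eq '$escapedName'")

$found = (Invoke-MgGraphRequest -Method GET -Uri "$baseUri?$query").value

if ($null -eq $found -or $found.Count -eq 0) {
    Write-Warning "No Cloud PKI CA named '$DisplayName' was found. Nothing deleted."
    return
}
if ($found.Count -gt 1) {
    Write-Warning "Filter matched $($found.Count) CAs; refusing to delete. Matched ids:"
    foreach ($item in $found) { Write-Warning "  $($item.id)  $($item.displayName)" }
    return
}

$ca = $found[0]
Write-Host "Found CA '$($ca.displayName)' with id $($ca.id)"

# Deletion cannot be undone, so require a case-sensitive typed confirmation first
$answer = Read-Host 'Type DELETE to remove this CA'
if ($answer -cne 'DELETE') {
    Write-Host 'Aborted; no changes made.'
    return
}

Invoke-MgGraphRequest -Method DELETE -Uri "$baseUri/$($ca.id)"

# Re-run the same filter; an empty result confirms the CA no longer exists in the tenant
$remaining = (Invoke-MgGraphRequest -Method GET -Uri "$baseUri?$query").value
if ($null -eq $remaining -or $remaining.Count -eq 0) {
    Write-Host "CA '$DisplayName' deleted."
} else {
    Write-Warning "CA '$DisplayName' is still present; inspect the Graph response and retry."
}
```

Save it as a .ps1 and run it as `.\Remove-CloudPkiCA.ps1 -DisplayName 'DemoCA1'` (file name is your choice). Keeping the lookup and the delete in one run, with the id taken from the GET response rather than typed by hand, avoids deleting the wrong CA when two test CAs have similar names.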

Delete certificate authorities from the Microsoft Intune admin portal

Unfortunately, the admin portal has not yet been updated with the functionality to delete Cloud PKI CAs. Once the portal is updated, I will update this guide to reflect how to use the Intune admin portal to delete CAs.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
