Hello Vishal Kumar,
This is a classic certificate trust issue in mixed Azure AD environments. The internal SSL certificate for your website is trusted on hybrid-joined devices because they sync the root CA from your on-premises Active Directory (via Group Policy), but Azure AD-joined-only devices don't have that automatic trust chain since they're not domain-joined. That's why the site shows "Not Secure" on those devices—the browser can't validate the cert against the internal root CA.
Yes, this is directly related to the lack of domain join, which means no GPO for CA distribution. The recommended Microsoft approach for Azure AD-joined devices is to deploy the root (and any intermediate) CA certificates via Microsoft Intune, as it handles modern management without needing on-prem dependencies. Group Policy won't apply to pure Azure AD-joined devices anyway, so Intune is the way to go for consistency. Here's how to do it step by step:
1. **Prepare the Certificate**: Export your internal root CA certificate (in .cer or .crt format) from the issuing CA server. Include any intermediates if your chain has them. Don't include the private key—just the public cert.
2. **Deploy via Intune**:
   - Sign in to the Microsoft Intune admin center (endpoint.microsoft.com).
   - Go to Devices > Configuration profiles > Create profile.
   - Select Platform: Windows 10 and later, Profile type: Templates > Trusted certificate.
   - In the Basics tab, name it something like "Internal Root CA Trust."
   - Under Configuration settings:
     - Certificate type: Root certificate for server validation (for website trust) or also Client authentication if needed.
     - Upload your .cer file for the root CA.
     - Subject name: Match your CA's subject (e.g., CN=YourInternalCA).
     - Deploy to the relevant device groups (e.g., all Azure AD-joined devices).
   - Assign the profile to your target user or device groups, and set it to monitor deployment status.
3. **Verify and Test**:
   - After deployment (it can take up to 8 hours, but usually faster), restart devices or run `gpupdate /force` if testing manually.
   - On a test Azure AD-joined device, open certmgr.msc, go to Trusted Root Certification Authorities > Certificates, and confirm your CA is listed.
   - Clear browser cache and revisit the site—it should now show as secure.
If your environment uses SCEP or PKCS for automated cert issuance, you could extend that via Intune for more dynamic management, but for a simple internal site, the trusted cert profile is sufficient and aligns with Microsoft's guidance for cloud-only devices. Avoid manual installs, as they're not scalable.
I hope this helps you solve the issue.
Best Regards,
Jerald Felix
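As an added example that is not part of the answer above, the following PowerShell check automates the "Verify and Test" step on an Azure AD-joined test device: it confirms the deployed root CA is in the machine Trusted Root store, then fetches the internal site's certificate and builds its chain with the device's own stores, the same way the browser does. The function name `Test-InternalRootTrust`, the thumbprint and the hostname are placeholders you replace with your own values.

```powershell
# Added verification script (not from the original answer). The thumbprint and
# hostname passed at the bottom are placeholders; replace them with your own.

function Test-InternalRootTrust {
    [CmdletBinding()]
    param(
        # SHA-1 thumbprint of the internal root CA deployed by the Intune profile (placeholder value)
        [Parameter(Mandatory)] [string] $RootCaThumbprint,
        # Hostname of the internal website that showed "Not Secure" (placeholder value)
        [Parameter(Mandatory)] [string] $SiteHost,
        [int] $Port = 443
    )

    # Normalise the thumbprint to the uppercase hex form used by the Cert: provider.
    $thumb = ($RootCaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Step 1: is the root CA in the machine-wide Trusted Root store, which is where a
    # "Root certificate for server validation" profile places it?
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
    $rootPresent = $null -ne $root
    if ($rootPresent) {
        Write-Verbose "Root CA present: $($root.Subject), expires $($root.NotAfter)"
    } else {
        Write-Warning "Root CA $thumb not found in Cert:\LocalMachine\Root; the Intune profile has not applied yet."
    }

    # Step 2: fetch the site's leaf certificate over TLS. The callback returns $true only so
    # that the handshake completes; the real trust decision is made by X509Chain below.
    $client = [System.Net.Sockets.TcpClient]::new($SiteHost, $Port)
    try {
        $noopCallback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noopCallback)
        $ssl.AuthenticateAsClient($SiteHost)   # sends SNI so name-based virtual hosts answer correctly
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }

    # Step 3: build the chain against the device's own stores, as the browser would.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($leaf)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Host               = $SiteHost
        LeafSubject        = $leaf.Subject
        RootInMachineStore = $rootPresent
        ChainBuilds        = $chainOk
        ChainAnchor        = $anchor.Subject
        AnchorIsExpectedCA = ($anchor.Thumbprint -eq $thumb)
        ChainErrors        = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Example invocation with placeholder values (replace with your CA thumbprint and site).
Test-InternalRootTrust -RootCaThumbprint '0000000000000000000000000000000000000000' `
                       -SiteHost 'intranet.example.internal' -Verbose
```

Run it in an elevated PowerShell session on the test device after the profile reports as applied in Intune. `RootInMachineStore` false with `ChainBuilds` false and a "certificate chain processed, but terminated in a root certificate which is not trusted" status in `ChainErrors` means the profile has not landed yet; `ChainBuilds` true but `AnchorIsExpectedCA` false means the site's chain terminates in a different root than the one you deployed (for example a stale intermediate or a different issuing CA), which certmgr.msc alone would not reveal.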