Error while Issuing a Client Certificate via Delegated SCEP
Multi-Factor Authentication
Okta Identity Engine
Overview

The following error occurred while using the delegated Simple Certificate Enrollment Protocol (SCEP) to issue a client certificate:
 

Insufficient privileges to complete the operation.

 

Applies To
  • Okta Identity Engine (OIE)
  • Microsoft Endpoint Manager
  • Azure Active Directory
Cause

The error was caused by the application permissions configured for the app in Azure Active Directory: the Intune scep_challenge_provider permission had not been granted.

Solution

Set the Intune scep_challenge_provider permissions:

  1. Select Azure Active Directory > App registrations.

  2. Click + Add a permission.

  3. In the Request API permissions section, scroll down and then click Intune.

  4. Under What type of permissions does your application require?, click on Application permissions.

  5. In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.

  6. Click Add permissions.

  7. In the Configured permissions section, click ✔ Grant admin consent for <Tenant_Name>.

  8. Click Yes in the message that appears.
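
To confirm that steps 2 through 8 took effect, the check below (an added example, not code from Okta or Microsoft) separates "permission requested" from "admin consent granted" using JSON shaped like Microsoft Graph application and servicePrincipal responses. The sample objects, the helper name permission_state and every GUID are constructed placeholders.

```python
# Added example: sample data is constructed and every GUID below is a placeholder.
ROLE = "scep_challenge_provider"

# Shaped like GET /servicePrincipals/{id} for the Intune resource.
INTUNE_SP = {
    "id": "00000000-0000-0000-0000-0000000000a1",      # service principal object id
    "appId": "00000000-0000-0000-0000-0000000000a2",   # resource application id
    "displayName": "Intune",
    "appRoles": [{"id": "00000000-0000-0000-0000-0000000000a3", "value": ROLE}],
}
# Shaped like GET /applications/{id}: what steps 2-6 write to the app registration.
APP = {"requiredResourceAccess": [{
    "resourceAppId": INTUNE_SP["appId"],
    "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000a3", "type": "Role"}],
}]}
# Shaped like GET /servicePrincipals/{id}/appRoleAssignments: what steps 7-8 create.
CONSENTED = {"value": [{
    "resourceId": INTUNE_SP["id"],
    "appRoleId": "00000000-0000-0000-0000-0000000000a3",
}]}
NOT_CONSENTED = {"value": []}


def permission_state(resource_sp, application, assignments, role_value=ROLE):
    """Return 'granted', 'configured, admin consent missing' or 'not configured'."""
    # Resolve the permission name to its role id from the resource's published appRoles.
    role_id = next((r["id"] for r in resource_sp.get("appRoles", [])
                    if r.get("value") == role_value), None)
    if role_id is None:
        raise ValueError(f"{role_value!r} is not published by this resource")
    # Requested as an Application permission: type "Role" (delegated would be "Scope").
    configured = any(
        rra.get("resourceAppId") == resource_sp["appId"]
        and any(a.get("id") == role_id and a.get("type") == "Role"
                for a in rra.get("resourceAccess", []))
        for rra in application.get("requiredResourceAccess", []))
    # Admin consent shows up as an app role assignment on the client's service principal.
    granted = any(
        a.get("resourceId") == resource_sp["id"] and a.get("appRoleId") == role_id
        for a in assignments.get("value", []))
    if granted:
        return "granted"
    return "configured, admin consent missing" if configured else "not configured"


if __name__ == "__main__":
    print(permission_state(INTUNE_SP, APP, CONSENTED))
    print(permission_state(INTUNE_SP, APP, NOT_CONSENTED))
    print(permission_state(INTUNE_SP, {"requiredResourceAccess": []}, NOT_CONSENTED))
```

A result of "configured, admin consent missing" means the permission was added in step 6 but consent in steps 7 and 8 was never completed.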

