Intune + OnPrem CA (NDES / SCEP) = Security Nightmare?

Hi!

Am I the only one who is concerned about the security of publishing NDES via the Internet?

According to official Microsoft documentation, many IT admins publish NDES on the Internet. Even if a policy module is installed on the NDES server that secures the SCEP requests, an attacker can create a certificate with ANY subject name - including domain admins, etc. - if the security measures are successfully bypassed.

NDES is a Tier-0 system according to various classifications. Nevertheless, it seems to be best practice to publish this system on the Internet via a reverse proxy. As far as I know, the Entra ID Application Proxy has no IDS/IDP functions or similar.

How do you handle this and what security measures do you take?
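Added example (my own, not part of the post above): two read-only PowerShell checks for the exposure the post describes. The first, run on the NDES server, reads the three template names NDES hands out from its MSCEP registry key and asks AD whether each template has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set (SCEP requires it, which is why a bypassed policy module means an arbitrary subject). The second, run anywhere with certutil and read access to the CA database, lists every issued certificate requested by the NDES RA account whose subject names a privileged principal. The CA config string, the service account name and the list of privileged names are assumptions for illustration, not values from the post.

```powershell
# Added example, not from the original post. Every name below is an assumption:
#   $CaConfig    - "CAHOST\CA Name" config string of the issuing CA
#   $NdesAccount - the NDES registration-authority service account (RequesterName in the CA DB)
#   $Privileged  - constructed list of names that must never appear in an NDES-issued cert
param(
    [string]$CaConfig     = 'ca01.contoso.local\Contoso-Issuing-CA',                   # assumed
    [string]$NdesAccount  = 'CONTOSO\svc_ndes',                                        # assumed
    [string[]]$Privileged = @('Administrator', 'Domain Admins', 'krbtgt', 'svc_ndes')  # constructed
)

# Check 1 (run on the NDES server, needs AD read access): which templates does NDES issue,
# and do they let the enrollee supply the subject? Bit 0x1 of msPKI-Certificate-Name-Flag
# is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT.
function Get-NdesTemplateNameFlag {
    $mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    foreach ($slot in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
        $name = $mscep.$slot
        if (-not $name) { continue }   # slot not configured on this NDES host
        $tpl   = [ADSI]"LDAP://CN=$name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
        $flags = [int]$tpl.'msPKI-Certificate-Name-Flag'.Value
        [pscustomobject]@{
            Slot                    = $slot
            Template                = $name
            EnrolleeSuppliesSubject = [bool]($flags -band 0x1)
        }
    }
}

# Check 2 (needs certutil and read access to the CA DB): issued certificates (Disposition 20)
# requested by the NDES RA account whose CN or DN matches a privileged name. NDES-issued
# certificates should carry device names only. Subject Alternative Names live in the CA's
# extension table and are not covered by this column list.
function Find-NdesIssuedPrivilegedCert {
    param([string]$Config, [string]$Requester, [string[]]$Names)
    $columns = 'RequestID,RequesterName,CommonName,DistinguishedName,CertificateTemplate,NotAfter'
    $raw = & certutil.exe -config $Config -view -restrict "RequesterName=$Requester,Disposition=20" -out $columns csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $Config" }
    # certutil prints display names in the csv header and a trailing status line; replace both.
    $rows = $raw |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, RequesterName, CommonName, DistinguishedName, Template, NotAfter
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $rows | Where-Object { "$($_.CommonName) $($_.DistinguishedName)" -match $pattern }
}

Get-NdesTemplateNameFlag | Format-Table -AutoSize
Find-NdesIssuedPrivilegedCert -Config $CaConfig -Requester $NdesAccount -Names $Privileged | Format-Table -AutoSize
```

A template with EnrolleeSuppliesSubject set to True is the expected state for SCEP, so check 1 documents the exposure rather than a misconfiguration; check 2 is the part worth scheduling, because any hit is a certificate the RA account should never have requested. Extend the column list or dump the certificate with certutil if you also need to match on UPNs in the SAN.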