Enrolling Windows Modern Devices with Azure Active Directory Join
Before you begin
- You must have an Azure Active Directory (AAD) Premium P1 license. You can check your license status by logging into the Azure portal, then selecting .
- You must have the following licenses: Azure user license of F3, Office 365 Business Basic, Office 365 Business Premium.
Check the Microsoft 365 Enterprise Licensing Resource for more information.
About this task
This procedure details the steps to configure Azure Active Directory (Azure AD) to enroll Windows Modern devices into on-premises SOTI MobiControl using the Azure Join enrollment method:
Verify Domain in Azure AD
Procedure
- From Azure AD, select .
- Copy the following values and provide them to your domain Administrator:
  - Record type
  - Alias or host name
  - Destination or points to address
  - TTL
Create and Configure the On-Premises Application in Azure AD
Procedure
- From Azure AD, select Mobility (MDM and MAM), then click Add application and select On-Premises MDM application.
- Provide a name for the application and click Add.
- If the Microsoft Intune app is present, you need to disable it so it does not interfere with the SOTI MobiControl On-Premises app you created.
- On the Configure screen set the MDM user scope to Some or All. If you select Some, you can specify which user groups to include.
- Update the MDM terms of use URL with the DMA of your SOTI MobiControl instance. For example: https://DMA/FederatedEnrollment/TermsOfUse.svc/TermsOfUse
- Update the MDM discovery URL with the DMA of your SOTI MobiControl instance. For example: https://DMA/FederatedEnrollment/Discovery.svc
  Note: You can find the DMA address in the SOTI MobiControl Admin Utility's Deployment Server tab.
- From Azure AD, select App Registrations, then select the new On-Premises app. Click the Application ID URI in the top right and edit the value with the DMA of the SOTI MobiControl instance.
- From Azure AD, select .
- Select Application permissions and add the following permissions:
- Select Delegated permissions and add the following permissions:
- Click Grant admin consent for <Tenant Name>. The status for the permissions should be listed as Granted for <Tenant Name>.
- From the current screen, select Manifest.
- Ensure that the value for groupMembershipClaims is set to "SecurityGroup".
- Ensure that identifierUris is set to the value you entered in the Application ID URI from the App Registration step.
  Note: If groupMembershipClaims is not set to "SecurityGroup", verify that the Application ID URI is set correctly. If it is set and the groupMembershipClaims value is still not appearing as expected, enter the following and click Save: "groupMembershipClaims": "1", Reopen the Manifest and groupMembershipClaims should be set to "SecurityGroup" as expected.
- From the current screen select Certificates and Secrets, then click New Client Secret.
- Enter a Description for the secret and set an Expiry, then click Add.
- Copy the value immediately and save it in another text file for future reference.
  Note: The value will be masked and you will not be able to read it again.
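The manifest and URL steps above are easy to get subtly wrong (a stale identifierUris entry or a groupMembershipClaims value that never normalized to "SecurityGroup" breaks group-based enrollment later). The following added example, which is not SOTI or Microsoft code, derives the URLs the procedure asks you to enter from a DMA hostname and checks a manifest exported from App Registrations > Manifest against them. The hostname dma.example.com and both manifest fragments are constructed sample data, and the assumption that the Application ID URI is entered as https://<DMA> is the author's, not the page's.

```python
"""Check an exported Azure AD app manifest against the SOTI MobiControl
On-Premises MDM settings from the procedure above (added example)."""
import json


def expected_urls(dma: str) -> dict:
    """Derive the URLs the procedure asks for from the DMA hostname.
    Assumption: the Application ID URI is entered as https://<DMA>."""
    base = f"https://{dma}"
    return {
        "terms_of_use": f"{base}/FederatedEnrollment/TermsOfUse.svc/TermsOfUse",
        "discovery": f"{base}/FederatedEnrollment/Discovery.svc",
        "application_id_uri": base,
    }


def check_manifest(manifest: dict, dma: str) -> list:
    """Return a list of problems found; an empty list means the manifest
    matches what the procedure expects."""
    problems = []

    # The procedure requires the literal string "SecurityGroup". A value of
    # "1" means the portal has not normalized the claim yet: reopen and recheck.
    claims = manifest.get("groupMembershipClaims")
    if claims == "1":
        problems.append('groupMembershipClaims is still "1"; reopen the Manifest and recheck')
    elif claims != "SecurityGroup":
        problems.append(f'groupMembershipClaims is {claims!r}, expected "SecurityGroup"')

    # identifierUris must carry the Application ID URI set for the DMA.
    uris = manifest.get("identifierUris") or []
    expected = expected_urls(dma)["application_id_uri"]
    if expected not in uris:
        problems.append(f"identifierUris {uris!r} does not contain {expected!r}")
    return problems


# Constructed sample manifests (not real tenant data).
GOOD_MANIFEST = json.loads("""{
  "groupMembershipClaims": "SecurityGroup",
  "identifierUris": ["https://dma.example.com"]
}""")

BAD_MANIFEST = json.loads("""{
  "groupMembershipClaims": null,
  "identifierUris": ["api://00000000-0000-0000-0000-000000000000"]
}""")


if __name__ == "__main__":
    dma = "dma.example.com"
    for name, url in expected_urls(dma).items():
        print(f"{name}: {url}")
    for label, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        issues = check_manifest(manifest, dma)
        print(f"{label} manifest:", "OK" if not issues else "; ".join(issues))
```

Run it against a manifest you downloaded from the portal by replacing the sample dictionaries with `json.load(open("manifest.json"))`; any reported problem maps directly to one of the manifest steps above.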
Configure SOTI MobiControl Tenant Configuration, On-Premises App Configuration, and Add Devices Rule
Procedure
- Log into SOTI MobiControl as an Administrator.
- Select Global Settings from the main menu.
- From the Settings tree on the left, select .
- Add an Azure Directory.
- In the Azure Directories screen, provide a name for the Azure Connection.
- In the Azure Tenant ID table click Add, then perform the following actions:
- From the same screen in SOTI MobiControl, click Add in the Application Names table, then perform the following actions:
- Click Save to save your Azure configuration.
- In SOTI MobiControl, select Policies from the main menu, then select tab. Right-click the Add Devices folder and select Create Add Devices Rule.
- Enter a Name for the rule, then click Next.
- Under Enrollment Options select Based on User Group Membership, click Next.
- Under Group Mappings, select your Azure connection in the In: box.
- Type the name of the Azure AD group you want to pull members from to be enrolled into SOTI MobiControl into the Search field and click Add.
- Map the Azure AD User Group to the SOTI MobiControl Device Group.
- Click Next, then click Next in the Authentication tab.
- Upload your terms and conditions in the Terms and Conditions tab. Click Next.
- In the Device Name tab, you can update the name of your devices. Click Next.
- Click Finish to save the Add Devices rule.
Enroll Windows Modern Devices
About this task
At this point, Azure and SOTI MobiControl are configured. Devices are ready to be enrolled into SOTI MobiControl using Azure join.
Procedure
- On the Windows 10 device, navigate to Connect. . Click
- Enter the user Email address and Password. The terms and conditions from the add devices rule appear.
- Accept the terms and conditions. In SOTI MobiControl you will be alerted that a new device has been enrolled. The device is now enrolled into SOTI MobiControl.