Microsoft 365 Integration - Conditional Access

Before you begin

M365 Conditional Access requires:
  • Conditional Access, Microsoft Azure Active Directory, Microsoft Intune (to set SOTI MobiControl as the third-party compliance partner), and Azure AD - Premium 1 or higher. Compatible Microsoft license plans (download PDF) include:
    • Microsoft 365 E3, E5, F1, or F3 licenses
    • Enterprise Mobility + Security E3 (EMS E3), or E5 (EMS E5)
macOS integration requires:
  • SOTI MobiControl version 15.5.2 or later
  • macOS Agent 15.2.1 or later
  • macOS 10.15 or later

M365 Conditional Access supports:

  • Android, iOS, and macOS with Microsoft User Mode device registration. The following table shows supported platforms and ownership models in SOTI MobiControl.
    Note: A personally-owned ownership model for macOS is not supported.
    Platform Ownership Model Management Type Synonym
    Android Enterprise Corporate-owned Work managed Company Owned/Business Only (COBO)
    Personally-owned Work profile Bring Your Own Device (BYOD)
    Corporate-owned Corporate personal Company Owned/Personally Enabled (COPE)
    iOS Corporate-owned Work managed Company Owned/Business Only (COBO)
    Personally-owned User enrollment with managed Apple ID Bring Your Own Device (BYOD)
    macOS Corporate-owned Work managed Company Owned/Business Only (COBO)

About this task

Integrating SOTI MobiControl with Microsoft enables customers to grant access to Microsoft 365 apps on Apple or Android devices using SOTI MobiControl compliance policies. Use SOTI MobiControl to send the compliance status of a device to Microsoft. You can then configure conditional access policies for Microsoft 365 applications in Azure AD. Users receive access to applications based on the device compliance status.
CAUTION: An unexpected error occurs if you try integrating Conditional Access with the same Microsoft Azure AD tenant for multiple SOTI MobiControl servers.
Note: After you complete the registration process, you will see the device registered into Azure. However, it displays as "Microsoft Intune" under the MDM column. This is a known Microsoft limitation.
Microsoft Endpoint Manager Devices screen showing Microsoft Intune in the MDM column

Setting up Conditional Access for Microsoft 365 consists of the following steps:


  1. In Microsoft Endpoint Manager, configure SOTI MobiControl as the third-party compliance partner.
  2. In Azure AD, create a device-based conditional access policy to control app access based on device compliance status.
  3. Connect SOTI MobiControl to Microsoft Endpoint Manager to report device compliance status.
  4. Create and assign an app policy to install SOTI MobiControl Agent, Authenticator, or Company Portal, and Microsoft 365 apps.
  5. Create and deploy the Extensible Single Sign-on (ESSO) payload (macOS).
  6. Create and assign a compliance policy in SOTI MobiControl to report compliance status to Microsoft.

    To access Microsoft 365 Apps, the user registers the device and authenticates with Azure AD.