Creating and Configuring the On-Premises Application in Azure AD

Before you begin

Complete the steps in Verifying the Domain in Azure AD.

About this task

Register SOTI MobiControl as the MDM application in Microsoft Entra ID (Azure AD), grant it the Microsoft Graph permissions it needs, and make sure Microsoft Intune is not also claiming MDM or MAM user scope, which would conflict with it.

Procedure

  1. In Microsoft Entra ID/Azure AD, navigate to Mobility (MDM and MAM).
  2. If Microsoft Intune is listed under Azure AD > Mobility (MDM and MAM), take it out of scope.
    Note: Intune and SOTI MobiControl cannot both own MDM enrollment for the same users. Setting the Intune scopes to None prevents interference with your SOTI MobiControl On-Premises application.
    1. Select the Microsoft Intune app.
    2. Set the MDM user scope to None.
    3. Set the MAM user scope to None.

      Microsoft Intune configuration in Microsoft Entra ID/Azure AD
  3. Select Add Application then Create your own application. Give your application a name then select Add.
  4. Set the MDM user scope to Some or All. If you select Some, you can specify which user groups to include.
  5. Update the following fields with the DMA of your SOTI MobiControl instance:
    • MDM terms of use URL: https://<DMA>/FederatedEnrollment/TermsOfUse.svc/TermsOfUse
    • MDM discovery URL: https://<DMA>/FederatedEnrollment/Discovery.svc
    Note: Find the DMA address in the SOTI MobiControl Admin Utility's Deployment Server tab.

    DMA configuration in Azure AD.

  6. From Azure AD, select App registrations.
  7. Find the new On-Premises app in the list. It carries the name you gave it in step 3.
  8. Select the application to open its registration.

    Microsoft Entra ID/Azure AD App Registrations page showing applications to select
  9. Select Application ID URI and edit its value so that it uses the DMA of your SOTI MobiControl instance. You will check this same value in the manifest later.

    Application ID URI example in Azure AD
  10. Select API Permissions > Add a permission > Select Microsoft Graph.

    Azure AD Microsoft Graph API selection.

  11. Select Application permissions and add the following permissions (the Microsoft Graph permission names are shown in parentheses):
    • Application permissions > Device > Read all devices (Device.Read.All)
    • Application permissions > Device > Read and write devices (Device.ReadWrite.All)
    • Application permissions > Directory > Read directory data (Directory.Read.All)
    • Application permissions > Directory > Read and write directory data (Directory.ReadWrite.All)
    • Application permissions > Group > Read all groups (Group.Read.All)
    • Application permissions > User > Read all users' full profiles (User.Read.All)
    Note: Application permissions are exercised by the app itself, without a signed-in user, and apply to the whole tenant. Directory.ReadWrite.All in particular grants broad write access to the directory, so treat the client secret you create in step 17 as a highly privileged credential.
  12. Select Delegated permissions and add the following permissions:
    • Delegated permissions > Group > Read all groups (Group.Read.All)
    • Delegated permissions > Group > Read and write all groups (Group.ReadWrite.All)

    Azure AD Microsoft Graph delegated permissions selection.

  13. Select Grant admin consent for <Tenant Name> and confirm. The Status column for each permission changes to Granted for <Tenant Name>. Until consent is granted, the permissions are only requested, not usable.

    Permissions listings in Azure AD.

  14. Select Manifest.
  15. Ensure that the value for groupMembershipClaims is "SecurityGroup".
  16. Ensure that identifierUris contains the value you entered for the Application ID URI in step 9.

    Manifest settings within Azure AD.

    Note: If groupMembershipClaims is not "SecurityGroup", first verify that the Application ID URI is correct. If the URI is correct but the groupMembershipClaims value still does not appear as expected, replace the line in the manifest with the following and select Save:

    "groupMembershipClaims": "1",

    Then reopen the Manifest and verify that the portal now shows groupMembershipClaims as "SecurityGroup". Without this claim, group-based assignments in SOTI MobiControl will not receive the user's security group memberships in the token.

  17. Select Certificates & secrets, then select New client secret.
  18. Enter a Description for the secret, set an Expiry, and select Add. Note the expiry date: SOTI MobiControl stops authenticating to Azure AD when the secret expires, so plan to rotate it before then.
  19. Copy the Value column (not the Secret ID) immediately and store it in a password manager or secret store for use in the next procedure.
    Note: The value is shown only once. After you leave the page it is masked and cannot be retrieved; if it is lost, delete the secret and create a new one.

    Client Secret setting in Azure AD.
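The following script is an added verification aid, not part of the original procedure or of the SOTI MobiControl product. It reads the app registration back through the Microsoft Graph PowerShell SDK and checks the state that steps 9 to 19 are meant to leave behind: the Application ID URI contains the DMA, groupMembershipClaims is SecurityGroup, every Microsoft Graph permission from steps 11 and 12 is both requested and admin-consented, and a client secret exists that is not about to expire. The app display name, the DMA value and the expiry threshold are assumptions passed as parameters; permission IDs are resolved from Microsoft Graph's own service principal rather than hard-coded. The script is read-only and needs only Application.Read.All and Directory.Read.All to run.

```powershell
# Verify-MobiControlAppRegistration.ps1 (added example, not SOTI's code)
# Requires: Install-Module Microsoft.Graph
param(
    [string]$AppDisplayName = "SOTI MobiControl On-Premises",  # assumed: name given in step 3
    [string]$Dma            = "mdm.example.com",               # assumed: your DMA address
    [int]$SecretWarnDays    = 30                               # assumed: rotation warning window
)

# Well-known application ID of Microsoft Graph (not an assumption).
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# Permission names exactly as added in steps 11 (application) and 12 (delegated).
$RequiredRoles  = "Device.Read.All", "Device.ReadWrite.All", "Directory.Read.All",
                  "Directory.ReadWrite.All", "Group.Read.All", "User.Read.All"
$RequiredScopes = "Group.Read.All", "Group.ReadWrite.All"

$failures = @()
function Report([bool]$ok, [string]$msg) {
    if ($ok) { Write-Host "[OK]   $msg" }
    else     { Write-Host "[FAIL] $msg"; $script:failures += $msg }
}

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$app     = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "App registration '$AppDisplayName' not found" }
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# Step 9 / 16: Application ID URI (identifierUris) must carry the DMA.
$uriMatch = $app.IdentifierUris | Where-Object { $_ -like "*$Dma*" }
Report ($null -ne $uriMatch) "identifierUris contains the DMA '$Dma'"

# Step 15: security group claims must be emitted in tokens.
Report ($app.GroupMembershipClaims -eq "SecurityGroup") "groupMembershipClaims is SecurityGroup (actual: '$($app.GroupMembershipClaims)')"

# Steps 11-12: permissions requested in the manifest (requiredResourceAccess).
$graphAccess = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $GraphAppId
foreach ($name in $RequiredRoles) {
    $role = $graphSp.AppRoles | Where-Object Value -eq $name
    $req  = $graphAccess.ResourceAccess | Where-Object { $_.Id -eq $role.Id -and $_.Type -eq "Role" }
    Report ($null -ne $req) "Application permission requested: $name"
}
foreach ($name in $RequiredScopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    $req   = $graphAccess.ResourceAccess | Where-Object { $_.Id -eq $scope.Id -and $_.Type -eq "Scope" }
    Report ($null -ne $req) "Delegated permission requested: $name"
}

# Step 13: admin consent. Application permissions become app role assignments on
# the service principal; delegated permissions become a tenant-wide OAuth2 grant.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($name in $RequiredRoles) {
    $role    = $graphSp.AppRoles | Where-Object Value -eq $name
    $granted = $assignments | Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -eq $role.Id }
    Report ($null -ne $granted) "Admin consent granted for application permission: $name"
}
$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
         Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq "AllPrincipals" }
$grantedScopes = if ($grant) { ($grant.Scope -join " ") -split "\s+" } else { @() }
foreach ($name in $RequiredScopes) {
    Report ($grantedScopes -contains $name) "Admin consent granted for delegated permission: $name"
}

# Steps 17-19: a client secret must exist and should not be close to expiry.
$now     = (Get-Date).ToUniversalTime()
$secrets = @($app.PasswordCredentials)
Report ($secrets.Count -gt 0) "At least one client secret exists"
foreach ($s in $secrets) {
    $daysLeft = [int]($s.EndDateTime.ToUniversalTime() - $now).TotalDays
    Report ($daysLeft -gt $SecretWarnDays) "Client secret '$($s.DisplayName)' valid for $daysLeft more days (warn under $SecretWarnDays)"
}

Disconnect-MgGraph | Out-Null
if ($failures.Count -gt 0) { Write-Error "$($failures.Count) check(s) failed"; exit 1 }
Write-Host "All checks passed."
```

Save the script as a .ps1 file and run it as a script rather than pasting it interactively, because Report writes to the script-scoped $failures variable. Note that the requested-versus-consented distinction matters: a permission can appear in the manifest while consent is still missing, and only the consent checks prove that the status in step 13 really reads Granted for <Tenant Name>.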

Results

Microsoft Intune no longer claims MDM or MAM user scope and does not conflict with SOTI MobiControl. The On-Premises app registration has the Application ID URI, Microsoft Graph permissions with admin consent, security group claims, and client secret that SOTI MobiControl needs.

What to do next

Follow the procedure in Configuring SOTI MobiControl Tenant and On-Premises App.