Microsoft 365 Integration - Conditional Access
Before you begin
M365 Conditional Access requires:
- Microsoft Azure Active Directory
- Microsoft Intune (to set SOTI MobiControl as the third-party compliance partner)
- Azure AD Premium 1 or higher. Compatible Microsoft license plans include Microsoft 365 E3, E5, F1, or F3 licenses, or Enterprise Mobility + Security E3 (EMS E3) or E5 (EMS E5) in Microsoft Entra ID/Azure AD. When adding a license for a user, select all services. Note that services differ based on the subscription type.
macOS integration requires:
- SOTI MobiControl version 15.5.2 or later
- macOS Agent 15.2.1 or later
- macOS 10.15 or later
M365 Conditional Access supports:
- Android, iOS, and macOS with Microsoft User Mode device registration. The following table shows the supported platforms and ownership models in SOTI MobiControl.
Note: A personally-owned ownership model for macOS is not supported.
Platform           | Ownership Model  | Management Type                       | Synonym
Android Enterprise | Corporate-owned  | Work managed                          | Company Owned/Business Only (COBO)
Android Enterprise | Personally-owned | Work profile                          | Bring Your Own Device (BYOD)
Android Enterprise | Corporate-owned  | Corporate personal                    | Company Owned/Personally Enabled (COPE)
iOS                | Corporate-owned  | Work managed                          | Company Owned/Business Only (COBO)
iOS                | Personally-owned | User enrollment with managed Apple ID | Bring Your Own Device (BYOD)
macOS              | Corporate-owned  | Work managed                          | Company Owned/Business Only (COBO)
About this task
Integrating SOTI MobiControl with Microsoft enables customers to
grant access to Microsoft 365 apps on Apple or Android devices using SOTI MobiControl compliance policies. Use SOTI MobiControl
to send the compliance status of a device to Microsoft. You can then configure
conditional access policies for Microsoft 365 applications in Azure AD. Users
receive access to applications based on the device compliance status.
CAUTION: An unexpected error occurs if you try
integrating Conditional Access with the same Microsoft Azure AD tenant for
multiple SOTI MobiControl servers.
Note: After you complete the registration process, you
will see the device registered into Azure. However, it displays as
"Microsoft Intune" under the MDM column. This is a known Microsoft
limitation.
Setting up Conditional Access for Microsoft 365 consists of the following steps:
Procedure
- In Microsoft Endpoint Manager, configure SOTI MobiControl as the third-party compliance partner.
- In Microsoft Entra ID/Azure AD, assign licenses for use with Single Sign On (SSO) using Microsoft Authenticator.
- In Azure AD, create a device-based conditional access policy to control app access based on device compliance status.
- Connect SOTI MobiControl to Microsoft Endpoint Manager to report device compliance status.
- Create and assign an app policy to install SOTI MobiControl Agent, Authenticator, or Company Portal, and Microsoft 365 apps.
- Create and deploy the Extensible Single Sign-on (ESSO) payload (macOS).
- Create and assign a compliance policy in SOTI MobiControl to report compliance status to Microsoft.
To access Microsoft 365 Apps, the user registers the device and authenticates with Azure AD.
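The device-based conditional access policy from the procedure above, written as an added example with the Microsoft Graph PowerShell SDK (this is not SOTI's or Microsoft's documentation code). It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example: create the "require compliant device" policy for Microsoft 365 apps
# on the three platforms this page lists. Assumes Microsoft.Graph.Identity.SignIns
# is installed and the caller holds Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of your emergency-access (break-glass) group. Excluding it
# keeps administrators reachable if the compliance partner stops reporting status.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

$policy = @{
    displayName = 'Require compliant device for Microsoft 365 (SOTI MobiControl)'
    # Report-only first: sign-in logs show which sign-ins would have been blocked,
    # so the SOTI-to-Intune compliance feed can be verified before enforcement.
    # Change to 'enabled' once the report-only results look correct.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @('Office365')   # the Microsoft 365 application set
        }
        platforms      = @{
            includePlatforms = @('android', 'iOS', 'macOS')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # 'compliantDevice' is met only when the compliance status SOTI MobiControl
        # sends to Intune marks the registered device as compliant.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Check the policy's effect in the Azure AD sign-in logs (Conditional Access tab, "Report-only" result) for a device SOTI MobiControl has marked non-compliant before switching the state to enabled.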