Microsoft 365 Integration - Conditional Access
Before you begin
M365 Conditional Access requires:
- Microsoft Entra ID Conditional Access, Microsoft Intune (to set SOTI MobiControl as the third-party compliance partner), and Microsoft Entra ID Premium 1 or higher. Compatible Microsoft license plans include:
  - Microsoft 365 E3, E5, F1, or F3 licenses, or Enterprise Mobility + Security E3 (EMS E3) or E5 (EMS E5) in Microsoft Entra ID. When adding a license for a user, select all services. Note that services differ based on the subscription type.
macOS integration requires:
- SOTI MobiControl version 15.5.2 or later
- macOS Agent 15.2.1 or later
- macOS 10.15 or later
M365 Conditional Access supports:
- Android, iOS, and macOS with Microsoft User Mode device registration. The following table shows supported platforms and ownership models in SOTI MobiControl.
Note: A personally-owned ownership model for macOS is not supported.

Platform            Ownership Model    Management Type                          Synonym
Android Enterprise  Corporate-owned    Work managed                             Company Owned/Business Only (COBO)
Android Enterprise  Personally-owned   Work profile                             Bring Your Own Device (BYOD)
Android Enterprise  Corporate-owned    Corporate personal                       Company Owned/Personally Enabled (COPE)
iOS                 Corporate-owned    Work managed                             Company Owned/Business Only (COBO)
iOS                 Personally-owned   User enrollment with managed Apple ID    Bring Your Own Device (BYOD)
macOS               Corporate-owned    Work managed                             Company Owned/Business Only (COBO)
About this task
Integrating SOTI MobiControl with Microsoft enables customers to
grant access to Microsoft 365 apps on Apple or Android devices using SOTI MobiControl compliance policies. Use SOTI MobiControl
to send the compliance status of a device to Microsoft. You can then configure
conditional access policies for Microsoft 365 applications in Entra ID. Users
receive access to applications based on the device compliance status.
CAUTION: An unexpected error occurs if you try
integrating Conditional Access with the same Microsoft Entra ID tenant for
multiple SOTI MobiControl servers.
Note: After you complete the registration process, you will see
the device registered into Entra. However, it displays as "Microsoft Intune"
under the MDM column. This is a known Microsoft limitation.
Setting up Conditional Access for Microsoft 365 consists of the following steps:
Procedure
- Connect SOTI MobiControl to Microsoft Intune so that it can report device compliance status, and in Microsoft Intune configure SOTI MobiControl as the third-party compliance partner.
- In Microsoft Entra ID, assign licenses for use with Single Sign On (SSO) using Microsoft Authenticator.
- In Microsoft Entra ID, create a device-based conditional access policy to control app access based on device compliance status.
- Create and assign an app policy to install SOTI MobiControl Agent, Authenticator, or Company Portal, and Microsoft 365 apps.
- Create and deploy the Extensible Single Sign-on (ESSO) payload (macOS).
- Create and assign a compliance policy in SOTI MobiControl to report compliance status to Microsoft.
To access Microsoft 365 Apps, the user registers the device and authenticates with Entra ID.
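The macOS step above deploys an Extensible Single Sign-on (ESSO) payload, which is a standard Apple configuration profile of type com.apple.extensiblesso that hands the Microsoft sign-in URLs to the Microsoft Enterprise SSO plug-in. The following is an added example, not SOTI's or Microsoft's code, that builds such a profile with Python's plistlib and then checks a .mobileconfig before it is uploaded to the MDM: the extension identifier, team identifier, redirect type and login URLs are the values Microsoft documents for its Enterprise SSO plug-in; the organization name, profile identifier and the ``check_esso_profile`` helper are assumptions made for illustration.

```python
import plistlib
import uuid

# Values documented by Microsoft for the Enterprise SSO plug-in on macOS.
# They are not taken from this page; verify them against current Microsoft docs.
MS_SSO_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
MS_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]


def build_esso_profile(org="Example Corp (placeholder)", profile_id="com.example.esso"):
    """Return the dict of a macOS configuration profile carrying one ESSO payload.

    org and profile_id are constructed placeholders; replace them with your own.
    """
    esso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{profile_id}.extensiblesso",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Microsoft Enterprise SSO",
        # Pins which signed extension may handle the identity provider's URLs.
        "ExtensionIdentifier": MS_SSO_EXTENSION_ID,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(MS_LOGIN_URLS),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": profile_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Extensible SSO (Microsoft 365)",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [esso_payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to the XML plist bytes of a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_esso_profile(data):
    """Parse .mobileconfig bytes and return a list of problems (empty when it looks right).

    Hypothetical pre-upload check: a wrong extension/team identifier means the
    plug-in never receives the sign-in requests, and a non-HTTPS or foreign URL
    would route authentication traffic to the wrong place.
    """
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # plistlib raises several exception types for bad input
        return [f"not a valid plist: {exc}"]
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    esso = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(esso) != 1:
        return problems + ["expected exactly one com.apple.extensiblesso payload"]
    payload = esso[0]
    if payload.get("ExtensionIdentifier") != MS_SSO_EXTENSION_ID:
        problems.append("ExtensionIdentifier does not match the Microsoft SSO extension")
    if payload.get("TeamIdentifier") != MS_TEAM_ID:
        problems.append("TeamIdentifier does not match Microsoft's team identifier")
    if payload.get("Type") != "Redirect":
        problems.append("Type must be Redirect for the Microsoft plug-in")
    urls = payload.get("URLs", [])
    if not any(u.startswith("https://login.microsoftonline.com") for u in urls):
        problems.append("URLs must include https://login.microsoftonline.com")
    for u in urls:
        if not u.startswith("https://"):
            problems.append(f"non-HTTPS URL in payload: {u}")
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_esso_profile())
    print(blob.decode())
    print("problems:", check_esso_profile(blob))
```

Run the file to print the profile XML and an empty problem list; feed ``check_esso_profile`` the bytes of any exported .mobileconfig to catch a mistyped identifier or URL before the profile is pushed to devices.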