Creating and Configuring the On-Premises Application in Microsoft Entra ID

Before you begin

Complete the domain verification in Microsoft Entra ID. See Verifying the Domain in Microsoft Entra ID.
Note: You must set the Microsoft Intune MDM and MAM user scopes to None so that Intune does not interfere with enrollment through your SOTI MobiControl on-premises application.

About this task

Configure your on-premises application and make sure that it has no conflicts with Microsoft Intune.

Procedure

  1. In Microsoft Entra ID (formerly Azure AD), navigate to Mobility (MDM and MAM).
  2. If the Microsoft Intune app is listed under Mobility (MDM and MAM), disable it:
    1. Select the Microsoft Intune app.
    2. Set MDM user scope to None.
    3. Set MAM user scope to None.

      Microsoft Intune configuration in Microsoft Entra ID
  3. Select Add Application, then Create your own application. Enter a name for your application, then select Add.
  4. Set MDM user scope to Some or All. Some limits MDM enrollment through this application to members of the groups you select; All applies it to every user in the tenant.
  5. Update the following fields with the Device Management Address (DMA) of your SOTI MobiControl instance:
    • MDM terms of use URL: https://<DMA>/FederatedEnrollment/TermsOfUse.svc/TermsOfUse
    • MDM discovery URL: https://<DMA>/FederatedEnrollment/Discovery.svc
    Note: Obtain the DMA from the Deployment Server tab of the SOTI MobiControl Admin Utility. Both URLs must use HTTPS and be reachable from the devices you enroll.

    DMA configuration in Azure AD.

  6. From Microsoft Entra ID, select App Registrations.
  7. Select your newly added on-premises application.

    Microsoft Entra ID App Registrations page showing applications to select
  8. Select Application ID URI and set its value using the DMA (for example, https://<DMA>). Note the exact value; you will verify it in the Manifest later.

    Application ID URI example in Microsoft Entra ID
  9. Select API permissions > Add a permission > Microsoft Graph.

    Microsoft Entra ID Microsoft Graph API selection.

  10. Select Application permissions and add the following permissions (the Microsoft Graph permission name is given in parentheses):
    • Application permissions > Device > Read all devices (Device.Read.All)
    • Application permissions > Device > Read and write devices (Device.ReadWrite.All)
    • Application permissions > Directory > Read directory data (Directory.Read.All)
    • Application permissions > Directory > Read and write directory data (Directory.ReadWrite.All)
    • Application permissions > Group > Read all groups (Group.Read.All)
    • Application permissions > User > Read all users' full profiles (User.Read.All)
    Note: Application permissions apply tenant-wide and are not limited by the MDM user scope you set in step 4. Anyone holding the client secret you create in step 16 can use them, so add only the permissions listed here.
  11. Select Delegated permissions and add the following permissions:
    • Delegated permissions > Group > Read all groups (Group.Read.All)
    • Delegated permissions > Group > Read and write all groups (Group.ReadWrite.All)

    Microsoft Entra ID Microsoft Graph delegated permissions selection.

  12. Select Grant admin consent for <Tenant Name> and confirm. The Status column then shows Granted for <Tenant Name> for every permission. Application permissions are unusable until this consent is granted.

    Permissions listings in Azure AD.

  13. Select Manifest.
  14. Make sure that the value of groupMembershipClaims is "SecurityGroup".
  15. Make sure that identifierUris contains the Application ID URI you entered in step 8.

    Manifest settings within Azure AD.

    Note: If groupMembershipClaims is not "SecurityGroup", first verify that the Application ID URI is correct. If the URI is correct and groupMembershipClaims still does not show the expected value, set it as follows and select Save:

    "groupMembershipClaims": "1",

    Reopen the Manifest and verify that groupMembershipClaims now reads "SecurityGroup"; the portal normalizes the numeric value to that name.

  16. Select Certificates & secrets, then select New client secret.
  17. Enter a Description for the secret, set an Expiry, and select Add. Choose the shortest expiry your rotation process supports; you will need to create and deploy a new secret before this one expires.
  18. Copy the Value immediately and store it in your secrets manager or another access-controlled location. You will need it when configuring SOTI MobiControl. This secret, combined with the application permissions granted above, gives tenant-wide access to devices, users, groups and directory data, so treat it like an administrator credential.
    Note: The value is shown only once. After you leave the page it is masked and cannot be read again; if it is lost, create a new secret and delete the old one.

    Client Secret setting in Azure AD.
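The following script is an added example, not part of this SOTI documentation and not SOTI's own tooling. It re-checks the registration produced by steps 8 through 18 through the Microsoft Graph PowerShell SDK: the Application ID URI, groupMembershipClaims, the requested and admin-consented Microsoft Graph permissions, any extra application permissions beyond the list above, and client secrets that are close to expiry. The application name, the DMA, and the exact form of the Application ID URI (https://<DMA>) are assumptions; adjust them to the values you entered. The MDM discovery and terms-of-use URLs from step 5 are not exposed on the application object, so verify those in the portal.

```powershell
# Added example (not SOTI's code): verify the Entra ID on-premises app registration.
# Requires the Microsoft.Graph PowerShell SDK and a caller who can read applications.
param(
    [string]$AppDisplayName = 'SOTI MobiControl On-Premises',  # assumed name from step 3
    [string]$Dma            = 'mdm.example.com',               # assumed DMA from step 5
    [int]$SecretWarnDays    = 30                               # warn when a secret expires sooner than this
)

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "App registration '$AppDisplayName' not found" }

# Microsoft Graph's own service principal lists every permission name with its ID,
# so names can be resolved without hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames  = @{}; $graphSp.AppRoles               | ForEach-Object { $roleNames[$_.Id]  = $_.Value }
$scopeNames = @{}; $graphSp.Oauth2PermissionScopes | ForEach-Object { $scopeNames[$_.Id] = $_.Value }

# Permissions the procedure asks for (steps 10 and 11)
$expectedRoles  = 'Device.Read.All','Device.ReadWrite.All','Directory.Read.All',
                  'Directory.ReadWrite.All','Group.Read.All','User.Read.All'
$expectedScopes = 'Group.Read.All','Group.ReadWrite.All'

$findings = @()

# Steps 8 and 15: Application ID URI carries the DMA (URI form is an assumption)
if ($app.IdentifierUris -notcontains "https://$Dma") {
    $findings += "identifierUris does not contain https://$Dma (found: $($app.IdentifierUris -join ', '))"
}

# Step 14: security group claims in the token
if ($app.GroupMembershipClaims -ne 'SecurityGroup') {
    $findings += "groupMembershipClaims is '$($app.GroupMembershipClaims)', expected 'SecurityGroup'"
}

# Steps 10 and 11: permissions requested against the Microsoft Graph resource
$graphReq = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $graphSp.AppId }
$requestedRoles  = @($graphReq.ResourceAccess | Where-Object Type -eq 'Role'  | ForEach-Object { $roleNames[$_.Id] })
$requestedScopes = @($graphReq.ResourceAccess | Where-Object Type -eq 'Scope' | ForEach-Object { $scopeNames[$_.Id] })
foreach ($r in $expectedRoles)  { if ($requestedRoles  -notcontains $r) { $findings += "missing application permission $r" } }
foreach ($s in $expectedScopes) { if ($requestedScopes -notcontains $s) { $findings += "missing delegated permission $s" } }

# Anything beyond the list widens what the client secret can do; flag it for review
$extraRoles = $requestedRoles | Where-Object { $expectedRoles -notcontains $_ }
if ($extraRoles) { $findings += "application permissions not required by the procedure: $($extraRoles -join ', ')" }

# Step 12: admin consent for application permissions is recorded as app role
# assignments on the application's service principal, with Microsoft Graph as the resource
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$grantedRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
                  Where-Object ResourceId -eq $graphSp.Id |
                  ForEach-Object { $roleNames[$_.AppRoleId] })
foreach ($r in $expectedRoles) {
    if ($grantedRoles -notcontains $r) { $findings += "application permission $r is requested but not admin-consented" }
}

# Steps 16 to 18: secret hygiene. Expiry is the only secret property readable afterwards.
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
    if ($daysLeft -lt $SecretWarnDays) {
        $findings += "client secret '$($cred.DisplayName)' expires in $daysLeft days; rotate it before then"
    }
}
if (-not $app.PasswordCredentials) { $findings += 'no client secret exists; step 16 has not been completed' }

if ($findings) {
    Write-Warning "Registration '$AppDisplayName' needs attention:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "Registration '$AppDisplayName' matches the procedure."
}
```

Run the script after step 18 and again whenever the registration is changed or a secret is rotated; an extra application permission or a consent that is missing on the service principal is easy to miss in the portal but shows up here as a single warning line.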

Results

The on-premises application is registered in Microsoft Entra ID with the Microsoft Graph permissions and client secret that SOTI MobiControl requires, and Microsoft Intune no longer conflicts with it.

What to do next

Follow the procedure in Configuring SOTI MobiControl Tenant and On-Premises App.