Configure Conditional Access for Microsoft Authenticator SSO (iOS/iPadOS)

Integrate Microsoft Conditional Access to enforce sign-in policies and validate Single Sign-On (SSO) compliance through your Microsoft Entra ID tenant.

Before you begin

Ensure the following steps have been completed:
  1. Add a Microsoft Authenticator SSO Payload (iOS/iPadOS).
  2. Connect Microsoft Entra ID for Microsoft Authenticator SSO (iOS/iPadOS).

About this task

This is the third step in configuring Microsoft Authenticator SSO for iOS/iPadOS devices. See Configuring Microsoft Authenticator Single Sign-On (iOS/iPadOS). In this step, you integrate Conditional Access with SOTI MobiControl, which allows SOTI MobiControl to enforce sign-in requirements and validate device and user compliance against your Microsoft Entra ID tenant.

You integrate your Microsoft account, approve required permissions, and synchronize tenant details with SOTI MobiControl.

Procedure

  1. Select Manage in the Conditional Access details section of your Microsoft Authenticator SSO payload.
    Managing conditional access details.
  2. Select Add Credentials to integrate your Microsoft account.
    Integrating your Microsoft account.
  3. Select Populate to import the Tenant ID from the connected Entra ID configuration.
    Selecting Populate in the Populate Tenant ID prompt.
  4. Enter a name for the Microsoft Conditional Access integration and select Save.
    Saving the Microsoft Integration.
  5. Complete the sign-in process through the Microsoft portal by selecting Continue. Review and approve all requested permissions.
    Continuing to Microsoft's sign-in page.
    Review requested permissions
    Note: The following list details the permissions required for Microsoft Intune and Microsoft Graph, with the description and purpose of each:
    Intune: manage_partner_compliance_policy
      Description: Needed for the Intune partner service to authenticate compliance policies.
      Purpose: Required for all 3rd party MDM compliance partner apps.
    Intune: update_device_attributes
      Description: Needed for the Intune partner service to authenticate compliance policies.
      Purpose: Required for all 3rd party MDM compliance partner apps.
    Microsoft Graph: Application.Read.All
      Description: Required under Microsoft Graph to call the Service Endpoint Discovery API.
      Purpose: Required for all 3rd party MDM compliance partner apps.
    Microsoft Graph: DeviceManagementServiceConfig.ReadWrite.All
      Description: Needed to create the SOTI MobiControl Compliance partner in Microsoft Intune automatically.
      Purpose: Automates adding SOTI MobiControl as a compliance partner.
    Microsoft Graph: Group.Read.All
      Description: Needed for SOTI MobiControl to validate a Microsoft Entra ID user's SSO login.
      Purpose: Validates the Microsoft Entra ID user's SSO login.
    Microsoft Graph: User.Read.All
      Description: Needed for SOTI MobiControl to validate a Microsoft Entra ID user's SSO login.
      Purpose: Validates the Microsoft Entra ID user's SSO login.
    Microsoft Graph: User.Read (Delegated)
      Description: Configured and added by Microsoft by default when registering the SOTI MobiControl Device Compliance app.
      Purpose: Ensures successful return of an ID token.
    Microsoft Graph: Device.ReadWrite.All
      Description: Allows admins to enforce Microsoft Conditional Access for Windows Modern Entra ID Join enrolled devices.
      Purpose: Sets the device's compliance status in the Entra ID portal.
  6. Optional: Remove the Device.ReadWrite.All permission from Microsoft Entra ID

    If you are only using Android or Apple and do not need Windows Modern Conditional Access, remove the Device.ReadWrite.All permission from the Microsoft Entra ID portal:

    1. Open the Microsoft Entra ID portal.
    2. Select Enterprise Applications.
    3. Select SOTI MobiControl Device Compliance.
    4. Select Security, then select Permissions.
    5. Find the Device.ReadWrite.All permission.
    6. Select the three-dot menu next to the permission, then select Remove.
    7. In SOTI MobiControl, go to Global Settings, then select SYNC.
    8. When the CONSENT button appears in the Conditional Access section, select it to re-authorize the permission if needed.
      Note: Removing this permission does not affect existing iOS, macOS, or Android SOTI MobiControl Microsoft integrations.
    Upon successful integration, Microsoft redirects you to the SOTI MobiControl console for synchronization.
    SOTI MobiControl's successful connection message.
  7. Select SYNC to complete the integration.
    Syncing Microsoft with SOTI MobiControl
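The following script is an added audit check, not SOTI or Microsoft code: it reads the application permissions actually consented to the SOTI MobiControl Device Compliance enterprise application and compares them with the set listed in step 5, flagging Device.ReadWrite.All when Windows devices are not in use (step 6). It assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise application's display name is exactly "SOTI MobiControl Device Compliance" as shown in the portal.

```powershell
# Added example (not SOTI or Microsoft code). Assumes the Microsoft Graph PowerShell
# SDK and that the enterprise app is named exactly "SOTI MobiControl Device Compliance".
param([switch]$WindowsInUse)   # set when Windows Modern Entra ID Join devices are enrolled

Connect-MgGraph -Scopes "Application.Read.All"

# Application permissions documented in step 5 (User.Read is delegated, handled below)
$expected = @(
    "manage_partner_compliance_policy",
    "update_device_attributes",
    "Application.Read.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Group.Read.All",
    "User.Read.All"
)
if ($WindowsInUse) { $expected += "Device.ReadWrite.All" }

$sp = Get-MgServicePrincipal -Filter "displayName eq 'SOTI MobiControl Device Compliance'"
if (-not $sp) { throw "Enterprise application not found in this tenant" }

# An app role assignment only carries the role GUID; resolve it to its permission
# value (e.g. Device.ReadWrite.All) through the resource service principal's AppRoles.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
}
$grantedValues = @($granted.Permission)

"Granted application permissions:"
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize

$missing = $expected      | Where-Object { $_ -notin $grantedValues }
$excess  = $grantedValues | Where-Object { $_ -notin $expected }
if ($missing) { Write-Warning "Documented permission not consented: $($missing -join ', ')" }
if ($excess)  { Write-Warning "Consented beyond the documented set, review: $($excess -join ', ')" }
if (-not $WindowsInUse -and $grantedValues -contains "Device.ReadWrite.All") {
    Write-Warning "Device.ReadWrite.All is consented but only needed for Windows; see step 6"
}

# The delegated User.Read permission is an OAuth2 permission grant, not an app role.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
"Delegated scopes: $(($delegated.Scope -join ' ').Trim())"
```

Run it again after the SYNC and CONSENT steps so the Entra ID grants and the SOTI MobiControl integration are checked in the same state.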

Results

SOTI MobiControl displays an Active account status and confirms that the Tenant ID matches your Microsoft Entra ID tenant.
Verifying the Tenant ID matching status.

What to do next

Proceed with configuring Microsoft Authenticator SSO for your iOS/iPadOS devices by defining the Extensible SSO URL prefixes. See Define Extensible SSO for Microsoft Authenticator SSO (iOS/iPadOS).