Microsoft Integration | Conditional Access
Before you begin
- Conditional Access, Microsoft Entra ID, Microsoft Intune (to set SOTI MobiControl as the third-party compliance partner), and Entra ID Premium 1 or higher. Compatible Microsoft license plans include:
- Microsoft 365 E3, E5, F1, or F3 licenses, or Enterprise Mobility + Security E3 (EMS E3) or E5 (EMS E5) in Microsoft Entra ID. When adding a license for a user, select all services. Note that services differ based on the subscription type.
- SOTI MobiControl version 15.5.2 or later
- macOS Agent 15.2.1 or later
- macOS 10.15 or later
Microsoft Conditional Access supports:
- Android, iOS, and macOS with Microsoft User Mode device registration. The following table shows the supported platforms and ownership models in SOTI MobiControl. Note: A personally-owned ownership model for macOS is not supported.

| Platform | Ownership Model | Management Type | Synonym |
|---|---|---|---|
| Android Enterprise | Corporate-owned | Work managed | Company Owned/Business Only (COBO) |
| Android Enterprise | Personally-owned | Work profile | Bring Your Own Device (BYOD) |
| Android Enterprise | Corporate-owned | Corporate personal | Company Owned/Personally Enabled (COPE) |
| iOS | Corporate-owned | Work managed | Company Owned/Business Only (COBO) |
| iOS | Personally-owned | User enrollment with managed Apple ID | Bring Your Own Device (BYOD) |
| macOS | Corporate-owned | Work managed | Company Owned/Business Only (COBO) |
About this task
Integrating SOTI MobiControl with Microsoft enables customers to
grant access to Microsoft 365 apps on Apple or Android devices using SOTI MobiControl compliance policies. Use SOTI MobiControl
to send the compliance status of a device to Microsoft. You can then configure
conditional access policies for Microsoft 365 applications in Entra ID. Users
receive access to applications based on the device compliance status.
Note: You can integrate one Microsoft Entra tenant with multiple SOTI MobiControl servers, so that each server can use tenant features such as Conditional Access and Microsoft Authenticator SSO.
Note: After you complete the registration process, the device appears as registered in Entra ID. However, it displays as "Microsoft Intune" under the MDM column. This is a known Microsoft limitation.


Setting up Conditional Access for Microsoft 365 consists of the following steps:
Procedure
- Step one: Connect SOTI MobiControl to Microsoft Intune to report device compliance status and in Microsoft Intune, configure SOTI MobiControl as the third-party compliance partner. See Integrate SOTI MobiControl with Microsoft Intune and Configure Compliance Partner.
- Step two: Assign User Licenses in Microsoft Entra ID/Azure AD.
- Step three: In Microsoft Entra ID, create a device-based conditional access policy to control app access based on device compliance status. See Create a Device-Based Conditional Access Policy.
- Step four: Create and assign an app policy to install the SOTI MobiControl Agent, Microsoft Authenticator, or Company Portal, and the Microsoft 365 apps, and register your device. Register your device in one of the following modes:
  - User mode:
  - Shared Device mode:
    - Android: Configuring an App Policy for Microsoft Shared Device Mode (Android Enterprise Work Managed)
    - iOS: To register an iOS device in Microsoft's Shared mode, you must deploy the Microsoft Authenticator SSO payload. See Single Sign-On (SSO) for Shared Devices Using Microsoft Authenticator.
- Step five: Create and Assign Compliance Policy for Conditional Access.
To access Microsoft 365 Apps, the user registers the device and authenticates with Entra ID. See Conditional Access on the Device.
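The device-based policy from step three, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the SOTI MobiControl documentation. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator can write Conditional Access policies; the pilot group and emergency access account object IDs are placeholders. The policy requires a compliant device (the status SOTI MobiControl reports to Intune as compliance partner) for the Microsoft 365 app set on Android, iOS, and macOS, and is created in report-only state so the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not SOTI documentation): create the step-three device-based
# Conditional Access policy through Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph SDK is installed; object IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policyName = "Require compliant device for Microsoft 365 on Android, iOS and macOS"

$policy = @{
    displayName = $policyName
    # Report-only first: sign-in logs show what the policy would have done
    # without locking anyone out while the compliance partner is being piloted.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("<PILOT-GROUP-OBJECT-ID>")         # placeholder: licensed, enrolled pilot users
            excludeUsers  = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>") # placeholder: emergency access account
        }
        applications = @{
            includeApplications = @("Office365")                 # Graph alias for the Microsoft 365 app set
        }
        platforms = @{
            includePlatforms = @("android", "iOS", "macOS")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # compliance as reported by the third-party compliance partner
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant control and state are the intended ones.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -contains "compliantDevice" -and
    $check.State -eq "enabledForReportingButNotEnforced") {
    Write-Output "Policy '$($check.DisplayName)' created in report-only mode (id $($check.Id))."
} else {
    Write-Warning "Policy did not come back with the expected grant control or state; review it before enabling."
}
```

Once the report-only sign-in logs show that enrolled pilot devices are evaluated as compliant and only unregistered or non-compliant devices would be blocked, switch the policy to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Keeping the emergency access account excluded avoids a lockout if the compliance partner connection stops reporting.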