O365 Conditional access integration sync

Mark
Zetes B.V. (Netherlands)

Does anyone know what happens if you bind MobiControl to Azure/Intune for the Microsoft Office 365 integration and you press the sync button when everything is properly configured?

Are all devices synced to Intune? Or can you filter a certain group in MobiControl to sync to Intune?

We want to exclude MFA for an Office app on MobiControl-managed Android devices. But as long as the devices are not known in Intune we cannot use this as a filter.

Also there are a lot of MobiControl devices which don't need Office apps and we don't want them to be managed in both MobiControl and Intune.

2 years ago
SOTI MobiControl
ANSWERS
Simon Breuer
2 years ago

Hi Mark,

the devices aren't synced automatically to Azure. They have to be registered first by the end user.

After successfully registering the devices in Azure, the compliance status of the device is being synced by MobiControl, if there is a Compliance Policy assigned to the (group of) devices.

The Compliance Policy must contain the action "Set Azure Conditional Access".

Based on this compliance status, you can design Conditional Access rules in Azure.


Summary:

- Create the connection to Microsoft Azure as described in SOTI documentation.

- Create a Compliance Policy in MobiControl. Design it as you want by setting the non-compliant criteria. Set the Action to "Set Azure Conditional Access". Assign this policy to all devices you want to grant special rights via Conditional Access based on their compliance status.

- From now on you will see error messages in the device logs, because MobiControl cannot set the compliance status in Azure AD for these devices. They are not registered to Azure yet.

- Install MS authenticator on the devices

- If you follow the SOTI documentation and you create a CA policy as described here (https://soti.net/mc/help/v15.6/en/console/system/microsoft_365_integration/create_device_based_conditional_access_policy.html), you may run into a problem: 
All devices now accessing the configured Office apps, will automatically be asked for Azure registration. But this is not what you want. You only want the MobiControl devices to be Azure registered, but not the other devices, which will later require MFA for your apps.

- So leave out the above mentioned part of SOTI documentation

- The users will have to register themselves in Azure by opening the following URL: https://[Your_DS_FQDN]/M365-registration/

- On iOS devices you may configure a web clip for the users. Otherwise they will have to call the URL by themselves in a web browser on their device.

- The users now must follow the registration process shown on the device by authenticating themselves to Azure. After completion, the device is visible in Azure. The compliance status can now be synced by MobiControl.

- Based on this status you can now create your CA policies for your MFA. (Device compliant = no MFA, Device not compliant/not registered: MFA)

Mark
2 years ago

The SOTI-managed Zebra scanners (Android) are connecting to a cloud application with an internet browser which uses an Azure enterprise application for Single Sign-On (SSO). Because we use a Conditional Access rule that triggers MFA for all cloud apps, users are presented with an MFA request. (Grant: Require MFA for all users when Browser and Modern Auth Clients)

We want to prevent this only on the SOTI-managed Zebra devices, not for the complete SSO when it is used from Windows. We don't want to exclude the cloud app from this Conditional Access policy.


We tried to configure a filter for devices in combination with the AppId of the SSO application.

Filter for devices condition added -> Exclude filtered devices --> device.mdmAppId -eq "{appID number}" -and device.operatingSystem -startsWith "Android"

Filter for devices as a condition in Conditional Access policy - Microsoft Entra | Microsoft Learn or Using filters for devices as condition in Conditional Access policies – All about Microsoft Intune (petervanderwoude.nl)

This device filter is not working because the Zebra devices are not known in Azure, so Azure cannot see the property for OS Android.

We want to achieve this by creating the third-party connection between Intune and SOTI without disrupting the devices.

It is not the goal to manage these SOTI-managed Zebra devices in Azure.

Is this method the right way? https://www.soti.net/mc/help/v15.5/en/console/system/microsoft_365_integration/ms_365_integration.html
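To make the difference between the two approaches in this thread concrete (the OS-based device filter from the post above, and the compliance-based Conditional Access rule from the first answer), here is a small added Python model of how a "filter for devices" rule is evaluated against device records. It is not code from SOTI or Microsoft. The device records and the app ID are constructed placeholders; the evaluator assumes, as the thread states, that a device not registered in Azure has no attributes at all, so positive operators (`-eq`, `-startsWith`, `-contains`) never match it. String matching is exact-case and the rule grammar supports only `-and`/`-or` without parentheses. The second rule combines Simon's "compliant = no MFA" idea with the Android restriction Mark asked for, which goes slightly beyond what either post spells out.

```python
import re

# Constructed device records for the example, not real tenant data.
# Assumption (as the thread states): a device that has not been registered in
# Azure has no device object, so it carries no attributes at all.
CONSTRUCTED_INTUNE_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder for "{appID number}"
DEVICES = {
    "zebra-unregistered": {},
    "zebra-registered-compliant": {"operatingSystem": "Android",
                                   "mdmAppId": CONSTRUCTED_INTUNE_APP_ID,
                                   "isCompliant": True},
    "zebra-registered-noncompliant": {"operatingSystem": "Android",
                                      "mdmAppId": CONSTRUCTED_INTUNE_APP_ID,
                                      "isCompliant": False},
    "windows-laptop": {"operatingSystem": "Windows",
                       "mdmAppId": CONSTRUCTED_INTUNE_APP_ID,
                       "isCompliant": True},
}

# One comparison: device.<property> <operator> <"string" | True | False>
COND = re.compile(r'device\.(\w+)\s+(-eq|-startsWith|-contains)\s+("[^"]*"|True|False)')


def parse_condition(text):
    m = COND.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    prop, op, raw = m.groups()
    value = raw[1:-1] if raw.startswith('"') else (raw == "True")
    return prop, op, value


def parse_rule(rule):
    """Split a rule on -and / -or (evaluated left to right, no parentheses)."""
    parts = re.split(r"\s+-(and|or)\s+", rule.strip())
    return [parse_condition(p) for p in parts[0::2]], parts[1::2]


def compare(actual, op, expected):
    # Assumption: an attribute the device does not have matches nothing for
    # these positive operators, which is what the thread observed for the
    # unregistered Zebra devices. String matching is exact-case here.
    if actual is None:
        return False
    if op == "-eq":
        return actual == expected
    if op == "-startsWith":
        return isinstance(actual, str) and actual.startswith(expected)
    return isinstance(actual, str) and expected in actual  # -contains


def rule_matches(rule, device):
    conditions, joiners = parse_rule(rule)
    prop, op, value = conditions[0]
    result = compare(device.get(prop), op, value)
    for joiner, (prop, op, value) in zip(joiners, conditions[1:]):
        rhs = compare(device.get(prop), op, value)
        result = (result and rhs) if joiner == "and" else (result or rhs)
    return result


def mfa_required(policy, device):
    """Policy = 'require MFA for all cloud apps' plus a device filter in
    'exclude' or 'include' mode. Returns True when the MFA grant applies."""
    hit = rule_matches(policy["rule"], device)
    return not hit if policy["filter_mode"] == "exclude" else hit


# The filter from the post above: only devices Azure already knows can match.
OS_FILTER_POLICY = {
    "filter_mode": "exclude",
    "rule": f'device.mdmAppId -eq "{CONSTRUCTED_INTUNE_APP_ID}" '
            '-and device.operatingSystem -startsWith "Android"',
}
# Compliance-based approach from the first answer, limited to Android so that
# Windows SSO users keep MFA (the combination is this example's assumption).
COMPLIANCE_POLICY = {
    "filter_mode": "exclude",
    "rule": 'device.isCompliant -eq True -and device.operatingSystem -startsWith "Android"',
}


def evaluate(policy):
    """Map every constructed device to whether MFA would be required."""
    return {name: mfa_required(policy, dev) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for label, policy in (("OS filter", OS_FILTER_POLICY), ("compliance filter", COMPLIANCE_POLICY)):
        print(label, evaluate(policy))
```

Running it shows the thread's problem directly: under the OS filter the unregistered Zebra device is never excluded and still gets MFA, while under the compliance filter only a registered, compliant Android device skips MFA and a non-compliant or unregistered one does not.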

Simon Breuer
2 years ago

Hey Mark,

the devices are still managed in SOTI by following my first answer.

The devices ALSO must be known by Azure.

The 3rd party connection offered by SOTI does NOT sync devices. It only syncs the compliance status.

Therefore you MUST register the devices in Azure as well by the mechanics described above.

Once the devices are registered in both MobiControl and Azure, the M365 connection between MobiControl and Azure is able to synchronize the compliance status.

Based on this status you can decide, whether SSO/MFA is needed or not.

Mark
2 years ago

Ok, thanks. This is really helpful.

If we set up the connection we could test with only one device (add it in Azure/Intune, and make a policy in MobiControl). The customer in this case has a big install base in MobiControl and we don't want all devices to be 'synced'.

But 'sync' is only the compliance status from the devices known in Azure/Intune with the right policy in MobiControl.

So we could give it a try.

Mark
2 years ago

One question still remains.

Is there a possibility to mass enroll devices to Azure/intune? You were saying:

- The users will have to register themselves in Azure by opening the following URL: https://[Your_DS_FQDN]/M365-registration/

But mostly we are talking about shared devices (warehousing). So we are not working user based but device based, where IT has full control over the device (work managed with lock screen).
Only for some apps can the user log in with his own credentials.

Is there any way we could mass enroll the devices of a certain MobiControl group to Azure/Intune?

MPMOD@SOTI
2 years ago

Hi Mark,

Thank you for posting on SOTI Pulse! 

Did any of the suggestions help you with your query? To answer your question, if these are Android devices you are working with, then there are no mass enrollment methods.

Kind regards,


Mark
2 years ago

Hi Simon,

I added one question on my own comment, any idea on that? 

Thanks in advance,

Mark
