Since there is absolutely no documentation on this, I thought I’d share this with everyone.
- Log into Azure AD and create a group and add a user
- Enterprise Applications – New Application
- Search for and add MobiControl
- Go to the MobiControl application – Users and Groups
- Add the group you just created
- Go back to the Azure portal – App registrations
- Select MobiControl – if you can’t find it, check under «All applications»
- Certificate & Secrets
- New client secret
- Copy «Value» - this is the client secret and will only be shown once
- API permissions – add the following – note the difference between Application and Delegated:
  - ReadWrite.All > Application
  - Directory.ReadWrite.All > Application
  - Directory.Read.All > Application
  - Group.Read.All > Delegated
  - User.Read.All > Delegated
  - Directory.ReadWrite.All > Delegated
  - ReadWrite.All > Application
- Click on «Grant admin consent for…»
- Go to MobiControl – Global Settings – Services – Directory
- Select + on Azure Directories
  - Name – can be anything
  - Microsoft Graph API Address – https://graph.microsoft.com
- Select + on Azure Tenant ID
  - Name – can be anything
  - Azure Tenant Name – this is the primary domain you see in the Azure AD Overview
  - Azure Tenant ID – the Tenant ID shown in the Azure AD Overview
  - Metadata Endpoint Address – you’ll find this under App Registrations – Endpoints – Federation metadata document
- Select + on Application Name
  - Application name – can be anything
  - Client ID – you’ll find this under Enterprise Applications – MobiControl – Application ID
  - Client secret – the client secret value you copied in step 9 a
- Save
To test, do the following:
- In MobiControl – Users and Permissions – Groups – +
- Search for the group you added earlier – if you find it, it works
- Search for additional groups in Azure to verify connection
Troubleshooting:
To troubleshoot, check MS log and search for the Client ID. There will most likely be an understandable error message.
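As an added example (not from the original post or from SOTI), this Python script checks the app registration the way MobiControl will use it: it requests a client-credentials token with the Tenant ID, Client ID and client secret from the steps above and confirms that the Application permissions you granted admin consent for appear in the token's `roles` claim. Delegated permissions never appear in a client-credentials token, so an empty `roles` claim almost always means the «Grant admin consent for…» step was skipped. The two fully named Application permissions from the list, the `make_unsigned_token` helper and the sample claims are assumptions constructed for this example.

```python
"""Pre-flight check of the Azure AD app registration MobiControl will use (added example)."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Application permissions from the post that admin consent must cover. A client-credentials
# token lists granted Application permissions in its "roles" claim; Delegated ones never appear.
REQUIRED_APP_ROLES = {"Directory.ReadWrite.All", "Directory.Read.All"}


def token_url(tenant_id: str) -> str:
    """OAuth2 token endpoint for the tenant (the Tenant ID from the Azure AD Overview)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (we only inspect our own token)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(token: str) -> set:
    """Return the required Application permissions that are absent from the token."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return REQUIRED_APP_ROLES - granted


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: build an unsigned JWT so the check can be exercised offline."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none"})
    return f"{header}.{b64(claims)}."


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials request for Microsoft Graph, the same flow MobiControl relies on."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(token_url(tenant_id), body) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # usage: python check_app.py <tenant id> <client id> <client secret>
    missing = missing_app_roles(fetch_token(*sys.argv[1:4]))
    print("OK: admin consent covers all Application permissions" if not missing
          else f"Missing (grant admin consent?): {sorted(missing)}")
```

A wrong client secret or Tenant ID makes `urlopen` raise an `HTTPError` whose response body carries the AADSTS error code, which is the same detail you would otherwise dig out of the MS log.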