Integrate SOTI MobiControl with Microsoft Intune and Configure Compliance Partner

Before you begin

You must have administrative access to Microsoft Intune and SOTI MobiControl.

About this task

This integration enables SOTI MobiControl to function as a compliance data provider for Microsoft Intune. Microsoft Entra ID (formerly Azure AD) can then evaluate device compliance data from SOTI MobiControl to enforce Conditional Access policies.

You can complete the integration using either an automatic method through the SOTI MobiControl console or a manual process through the Microsoft Intune Admin Center.

Method One: Automatic Setup

About this task

For SOTI MobiControl 2024.1.0 and later, this method initiates and completes the integration from the SOTI MobiControl console, so you do not need to switch to the Intune admin center. It uses the console's built-in Microsoft 365 Services panel to establish the connection and automatically adds SOTI MobiControl as a compliance partner in Microsoft Intune.
Note: When upgrading to SOTI MobiControl 2024.1.1 or later, you may be asked to consent to new permissions.

Procedure

  1. On the SOTI MobiControl web console, navigate to Global Settings > Services > Microsoft Integration.
  2. In the Conditional Access section, select Add Credentials.
  3. Enter a name and your Microsoft Entra tenant ID.
    Tip: To find your Tenant ID, go to Home > Microsoft Entra > Overview in the Azure portal.
  4. Select Save, then select Continue to sign in with your Microsoft account, review the requested permissions, and grant them.
    Note: The following table lists the permissions required for Intune and Microsoft Graph. All of them except User.Read are application permissions: they apply to the whole tenant regardless of which user is signed in, and granting them requires an administrator's consent.
    Permission                                                | Details
    Intune: manage_partner_compliance_policy                  | Lets the Intune partner service manage partner compliance policies in Microsoft Intune. Required for all third-party MDM compliance partner apps.
    Intune: update_device_attributes                          | Lets the Intune partner service update device attributes in Microsoft Intune. Required for all third-party MDM compliance partner apps.
    Microsoft Graph: Application.Read.All                     | Required to call the Service Endpoint Discovery API. Required for all third-party MDM compliance partner apps.
    Microsoft Graph: DeviceManagementServiceConfig.ReadWrite.All | Creates the SOTI MobiControl compliance partner in Microsoft Intune automatically, so you do not have to add it by hand.
    Microsoft Graph: Group.Read.All                           | Lets SOTI MobiControl validate a Microsoft Entra ID user's Single Sign-On (SSO) login.
    Microsoft Graph: User.Read.All                            | Lets SOTI MobiControl validate a Microsoft Entra ID user's Single Sign-On (SSO) login.
    Microsoft Graph: User.Read (Delegated)                    | Added by Microsoft by default when the SOTI MobiControl Device Compliance app is registered. Ensures an ID token is returned on sign-in.
    Microsoft Graph: Device.ReadWrite.All                     | Lets administrators enforce Microsoft Conditional Access for Windows Modern (Entra ID Join) enrolled devices by setting the device's compliance status in the Entra ID portal.
  5. Optional: Remove the Device.ReadWrite.All permission from Microsoft Entra ID

    Device.ReadWrite.All grants write access to every device object in the tenant, so keep it only if you need it. If you manage only Android or Apple devices and do not need Windows Modern Conditional Access, remove the Device.ReadWrite.All permission in the Microsoft Entra ID portal:

    1. Open the Microsoft Entra ID portal.
    2. Select Enterprise Applications.
    3. Select SOTI MobiControl Device Compliance.
    4. Select Security, then select Permissions.
    5. Find the Device.ReadWrite.All permission.
    6. Select the three-dot menu next to the permission, then select Remove.
    7. In SOTI MobiControl, go to Global Settings > Services > Microsoft Integration and select SYNC.
    8. If a CONSENT button appears in the Conditional Access section, select it to re-authorize the remaining permissions.
      Note: Removing this permission does not affect existing iOS, macOS, or Android SOTI MobiControl Microsoft integrations.
  6. Select the link to return to SOTI MobiControl.
    A Successfully Connected to SOTI MobiControl confirmation message appears.
  7. Select SYNC.
    The Account Status changes to Active, and SOTI MobiControl is automatically added in the Microsoft Intune third-party compliance partner management portal.
    Attention: Syncing with Microsoft Intune (formerly Microsoft Endpoint Manager) never overwrites other third-party compliance partners. To make SOTI MobiControl the compliance partner for a platform that already has one, you must first remove the existing third-party compliance partner for that platform in the Microsoft Intune admin center.

    If some platforms have no compliance partner while others (for example, Android) already have one, selecting SYNC assigns SOTI MobiControl to the unassigned platforms only. If every platform already has a third-party compliance partner, SYNC fails, because SOTI MobiControl cannot override existing assignments.
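After completing the procedure above, you can confirm from the Entra side which application permissions the SOTI MobiControl Device Compliance enterprise app actually holds, and whether Device.ReadWrite.All is still granted when you only manage Android or Apple devices (step 5). The following PowerShell script is an added example, not SOTI's or Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK is installed, that the enterprise application still carries its default display name, and that the signed-in admin has the delegated Application.Read.All scope, which is enough to read service principals and their app role assignments.

```powershell
# Added example (not part of the SOTI documentation). Lists the application
# permissions granted to the SOTI MobiControl Device Compliance enterprise app
# and compares them with the permissions this page documents.
# Prerequisite (once): Install-Module Microsoft.Graph -Scope CurrentUser

# Default display name of the app under Enterprise Applications (assumption: unchanged).
$AppDisplayName = 'SOTI MobiControl Device Compliance'

# Application permissions listed in the table above. User.Read is delegated and
# therefore does not appear among app role assignments, so it is not listed here.
$ExpectedPermissions = @(
    'manage_partner_compliance_policy', 'update_device_attributes',          # Intune
    'Application.Read.All', 'DeviceManagementServiceConfig.ReadWrite.All',   # Microsoft Graph
    'Group.Read.All', 'User.Read.All', 'Device.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "Enterprise application '$AppDisplayName' was not found in this tenant." }
if ($sp.Count -gt 1) { throw "More than one service principal is named '$AppDisplayName'; filter by appId instead." }
$sp = $sp[0]

# appRoleAssignments are the granted *application* permissions. Delegated grants
# (such as User.Read) are stored separately as oauth2PermissionGrants.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

# Each assignment references the resource API (Graph, Intune) by service principal
# id and the permission by appRoleId; resolve the id to a permission name through
# the resource's own appRoles list. Cache resources so each is fetched once.
$resourceCache = @{}
$granted = foreach ($a in $assignments) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        Description = $role.DisplayName
    }
}

"Application permissions granted to '$AppDisplayName':"
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize

$grantedValues = @($granted | ForEach-Object { $_.Permission })
$missing = $ExpectedPermissions | Where-Object { $_ -notin $grantedValues }
$extra   = $grantedValues       | Where-Object { $_ -notin $ExpectedPermissions }

if ($missing) { Write-Warning ("Documented permissions not granted (the integration may fail to sync): " + ($missing -join ', ')) }
if ($extra)   { Write-Warning ("Permissions granted beyond the documented list (review them): " + ($extra -join ', ')) }

# Least-privilege check from step 5: Device.ReadWrite.All is only needed for
# Conditional Access on Windows Modern (Entra ID Join) enrolled devices.
if ('Device.ReadWrite.All' -in $grantedValues) {
    Write-Warning 'Device.ReadWrite.All is granted. If you manage only Android, iOS or macOS devices, remove it (step 5) and select SYNC again.'
} else {
    'Device.ReadWrite.All is not granted; Windows Modern Conditional Access will not be enforced.'
}
```

Run the script before and after step 5 to confirm that the removal took effect; if the CONSENT button later re-adds permissions, the "beyond the documented list" warning will tell you whether anything outside the table was granted.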

Method Two: Manual Microsoft Intune Compliance Partner Configuration

About this task

Use this method when the automatic setup is not available (for example, on SOTI MobiControl versions earlier than 2024.1.0) or when you must initiate the integration from the Intune side.

Procedure

  1. Sign in to the Microsoft Intune admin center (https://endpoint.microsoft.com/#home, which now redirects to https://intune.microsoft.com) as an administrator.
  2. Navigate to Tenant administration > Connectors and tokens > Partner compliance management.
  3. Select Add compliance partner. On the Basics tab, select SOTI MobiControl from the Compliance partner list.
  4. Select your platform from the Platform list (for example, Android), then select Next.
  5. Under Assignments, configure the included and excluded groups that contain your single sign-on users.
  6. Select Next and verify that all settings are configured correctly.
  7. Select Create to complete the configuration.
    Note: The Partner status displays as Terminated until you create a connection from SOTI MobiControl to the Microsoft Entra tenant. See the status table below.
    Status                                          | Description
    Terminated, Pending activation, Connection Lost | SOTI MobiControl is disconnected.
    Active                                          | SOTI MobiControl is connected successfully.
  8. Return to the Microsoft Integration section in SOTI MobiControl (Global Settings > Services > Microsoft Integration) and select SYNC. The Account Status changes to Active, and SOTI MobiControl's details are populated automatically in the Microsoft Intune third-party compliance partner management portal.
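Whichever method you used, the partner record in Intune is the source of truth for whether the connection is up and which platforms SOTI MobiControl owns. The following PowerShell script is an added example, not SOTI's or Microsoft's code: it reads the compliance partner records through the Microsoft Graph beta endpoint, maps each partner's state to the status table above, and flags platforms that are already onboarded to another partner, which is the situation that makes SYNC fail. It assumes the Microsoft.Graph PowerShell SDK, the delegated DeviceManagementServiceConfig.Read.All scope, and the property names of the beta complianceManagementPartner resource (beta endpoints can change without notice). The partner display name prefix "SOTI" used to tell SOTI MobiControl apart from other partners is an assumption.

```powershell
# Added example (not part of the SOTI documentation). Reports the state of every
# compliance partner configured in Intune and which platforms each one owns.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

# Beta endpoint; property names (partnerState, lastHeartbeatDateTime,
# <platform>Onboarded) follow the complianceManagementPartner beta schema.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/complianceManagementPartners'
$records = @()
do {
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
    $records += $resp.value
    $uri = $resp.'@odata.nextLink'                         # follow paging, if any
} while ($uri)

# Platform flags exposed by the beta schema: androidOnboarded, iosOnboarded, ...
$platforms = @('android', 'ios', 'macOs', 'windows')

# Prefix used to recognise the SOTI MobiControl partner record (assumption).
$SotiPrefix = 'SOTI*'

$report = foreach ($p in $records) {
    $onboarded = $platforms | Where-Object { $p["${_}Onboarded"] -eq $true }
    # Only 'enabled' corresponds to Active in the status table; every other
    # state (terminated, unavailable, unresponsive, rejected, unknown) means
    # SOTI MobiControl is disconnected from Intune's point of view.
    $consoleStatus = if ($p.partnerState -eq 'enabled') { 'Active' } else { 'Disconnected' }
    [pscustomobject]@{
        Partner       = $p.displayName
        PartnerState  = $p.partnerState
        ConsoleStatus = $consoleStatus
        LastHeartbeat = $p.lastHeartbeatDateTime
        Platforms     = ($onboarded -join ', ')
    }
}

'Compliance partners configured in this Intune tenant:'
$report | Format-Table -AutoSize

# SYNC cannot take a platform away from another partner. List the platforms that
# are already onboarded to a partner other than SOTI MobiControl so they can be
# removed under Tenant administration > Connectors and tokens > Partner compliance management.
$claimedByOthers = foreach ($p in $records) {
    if ($p.displayName -notlike $SotiPrefix) {
        foreach ($plat in $platforms) {
            if ($p["${plat}Onboarded"] -eq $true) { "$plat is assigned to '$($p.displayName)'" }
        }
    }
}
if ($claimedByOthers) {
    Write-Warning ("SYNC will not assign these platforms until the existing partner is removed:`n  " + ($claimedByOthers -join "`n  "))
}

$soti = $records | Where-Object { $_.displayName -like $SotiPrefix }
if (-not $soti) {
    Write-Warning 'No SOTI MobiControl partner record found. Complete the automatic setup or Method Two, then select SYNC.'
} elseif (($soti | Where-Object { $_.partnerState -ne 'enabled' })) {
    Write-Warning 'The SOTI MobiControl partner is not enabled. Check the Account Status under Global Settings > Services > Microsoft Integration and select SYNC.'
}
```

A partner that shows `enabled` but has a stale LastHeartbeat is worth investigating before relying on it for Conditional Access, since Entra ID evaluates only the compliance data the partner last reported.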

What to do next

Add an Azure directory to set up single sign-on (SSO) for shared devices using Microsoft Authenticator.