Import and synchronise TinyMDM contacts with Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) has established itself as the primary identity provider for enterprises, typically used to sign in to O365 and many other SaaS (cloud) applications. Its integration with TinyMDM lets administrators import contacts, as well as users, from their Azure account.

Log in to your Microsoft Azure account and click on Microsoft Entra ID.

Go to the App registrations menu on the left, then click on New registration.

Name the application TinyMDM. In Supported account types, choose Accounts in this organizational directory only (tinymdm only – Single tenant). Click on Register.

You will now see, in the Enterprise applications menu, the TinyMDM application you have just created. If you click on it, you’ll see an Application (client) ID and a Directory (tenant) ID: note both IDs, as the TinyMDM console will ask for them later.

Now go to the API permissions menu on the left, then click on Add a permission.

In the popup window, click on Microsoft Graph.

Choose the Application permissions option, then type group in the search field, and check the GroupMember.Read.All box.

Repeat the operation, this time typing user.read and checking the User.Read.All box, then click on the Add authorizations button.

You now have 2 authorizations for Microsoft Graph: GroupMember.Read.All and User.Read.All. Click on Grant admin consent and confirm consent for both (application permissions act without a signed-in user, so an administrator must consent on the tenant’s behalf).

Second step: create a client secret. In the Certificates & Secrets menu on the left, click on New client secret. Enter a description (e.g. “Secret TinyMDM”) and an expiration date, then click on Add.

Here you can see the value and the identifier of your secret. Note the value of the secret (it is displayed only at creation time), as the TinyMDM administration console will request it later.

Third and last step: create the group that will be synchronized with TinyMDM and add members to it.

To do this, return to the Microsoft Entra ID Overview, go to the All groups tab and click on New group. Choose the Security group type, name it TinyMDM Contacts, and describe it as “Contacts importable into TinyMDM” (for example). Click on Create.

You’ll now see the “TinyMDM Contacts” group created, with an Object ID. Please make a note of this ID, because you’ll be asked for it later in the TinyMDM administration console.

Now you need to add members to this group: those you wish to import into the TinyMDM administration console. To do this, click on the TinyMDM Contacts group you’ve created (where you’ll see that no members have been found), then go to the Members tab on the left and click on Add members.

Log in to your TinyMDM administration console, go to the Shared contacts tab and click on the Import from Microsoft Azure (Synchronisation Microsoft Azure) button.

Fill in the required fields in the popup window:

  • Client ID: this is the Application (client) ID of the TinyMDM application you created in Azure AD in the “Register an application” step.
  • Client secret: this is the value of the secret you created in Azure AD in the “New client secret” step (note: the value, not the secret ID).
  • Group ID: this is the Object ID of the “TinyMDM Contacts” group (level 0) you created in Azure AD in the “New group” step.
  • Tenant ID: this is the Directory (tenant) ID shown in the “Overview” tab of your Azure AD account.
  • Scope: https://graph.microsoft.com/.default

Within seconds, the imported members appear in the Shared contacts tab of the TinyMDM console.

If you need to resynchronize your Microsoft Entra ID contacts, click the “Import from Microsoft Azure” button again. Contacts who are no longer members of the imported “TinyMDM Contacts” group (level 0) appear as Azure ID: deleted in TinyMDM. You can find them easily in the console via the advanced contacts search, by checking the Only contacts with deleted Azure ID box.
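As an added example (not TinyMDM’s own code), the following Python sketches what the fields above feed and what a resync does: the client-credentials token request to Entra ID, the Microsoft Graph call for the group’s direct (level 0) members, and the flagging of members who have since left the group. The endpoint paths are Microsoft Graph’s public v1.0 API; the ids, names and sample response pages are constructed.

```python
"""Added example, not TinyMDM's code: the Graph client-credentials exchange this
guide configures and the group-member sync behind the Import button, as pure
functions that can be checked offline. Ids and names below are constructed."""
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # the Scope field in the console


def token_request(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials POST built from the Tenant ID, Client ID and secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret VALUE, not its secret ID
        "scope": GRAPH_SCOPE,
    })
    return url, body


def members_url(group_id):
    """Direct members only (level 0): /members, not /transitiveMembers."""
    return f"https://graph.microsoft.com/v1.0/groups/{group_id}/members?$select=id,displayName,mail"


def parse_members(pages):
    """Flatten paged Graph responses into {object id: contact}, keeping only user objects
    (a nested group is not a contact; pages reached via @odata.nextLink are appended)."""
    contacts = {}
    for page in pages:
        for m in page.get("value", []):
            if m.get("@odata.type") == "#microsoft.graph.user":
                contacts[m["id"]] = {"name": m.get("displayName"), "mail": m.get("mail")}
    return contacts


def resync(previous, current):
    """Re-import: members no longer in the group stay but are flagged 'Azure ID: deleted'."""
    merged = {oid: {**c, "azure_deleted": False} for oid, c in current.items()}
    for oid, c in previous.items():
        if oid not in current:
            merged[oid] = {**c, "azure_deleted": True}
    return merged


# Constructed sample: two result pages shaped like Graph's (placeholder ids and skiptoken).
SAMPLE_PAGES = [
    {"value": [{"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Ada", "mail": "ada@example.com"}],
     "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups/G/members?$skiptoken=PLACEHOLDER"},
    {"value": [{"@odata.type": "#microsoft.graph.user", "id": "u-2", "displayName": "Bob", "mail": "bob@example.com"},
               {"@odata.type": "#microsoft.graph.group", "id": "g-nested", "displayName": "Nested group"}]},
]
```

A real client would POST `body` to `url`, then GET `members_url(...)` with the returned bearer token and follow `@odata.nextLink` until it is absent; only the two read permissions granted above are needed for that.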