Azure has established itself as a primary means of identity management for enterprises, with Microsoft Entra ID (formerly Azure AD) typically used to sign in to O365 and many other SaaS (cloud) applications. Microsoft Entra ID's integration with TinyMDM enables administrators to import users from their Azure account into the TinyMDM console.
A. How to register the TinyMDM application with your Microsoft Entra ID account?
Log in to your Microsoft Azure account and click on Microsoft Entra ID.
Go to the App registrations menu on the left, then click on New registration.
Name the application TinyMDM. In Supported account types, choose Accounts in this organizational directory only (tinymdm only – Single tenant). Click on Register.
You will now see, in the Enterprise applications menu, the TinyMDM application you have just created. If you click on it, you’ll see an application ID (client) and a directory ID (tenant): please note these IDs, which you’ll be asked for later in the TinyMDM console.
Now go to the API permissions menu on the left, then click on Add a permission.
In the popup window, click on Microsoft Graph.
Choose the Application permissions option, then type group in the search field and check the GroupMember.Read.All box.
Repeat the operation, typing user.read and checking the User.Read.All box, then click on the Add permissions button.
You now have 2 permissions for Microsoft Graph: GroupMember.Read.All and User.Read.All. Click on Grant admin consent and grant consent to both.
Second step: create a client secret. In the left-hand Certificates & secrets menu, click on New client secret. Enter a description (e.g. "Secret TinyMDM") and an expiration date, then click on Add.
Here you can see the value and the identifier (secret ID) of your secret. Note the value of the secret, which will be requested later in the TinyMDM administration console; it is shown only once, so copy it now.
Third and last step: create the group that will be synchronized with TinyMDM and add members to it.
To do this, return to the Microsoft Entra ID Overview, go to the All groups tab and click on New group. Choose the Security group type, name it TinyMDM, and describe it as “Users importable into TinyMDM” (for example). Click on Create.
You’ll now see the “TinyMDM” group created, with an Object ID. Please make a note of this ID, because you’ll be asked for it later in the TinyMDM administration console.
Now you need to add members to this group: those you wish to import into the TinyMDM administration console. To do this, click on the TinyMDM group you’ve created (where you’ll see that no members have been found), then go to the Members tab on the left and click on Add members.
Note: this "TinyMDM" group corresponds to level 0 and is not itself imported into the administration console. At level 0 you can add members that are either users or groups. If you add a group, for example the "Management" group, which itself has 2 users, these two users will be imported into the TinyMDM administration console as belonging to a group called "Management". On the other hand, groups nested inside a level-1 group are not imported and are ignored, since TinyMDM supports only one level of group and no sub-groups.
In our example, we’re going to add to the “TinyMDM” group (to be imported into the TinyMDM administration console), the single users “Tom Smith” and “John Doe” (who are therefore at level 1), as well as the “Management” group (also at level 1) which itself has two members, “Jane Doe” and “Richard Roe” (who are therefore at level 2). If the “Management” group had sub-groups, such as DG, Administration etc., these would be ignored when importing into the TinyMDM administration console, since they would correspond to a level 3, not supported by TinyMDM.
B. How do I synchronize Microsoft Entra ID (formerly Azure AD) users in TinyMDM?
Log in to your TinyMDM administration console, go to the Users and Groups tab and click on the Synchronisation Microsoft Azure button.
Fill in the required fields in the popup window:
- Client ID: this is the application ID (client) of the TinyMDM application you created in Azure AD in the “Register an application” step.
- Client secret: this is the value of the secret you created in Azure AD in the "New client secret" step (note: the secret value, not the secret ID).
- Group ID: this is the object ID of the “TinyMDM” group (level 0) you created in Azure AD in the “New group” step.
- Tenant ID: this is the directory (tenant) ID you can find in the "Overview" tab of your Azure AD account.
- Scope: https://graph.microsoft.com/.default
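The five fields above are exactly the inputs of an OAuth 2.0 client-credentials token request against Microsoft Entra ID, followed by a Microsoft Graph call that lists the members of the level-0 group. The following added example (it is not TinyMDM's or Microsoft's code) shows where each field goes: the Tenant ID in the token endpoint URL, the Client ID, the secret value and the Scope in the form body, and the Group ID in the Graph members URL. The tenant, client and group values are constructed placeholders, and the network-fetching function is shown for completeness but not exercised by the checks.

```python
"""Added example: client-credentials token request and Graph members call
built from the TinyMDM synchronisation fields. Not TinyMDM's code."""
import json
import urllib.parse
import urllib.request

# Real Microsoft endpoints; the values passed in below are placeholders.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_MEMBERS_ENDPOINT = "https://graph.microsoft.com/v1.0/groups/{group}/members"


def build_token_request(tenant_id, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default"):
    """Return (url, form_body) for the client-credentials grant.

    The tenant ID selects the token endpoint; the client ID, the secret
    *value* (not the secret's ID) and the scope go into the POST body.
    With the .default scope the token carries the application permissions
    that were admin-consented on the app registration (GroupMember.Read.All
    and User.Read.All).
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def parse_token_response(response_text):
    """Extract the bearer token, raising on an Entra ID error payload."""
    data = json.loads(response_text)
    if "error" in data:
        # Typical causes: wrong secret value, expired secret, wrong tenant.
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def build_members_url(group_id):
    """URL listing the direct members (users and groups) of the level-0 group.

    Both user and group objects carry id, displayName and mail, so the
    $select works for the mixed member list.
    """
    params = urllib.parse.urlencode({"$select": "id,displayName,mail"})
    return GRAPH_MEMBERS_ENDPOINT.format(group=group_id) + "?" + params


def fetch_members(access_token, group_id):
    """Fetch all members, following @odata.nextLink paging. Needs network."""
    url = build_members_url(group_id)
    members = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.loads(resp.read().decode())
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return members


if __name__ == "__main__":
    # Placeholder identifiers, constructed for the example only.
    url, body = build_token_request("00000000-0000-0000-0000-000000000000",
                                    "11111111-1111-1111-1111-111111111111",
                                    "secret-value-placeholder")
    print(url)
    print(body)
    print(build_members_url("22222222-2222-2222-2222-222222222222"))
```

A secret is sent only in the POST body over TLS to the token endpoint; it never appears in a Graph request, which carries the short-lived bearer token instead, so rotating the secret at its expiry does not affect already-issued tokens.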
Within seconds, imported users and groups appear in the TinyMDM console. Users are created as anonymous users (without email) if no email has been defined in the Azure AD account (note that the user principal name and the email address are separate attributes; only the email attribute is used).
To return to our example, we therefore see Tom Smith and John Doe appear without a group, and users Jane Doe and Richard Roe in the Management group, also created (visible in the “Groups” sub-tab). You can now assign them to TinyMDM policies.
If you need to resynchronize your Microsoft Entra ID users (e.g. if you have new employees or employees who have left your company), you can click the "Synchronisation Microsoft Azure" button again. Users who are no longer part of the "TinyMDM" group to be imported (level 0) will appear as Azure ID: deleted in TinyMDM. You can easily find them in the console via the advanced user search, by checking the Only users with deleted Azure ID box. If a device is enrolled to a user who is no longer synchronized, consider transferring the device to another user.
Warning: in your Microsoft Azure account, if you change a user's group, or move a user who had no group into a group, you must also remove the user from their former position yourself; Azure does not do this automatically.
- Example 1: in your Microsoft Azure account, if you add Richard Roe (from the group Management) to let’s say an HR group, he will belong to both groups (so will still be affiliated to Management in the TinyMDM console in the event of resynchronization). Once Richard Roe has been added to the HR group in Microsoft, you’ll also need to remove him from the Management group via Microsoft, so that he belongs to just one group. Only then will Richard Roe be updated as belonging to the HR group in the TinyMDM administration console when the users are resynchronized in Microsoft Azure.
- Example 2: in your Microsoft Azure account, if you add Tom Smith (without a group) to the group Management, he will be synchronized both as an individual user and as a member of the group Management (so will still be in the no-group state in the TinyMDM console in the event of resynchronization). Once Tom Smith has been added to the group Management in Microsoft, you’ll also need to remove him from the “TinyMDM” group (level 0) as an individual user via Microsoft, so that he’s only synchronized via the group Management. Only then will Tom Smith be updated as belonging to the group Management in the TinyMDM administration console when Microsoft Azure users are resynchronized.
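The import rules in this page (the level-0/1/2 structure, the anonymous-user rule, the "Azure ID: deleted" state on resync, and the double-membership situation in examples 1 and 2) can be checked before clicking the sync button. The following added example is not TinyMDM's code; it simulates those rules on a constructed Microsoft Graph member listing with the users named above plus a nested "DG" group that must be ignored. It flattens the level-0 group into import records, reports which previously imported Azure IDs would be marked deleted, and flags any user that would be synchronized from more than one place.

```python
"""Added example: simulate TinyMDM's documented import rules on a
constructed Graph member listing. Not TinyMDM's code."""
import copy

USER_TYPE = "#microsoft.graph.user"
GROUP_TYPE = "#microsoft.graph.group"

# Constructed directory: level-0 group "TinyMDM" and its nested groups,
# keyed by group ID, each value being the Graph-style member list.
DIRECTORY = {
    "g-tinymdm": [  # level 0 (not imported itself)
        {"@odata.type": USER_TYPE, "id": "u-tom", "displayName": "Tom Smith", "mail": "tom@example.com"},
        {"@odata.type": USER_TYPE, "id": "u-john", "displayName": "John Doe", "mail": None},
        {"@odata.type": GROUP_TYPE, "id": "g-mgmt", "displayName": "Management"},
    ],
    "g-mgmt": [  # level 1 group; its users are level 2
        {"@odata.type": USER_TYPE, "id": "u-jane", "displayName": "Jane Doe", "mail": "jane@example.com"},
        {"@odata.type": USER_TYPE, "id": "u-richard", "displayName": "Richard Roe", "mail": "richard@example.com"},
        {"@odata.type": GROUP_TYPE, "id": "g-dg", "displayName": "DG"},
    ],
    "g-dg": [  # level 3: ignored by the import
        {"@odata.type": USER_TYPE, "id": "u-deep", "displayName": "Level Three", "mail": "deep@example.com"},
    ],
}


def _record(user, group):
    """One import record; a missing mail attribute makes the user anonymous."""
    return {
        "azure_id": user["id"],
        "name": user["displayName"],
        "email": user.get("mail"),
        "anonymous": not user.get("mail"),
        "group": group,
    }


def flatten_level0(directory, level0_id):
    """Return import records for the level-0 group.

    Level-1 users get group None; users of a level-1 group get that group's
    display name; groups nested inside a level-1 group are skipped, since
    TinyMDM supports only one level of group.
    """
    records = []
    for member in directory.get(level0_id, []):
        if member["@odata.type"] == USER_TYPE:
            records.append(_record(member, None))
        elif member["@odata.type"] == GROUP_TYPE:
            for sub in directory.get(member["id"], []):
                if sub["@odata.type"] == USER_TYPE:
                    records.append(_record(sub, member["displayName"]))
                # a nested group here would be level 3: ignored
    return records


def deleted_on_resync(previous_ids, records):
    """Azure IDs imported earlier that are no longer under level 0."""
    current = {r["azure_id"] for r in records}
    return sorted(set(previous_ids) - current)


def multiple_memberships(records):
    """Azure IDs that would be synchronized from more than one place.

    This is the situation of examples 1 and 2: the user was added to a new
    group but not removed from the old one (or from level 0 as an individual).
    """
    seen = {}
    for r in records:
        seen.setdefault(r["azure_id"], []).append(r["group"])
    return {uid: groups for uid, groups in seen.items() if len(groups) > 1}


def with_member_added(directory, group_id, member):
    """Copy of the directory with one member appended (for what-if checks)."""
    new_dir = copy.deepcopy(directory)
    new_dir.setdefault(group_id, []).append(copy.deepcopy(member))
    return new_dir


if __name__ == "__main__":
    for r in flatten_level0(DIRECTORY, "g-tinymdm"):
        print(r)
    # Example 2: Tom added to Management without removing him from level 0.
    changed = with_member_added(DIRECTORY, "g-mgmt", DIRECTORY["g-tinymdm"][0])
    print(multiple_memberships(flatten_level0(changed, "g-tinymdm")))
```

Running `multiple_memberships` on the current directory before each resync gives an empty result when every user sits in exactly one place; any entry it returns is a user whose group change will not be reflected in TinyMDM until the old membership is removed in Entra ID.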