Microsoft Entra ID (formerly Azure AD) is one of the most widely used identity providers for enterprises: it is typically the directory used to sign in to Microsoft 365 and many other SaaS (cloud) applications. TinyMDM's Microsoft Entra ID integration lets administrators import users and groups from their Entra ID tenant into the TinyMDM console.
A) How to register the TinyMDM application with your Microsoft Entra ID account?
Log in to the Azure portal and open Microsoft Entra ID.
Go to the App registrations menu on the left, then click on New registration
Name the application TinyMDM. Under Supported account types, choose Accounts in this organizational directory only (your tenant name only – Single tenant), so that only principals of your own tenant can obtain tokens for this application. Click on Register.
The registration's Overview page now shows an Application (client) ID and a Directory (tenant) ID (the application is also listed under the Enterprise applications menu). Note both IDs: the TinyMDM console will ask for them later.
Now go to the API permissions menu on the left, then click on Add a permission.
In the popup window, click on Microsoft Graph
Choose the Application permissions option (not Delegated: the synchronization runs as the application itself, without a signed-in user), type group in the search field and check the group read permission (Group.Read.All, which covers listing groups and their members), then click on Add permissions.
Repeat the operation, typing user.read and checking the User.Read.All box, then click on Add permissions.
You now have 2 application permissions for Microsoft Graph: Group.Read.All and User.Read.All. Click on Grant admin consent and confirm consent for both. This step requires an administrator allowed to grant tenant-wide consent; until it is done, token requests from the application will not carry these permissions.
Second step, we now need to create a secret. In the left-hand Certificates & secrets menu, click on New client secret. Enter a description (e.g. “Secret TinyMDM”) and an expiration date, then click on Add.
The page now shows the value and the ID of your secret. Copy the value immediately: it is only displayed once, right after creation, and cannot be retrieved afterwards. It is the value (not the secret ID) that the TinyMDM administration console will ask for later. Treat this value like a password: together with the permissions granted above it allows read access to every user and group in the tenant, so store it in a password manager or secret store, and plan to create a new secret and update the TinyMDM console before the expiration date you chose.
Third and last step, we need to create a group that will be synchronized with TinyMDM and add members to it.
To do this, return to the Microsoft Entra ID Overview, open Groups > All groups and click on New group. Choose the Security group type, name it TinyMDM, and give it a description such as “Users importable into TinyMDM”. Click on Create.
You’ll now see the “TinyMDM” group created, with an Object ID. Please make a note of this ID, because you’ll be asked for it later in the TinyMDM administration console.
Now you need to add members to this group: those you wish to import into the TinyMDM administration console. To do this, click on the TinyMDM group you’ve created (where you’ll see that no members have been found), then go to the Members tab on the left and click on Add members.
In our example, we add to the “TinyMDM” group (level 0, the group to be imported into the TinyMDM administration console) the individual users “Tom Smith” and “John Doe” (who are therefore at level 1), as well as the “Management” group (also at level 1), which itself has two members, “Jane Doe” and “Richard Roe” (who are therefore at level 2). If the “Management” group contained sub-groups of its own, such as DG or Administration, their members would be at level 3, which TinyMDM does not support: those sub-groups and their members are ignored during the import. In other words, only users that are direct members of the “TinyMDM” group, or direct members of a group that is itself a direct member of the “TinyMDM” group, are imported.
B) How do I synchronize Microsoft Entra ID (formerly Azure AD) users in TinyMDM?
Log in to your TinyMDM administration console, go to the Users and Groups tab and click on the Azure Cloud Synchronization button.
Fill in the required fields in the popup window:
- Client ID: the Application (client) ID of the TinyMDM application you created in Microsoft Entra ID in the “Register an application” step.
- Client secret: the value of the secret you created in Microsoft Entra ID in the “New client secret” step (the value, not the secret ID).
- Group ID: the Object ID of the “TinyMDM” group (level 0) you created in Microsoft Entra ID in the “New group” step.
- Tenant ID: the Directory (tenant) ID shown on the Overview page of your Microsoft Entra ID tenant (and on the application's Overview page).
- Scope: https://graph.microsoft.com/.default (this requests a Microsoft Graph token carrying the application permissions you granted admin consent for).
Within seconds, the imported users and groups appear in the TinyMDM console. A user is created as an anonymous user (without email) if no email address is defined on the Entra ID account: note that the user principal name (the sign-in name) is not the same thing as the email address, so a user can have a user principal name and still be imported as anonymous.
To return to our example, we therefore see Tom Smith and John Doe appear without a group, and users Jane Doe and Richard Roe in the Management group, also created (visible in the “Groups” sub-tab). You can now assign them to TinyMDM policies.
If you need to resynchronize your Microsoft Entra ID users (e.g. after new employees join or employees leave your company), click the Azure Cloud Synchronization button again. Users who are no longer members of the “TinyMDM” group (level 0) are not deleted from TinyMDM but are marked as Azure ID: deleted. You can find them in the console through the advanced user search by checking the Only users with deleted Azure ID box. If a device is still enrolled under such an obsolete user, consider transferring the device to another user before removing the account.
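To make the nesting rules of section A and the synchronization inputs of section B concrete, here is an added example (not TinyMDM's own code, and not the tool's implementation) that requests a Microsoft Graph token with the same four values the console asks for, walks the “TinyMDM” group through Graph's /groups/{id}/members endpoint, keeps only level 1 and level 2 users, flags users without a mail attribute as anonymous, and diffs the result against a previous import to find the users that would be marked as deleted. The `FAKE` directory at the bottom is constructed to match the page's example (the user IDs, the “DG” sub-group and the “u-left” previous member are invented for the demo); the real Graph functions are included but only the constructed data is used when the script runs stand-alone.

```python
"""Added example: client-credentials token request plus a depth-limited walk
of an Entra ID group, following the level rules described on the page
(level 0 = the TinyMDM group, level 1 = its direct members, level 2 = members
of a level 1 group, level 3 and deeper ignored)."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"  # the Scope value from section B
MAX_LEVEL = 2  # deepest level the page says TinyMDM imports


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request (URL and form body)."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret VALUE, not its ID
        "scope": SCOPE,
    }).encode()
    return url, body


def get_token(tenant_id, client_id, client_secret):
    """Exchange the application credentials for a Graph access token (network)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_fetcher(token):
    """Return fetch(url) -> list of objects, following @odata.nextLink paging."""
    def fetch(url):
        items = []
        while url:
            req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        return items
    return fetch


def collect_users(group_id, fetch, level=1, group_name=None):
    """Flatten a group's members into the users TinyMDM would import.
    Needs the Group.Read.All and User.Read.All application permissions."""
    users = []
    for member in fetch(f"{GRAPH}/groups/{group_id}/members"):
        kind = member.get("@odata.type")
        if kind == "#microsoft.graph.user":
            users.append({
                "id": member["id"],
                "name": member.get("displayName"),
                "mail": member.get("mail"),          # the UPN is not the mail attribute
                "anonymous": not member.get("mail"),  # no mail -> anonymous user
                "group": group_name,                  # None for level 1 users
                "level": level,
            })
        elif kind == "#microsoft.graph.group":
            if level >= MAX_LEVEL:
                continue  # its members would be level 3 or deeper: ignored
            users.extend(collect_users(member["id"], fetch, level + 1,
                                       member.get("displayName")))
    return users


def sync_plan(previous_ids, users):
    """Diff against the last import: ids gone from the level 0 group are the
    users the console would show as 'Azure ID: deleted'."""
    current = {u["id"] for u in users}
    return {"imported": sorted(current), "deleted": sorted(set(previous_ids) - current)}


# Constructed fake directory mirroring the page's example (IDs are invented).
FAKE = {
    "g0": [  # the "TinyMDM" group, level 0
        {"@odata.type": "#microsoft.graph.user", "id": "u-tom", "displayName": "Tom Smith",
         "userPrincipalName": "tom@example.com", "mail": "tom@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-john", "displayName": "John Doe",
         "userPrincipalName": "john@example.com", "mail": None},  # UPN but no mail
        {"@odata.type": "#microsoft.graph.group", "id": "g-mgmt", "displayName": "Management"},
    ],
    "g-mgmt": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-jane", "displayName": "Jane Doe",
         "mail": "jane@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-rich", "displayName": "Richard Roe",
         "mail": "richard@example.com"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-dg", "displayName": "DG"},
    ],
    "g-dg": [{"@odata.type": "#microsoft.graph.user", "id": "u-deep",
              "displayName": "Level 3 User", "mail": "deep@example.com"}],
}


def fake_fetch(url):
    """Stand-in for graph_fetcher(token) that serves the constructed data."""
    return FAKE[url.rsplit("/", 2)[-2]]


if __name__ == "__main__":
    imported = collect_users("g0", fake_fetch)
    print(json.dumps(imported, indent=2))
    print(json.dumps(sync_plan({"u-tom", "u-john", "u-left"}, imported), indent=2))
```

Run stand-alone, the script imports Tom Smith and John Doe without a group (level 1, John flagged anonymous because his account has a user principal name but no mail), Jane Doe and Richard Roe in Management (level 2), and skips the DG sub-group entirely; the previous member “u-left” shows up in the deleted list. To run it against a real tenant, replace `fake_fetch` with `graph_fetcher(get_token(tenant_id, client_id, client_secret))` and pass the Object ID of your “TinyMDM” group.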