Sync TinyMDM users with Microsoft Entra ID (formerly Azure AD)

Microsoft Azure has established itself as the primary means of identity management for many enterprises, typically used to access O365 and many other SaaS (cloud) applications. Microsoft Entra ID’s integration with TinyMDM lets administrators add users from their Azure account.

Log in to your Microsoft Azure account and click on Microsoft Entra ID.


Go to the App registrations menu on the left, then click on New registration.


Name the application TinyMDM. In Supported account types, choose Accounts in this organizational directory only (tinymdm only – Single tenant). Click on Register.


You will now see, in the Enterprise applications menu, the TinyMDM application you have just created. If you click on it, you’ll see an application ID (client) and a directory ID (tenant): please note these IDs, which you’ll be asked for later in the TinyMDM console.


Now go to the API permissions menu on the left, then click on Add a permission.


In the popup window, click on Microsoft Graph.


Choose the Application permissions option, then type group in the search field, and check the GroupMember.Read.All box.


Repeat the operation, typing user.read and checking the User.Read.All box, then click on the Add authorizations button.


You now have 2 authorizations for Microsoft Graph: GroupMember.Read.All and User.Read.All. Click on Grant admin consent and grant consent to both.


Second step: create a client secret. In the left-hand Certificates & Secrets menu, click on New client secret. Enter a description (e.g. “Secret TinyMDM”) and an expiration date, then click on Add.


Here you can see the value and identifier of your secret. Please note the value of the secret, which will be requested later in the TinyMDM administration console. The value is only displayed in full immediately after creation, so copy it now; once the secret reaches the expiration date you chose, the synchronization can no longer authenticate and a new secret must be created and entered in TinyMDM.


Third and last step: create the group that will be synchronized with TinyMDM and add members to it.

To do this, return to the Microsoft Entra ID Overview, go to the All groups tab and click on New group. Choose the Security group type, name it TinyMDM, and describe it as “Users importable into TinyMDM” (for example). Click on Create.


You’ll now see the “TinyMDM” group created, with an Object ID. Please make a note of this ID, because you’ll be asked for it later in the TinyMDM administration console.


Now you need to add members to this group: those you wish to import into the TinyMDM administration console. To do this, click on the TinyMDM group you’ve created (where you’ll see that no members have been found), then go to the Members tab on the left and click on Add members.

In our example, we add to the “TinyMDM” group (the group to be imported into the TinyMDM administration console) the individual users “Tom Smith” and “John Doe” (who are therefore at level 1), as well as the “Management” group (also at level 1), which itself has two members, “Jane Doe” and “Richard Roe” (who are therefore at level 2). If the “Management” group had sub-groups of its own, such as DG, Administration, etc., their members would be ignored when importing into the TinyMDM administration console, since they would be at level 3, which TinyMDM does not support.


Log in to your TinyMDM administration console, go to the Users and Groups tab and click on the Synchronisation Microsoft Azure button.

Fill in the required fields in the popup window:

  • Client ID: the application ID (client) of the TinyMDM application you created in Azure AD in the “Register an application” step.
  • Client secret: the value of the secret you created in Azure AD in the “New client secret” step (note: the value, not the secret ID).
  • Group ID: the object ID of the “TinyMDM” group (level 0) you created in Azure AD in the “New group” step.
  • Tenant ID: the ID of the directory (tenant), which you can find in the “Overview” tab of your Azure AD account.
  • Scope: https://graph.microsoft.com/.default

Within seconds, the imported users and groups appear in the TinyMDM console. Users are created as anonymous users (without email) if no email address has been defined in the Azure AD account (do not confuse the principal username with the email address).

To return to our example, we therefore see Tom Smith and John Doe appear without a group, and Jane Doe and Richard Roe in the Management group, which is also created (visible in the “Groups” sub-tab). You can now assign them to TinyMDM policies.


If you need to resynchronize your Microsoft Entra ID users (e.g. after new employees have joined or employees have left your company), click the “Synchronisation Microsoft Azure” button again. Users who are no longer part of the “TinyMDM” group to be imported (level 0) will appear as Azure ID: deleted in TinyMDM. You can easily find them in the console via the advanced user search, by checking the Only users with deleted Azure ID box. If a device is enrolled under such an obsolete user, consider transferring the device to another user.
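The two-level import rule from the group example above and the “Azure ID: deleted” behaviour after a resync, shown as an added Python example (not TinyMDM’s own code). The directory contents are constructed to match the example names; `sample_fetch` stands in for a real call to the Graph `/groups/{id}/members` endpoint made with the application permissions granted above.

```python
from typing import Dict, List, Optional

# Constructed sample of the member lists Microsoft Graph returns for GET /groups/{id}/members
# (only the fields used here; every id below is made up).
SAMPLE_DIRECTORY: Dict[str, List[dict]] = {
    "grp-tinymdm": [  # level 0: the "TinyMDM" group whose Object ID goes into the console
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "displayName": "Tom Smith", "mail": "tom@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u2", "displayName": "John Doe", "mail": None},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-mgmt", "displayName": "Management"},
    ],
    "grp-mgmt": [  # level 1 group; its users are level 2
        {"@odata.type": "#microsoft.graph.user", "id": "u3", "displayName": "Jane Doe", "mail": "jane@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u4", "displayName": "Richard Roe", "mail": "richard@example.com"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-dg", "displayName": "DG"},
    ],
    "grp-dg": [  # level 2 group: anything inside it would be level 3 and is ignored
        {"@odata.type": "#microsoft.graph.user", "id": "u5", "displayName": "Level Three", "mail": "l3@example.com"},
    ],
}

def sample_fetch(group_id: str) -> List[dict]:
    """Offline stand-in for the Graph call; a real fetcher would page through /groups/{id}/members."""
    return SAMPLE_DIRECTORY.get(group_id, [])

MAX_LEVEL = 2  # users directly in the level-0 group are level 1; users in its sub-groups are level 2

def expand_group(group_id: str, fetch, level: int = 1, group_name: Optional[str] = None) -> List[dict]:
    """Flatten a group into importable user records, honouring the two-level limit."""
    users: List[dict] = []
    for m in fetch(group_id):
        if m["@odata.type"] == "#microsoft.graph.user":
            users.append({"id": m["id"], "name": m["displayName"], "email": m.get("mail"),
                          "group": group_name,                  # None: user lands without a group
                          "anonymous": m.get("mail") is None})  # no mail -> anonymous user
        elif m["@odata.type"] == "#microsoft.graph.group" and level < MAX_LEVEL:
            users.extend(expand_group(m["id"], fetch, level + 1, m["displayName"]))
        # a nested group reached at level == MAX_LEVEL is skipped: its members would be level 3
    return users

def find_deleted(previous_ids: set, current: List[dict]) -> set:
    """Ids imported last time but no longer reachable: flagged 'Azure ID: deleted' after a resync."""
    return previous_ids - {u["id"] for u in current}

if __name__ == "__main__":
    for u in expand_group("grp-tinymdm", sample_fetch):
        print(u)
```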
