Set up synchronization with Azure AD
Some features might not be available for all customers yet.
You can synchronize users and groups from Microsoft Azure AD (Azure AD) to Sophos Central. You can synchronize from multiple Azure AD domains.
You can't synchronize Sophos Central with Azure AD if you're using an Office 365 GCC High plan.
These instructions tell you how to set up an Azure AD directory source. For help on managing your directory sources see Manage your sources.
You need to read the following sections and complete any necessary tasks before you set up synchronization with Azure AD:
If you've already done this, go to Add Azure AD.
Before you start, you need to check the following:
Check you have the correct admin role. You must be an Admin to set up directory sources.
Check you have the correct Microsoft Azure setup and permissions. You need the following:
- A Microsoft Azure subscription and Azure AD
directory.readallpermission in Microsoft Azure
- An Azure Application and the information we need to communicate with your Azure AD. See Check you have the correct Microsoft Azure information
Make sure any existing users or groups in Sophos Central have an Azure AD match.
If any users or groups don't have a match, you need to manage them manually in Sophos Central.
Make sure all your Azure AD users have an email address.
You need an email address for your users to protect them when using many Sophos Central workflows.
For example, if you're using Sophos Email to protect your users, email going to an email address not associated with a user isn't delivered.
You can get duplicated users under some circumstances. This is because the UPN identifiers synchronized from Azure AD and the endpoint user login don’t match. For more information, see Why are some of my Azure AD sync'd users not linked to an Endpoint login user?.
For more information on synchronizing with Azure AD, see Join your work device to your organization's network.
Before you set up synchronization, you need to know the following:
- You can't synchronize multiple Azure AD sources from the same domain.
- You can't synchronize users or email addresses to multiple Sophos Central Admin accounts. Users and email addresses must be unique in each Sophos Central Admin account.
- You can't synchronize users from the same domain using Active Directory (AD) and Azure AD.
- You can't add or remove devices using Azure AD and then synchronize the changes.
Check you have the correct Microsoft Azure information
To synchronize with Azure AD, you need some Microsoft Azure information.
To get this information, you need to set up an Azure Application. If you have one set up, check that you have the information listed in this section.
To set up an Azure Application, follow the instructions in Set up an Azure Application.
You must follow these instructions exactly.
If you've set up your Azure Application using only the
Azure Active Directory Graph Directory.Read.All permission and you want to make changes to your Azure AD synchronization settings, you need to add the
Microsoft Graph Directory.Read.All permission. You can find help on how to do this in “Set up an Azure Application”.
Make sure you have a note of the following information.
- Tenant domain
- Application ID
- Client secret. You need the value for your client secret.
- Client secret expiration
If you're missing any of the information, you can use the instructions in “Set up an Azure Application” to get it.
You're now ready to configure your Azure AD settings.
Add Azure AD
To add an Azure AD directory source, do as follows:
- Go to Global Settings > Directory service.
- Click Add Azure AD.
- Enter a Name for the source.
- Enter a description.
- Enter the Domain for the source.
- Click Next.
You can now add your Azure application information.
Configure Azure AD settings
To configure Azure AD settings, do as follows:
In Configure Azure Sync Settings, enter the following information:
- Client ID: This is the Application ID for your Azure Application.
- Domain: This is the primary domain assigned to your Azure AD instance.
- Client secret: This is the value for the client secret for your Azure Application.
- Client secret expiration: This is the expiration date for your client secret.
Click Test connection to validate your settings.
You can now choose the users and groups you want to synchronize.
Select users and groups to synchronize
You can filter the users and groups you synchronize.
If you switch filters, you change the users and groups you're synchronizing. Any users and groups not included in the new filter are removed from Sophos Central.
If you have existing users and groups in Sophos Central and you're synchronizing with Azure AD for the first time, we recommend that you select all users and groups. This gives the largest set of users and groups for the synchronization service to match.
If you have a complex hierarchy of groups and users in Azure AD, we recommend that you add users and groups after filtering them. You can use either Add users by group filter or Add users by user filter.
To select your users and groups, do as follows:
In Select users and groups to include in the synchronization, choose which users and groups you want to synchronize with Azure AD. Using filters allows you to synchronize specific users and groups from Azure AD.
For more information using these filters, see Filter users and groups.
You can now set up your synchronization schedule.
Set up your synchronization schedule
This feature might not be available for all customers yet.
You can choose the frequency at which the synchronization of users and groups should happen.
To set up a schedule, do as follows:
- Go to Synchronization schedule.
Select your schedule from the following:
- Hourly: We synchronize your data based on the hour multiple and your chosen local start time. For example, every 6 hours starting at 02:00 AM.
- Daily: We synchronize your data daily at your selected local time.
- Weekly: We synchronize your data on your selected days at your selected local time.
- Monthly: We synchronize your data on your chosen dates. You can choose up to two dates. Click Add another day to add a second date.
- None: Chose this option when you want to synchronize manually every time.
You can now synchronize with Azure AD.
Synchronize with Azure AD
You can't preview the changes that synchronizing with Azure AD will make in Sophos Central.
To synchronize with Azure AD, do as follows:
- Click Turn on.
Your synchronization status updates.
Click Users to review the changes to your users.
- Click Groups to review the changes to your groups.