Federated sign-in

You can allow your administrators and users to sign in to Sophos Central and Sophos Central Self Service Portal using their Sophos Central Admin sign-in credentials, their Microsoft sign-in credentials, or both.

Turning on federated sign-in in Sophos Central Admin also turns it on in the Sophos Central Self Service Portal.

Note: Sophos Central is not supported on mobile devices.

You can also add custom sign-in rules for specific administrators.

Go to Overview > Global Settings > Federated Sign-in.

Using Microsoft credentials to sign in

Before an administrator or user can sign in using their Microsoft credentials, the following must happen:

  • An Azure AD administrator must grant consent (permission) to use the credentials stored in your organization's Azure AD tenant to sign in to Sophos Central.

    This consent applies to Sophos Central Admin, Sophos Central Enterprise, and the Sophos Central Self Service Portal.

    Once an Azure AD administrator gives consent, your Azure AD tenant trusts Sophos Central, and your administrators and users can sign in with their Microsoft credentials.

    For help with granting consent in Azure, see Understanding Azure AD application consent experiences.

  • You must turn on federated sign-in and choose which credentials your administrators and users use to sign in. See Turn on federated sign-in.

If you want to allow your administrators and users to sign in with their Microsoft credentials only, you also need to know the following:

  • What happens if you change to using Sophos Central Admin sign-in credentials only?

    Administrators and users won't have a password set up to validate against. They need to use "Reset Password" to set a new password and then sign in.

  • Can administrators and users reset their passwords if you turn on Sign in with Microsoft credentials only?

    No, they won't receive reset password emails.

Note: Your administrators and users can sign in using their Microsoft credentials if the email address associated with their Sophos Central Admin credentials matches their Microsoft sign-in credentials.

For more help on using Azure AD Federation and Sophos Central Admin, see Sophos Central Azure AD Federation and FAQ on Sophos Central Azure AD Federation.
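The note above makes the email match a precondition for Microsoft sign-in, and with Microsoft-only sign-in there are no reset password emails to fall back on. The following added example (not Sophos code) checks constructed CSV exports before making the switch; the column names, the use of userPrincipalName as the Microsoft sign-in name, and the function name are assumptions.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not a Sophos Central or Azure AD export format.
SOPHOS_ADMINS = """email,enterprise_admin
alice@example.com,no
Bob.Jones@example.com,no
carol@example.com,yes
dave@contractor.example.net,no
"""
AZURE_USERS = """userPrincipalName
alice@example.com
bob.jones@example.com
carol@example.com
dave@example.com
"""


def audit_federation_readiness(sophos_csv, azure_csv):
    """Classify each Sophos Central account against Azure AD sign-in names."""
    upns = [r["userPrincipalName"].strip()
            for r in csv.DictReader(io.StringIO(azure_csv))]
    exact = set(upns)
    folded = {u.casefold() for u in upns}
    report = {"match": [], "case_only": [], "no_match": [], "enterprise": []}
    for row in csv.DictReader(io.StringIO(sophos_csv)):
        email = row["email"].strip()
        if email in exact:
            report["match"].append(email)
        elif email.casefold() in folded:
            # The page does not say whether matching ignores case: verify these.
            report["case_only"].append(email)
        else:
            # No matching Microsoft sign-in name. Under Microsoft-only sign-in
            # this account also won't receive reset password emails.
            report["no_match"].append(email)
        if row["enterprise_admin"].strip().lower() == "yes":
            # The same Microsoft credentials can't be used for both consoles.
            report["enterprise"].append(email)
    return report


if __name__ == "__main__":
    result = audit_federation_readiness(SOPHOS_ADMINS, AZURE_USERS)
    for category, emails in result.items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Resolve every `no_match` and `case_only` entry before choosing Microsoft credentials only.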

Sophos Central Enterprise administrators and federated sign-in

Note: If an administrator is also an Enterprise admin, they can't use the same Microsoft sign-in credentials to sign in to both consoles.

If you create an Enterprise admin from an existing Sophos Central Admin account, the federated sign-in credentials and settings for that account are used for the Sophos Central Enterprise account.

Sign-in options

Restriction: These features might not be available for all customers yet.

When your users and administrators sign in, what they see depends on the sign-in option you've chosen.

The first screen they're shown asks them for the email address they use to sign in.


Sophos Sign in screen

The next screen they're shown depends on the sign-in option you've chosen.

  • If you've chosen to allow them to sign in with their Sophos Central Admin email and password only, they're shown a screen that allows them to sign in with those credentials.

    Sophos ID sign-in screen
  • If you've chosen to allow them to use Microsoft credentials to sign in, they're shown a screen that allows them to sign in with their Microsoft credentials or their Sophos Central Admin email and password.

    Sophos ID or Microsoft sign-in screen

    Your administrators and users see this screen even if you've chosen to let them sign in with their Microsoft credentials only.