Set up synchronization with Azure AD

Follow these instructions to synchronize with Azure AD.

Before you start, you need to know the following information about synchronizing with Azure AD.

If you have existing users or groups in Sophos Central, make sure they have an Azure AD match if you want to add, remove, or change their details using Azure AD.

Warning You can get duplicated users under some circumstances. This happens when the UPN identifiers synchronized from Azure AD don't match the endpoint user login. For more information, see Why are some of my Azure AD sync'd users not linked to an Endpoint login user?.

If synchronization finds an existing user or group in Sophos Central that matches a user or group in Azure AD, it adds them to the sync service. You can then manage them with Azure AD and synchronize the changes.

If any users or groups don't have a match, you need to manage them manually in Sophos Central.

Synchronizing with Azure AD doesn't affect existing devices in Sophos Central. You can't add or remove devices using Azure AD and then synchronize the changes.

Restriction You must be an Admin to set up or change directory services. Before you can set up synchronization, you need a Microsoft Azure subscription and Azure AD. You must also have the Directory.Read.All permission in Microsoft Azure.

For more information on synchronizing with Azure AD, see Join your work device to your organization's network.

Warning Before you proceed, make sure all your Azure AD users have an email address. You need an email address for your users to protect them when using many Sophos Central workflows. For example, if you're using Sophos Email to protect your users, email going to an email address not associated with a user isn't delivered.
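The two warnings above (users without an email address, and Azure AD UPNs that don't match an endpoint login and so can produce duplicate users) can both be checked before the first sync. The following is an added example, not Sophos code or a Sophos Central API: it assumes user records in the shape Microsoft Graph returns for users (userPrincipalName, mail, displayName) and endpoint login names given as UPN-style strings. All sample data is constructed.

```python
"""Pre-sync audit of Azure AD users (added example; not Sophos code).

Assumptions: user records look like Microsoft Graph user objects, and
endpoint login names are UPN-style strings compared case-insensitively.
"""

# Constructed sample: Azure AD user records in Microsoft Graph shape.
AZURE_USERS = [
    {"displayName": "Ada Lovelace", "userPrincipalName": "ada@contoso.example",
     "mail": "ada@contoso.example"},
    {"displayName": "Grace Hopper", "userPrincipalName": "grace@contoso.example",
     "mail": None},                                   # no mail attribute set
    {"displayName": "Svc Backup", "userPrincipalName": "svc-backup@contoso.example"},
    {"displayName": "Linus T", "userPrincipalName": "linus@contoso.example",
     "mail": "Linus@contoso.example"},
]

# Constructed sample: login names observed on endpoints (assumed UPN-style).
ENDPOINT_LOGINS = [
    "ada@contoso.example",
    "svc-backup@contoso.example",
    "grace.hopper@contoso.example",   # differs from Grace's UPN -> duplicate risk
]


def users_without_mail(users):
    """UPNs of users whose mail attribute is missing or empty.

    Workflows such as Sophos Email need an email address tied to a user,
    so these accounts should be fixed in Azure AD before syncing.
    """
    return sorted(u["userPrincipalName"] for u in users
                  if not (u.get("mail") or "").strip())


def upns_without_endpoint_login(users, endpoint_logins):
    """UPNs with no case-insensitive match among the endpoint login names.

    A synced user whose UPN doesn't match the endpoint login is the
    situation in which Sophos Central can end up with duplicated users.
    """
    known = {login.casefold() for login in endpoint_logins}
    return sorted(u["userPrincipalName"] for u in users
                  if u["userPrincipalName"].casefold() not in known)


def audit(users, endpoint_logins):
    """Run both checks and return the findings as a dict."""
    return {
        "no_mail": users_without_mail(users),
        "no_endpoint_match": upns_without_endpoint_login(users, endpoint_logins),
    }


if __name__ == "__main__":
    for finding, upns in audit(AZURE_USERS, ENDPOINT_LOGINS).items():
        print(f"{finding}: {', '.join(upns) or 'none'}")
```

Run the script before the first sync and resolve every listed UPN in Azure AD (add the missing mail attribute, or align the UPN and endpoint login) so the sync matches existing users instead of creating new ones.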

To set up synchronization with Azure AD, you need to do as follows:

  1. Select Azure AD as your directory service.
  2. Set up an Azure Application. You can skip this step if you already have one set up.
  3. Set up your synchronization options.
  4. Choose the users and groups you want to sync.
  5. Synchronize Azure AD.

Select directory service

These instructions assume you don't have a directory service set up.

If you want to change directory services, see Change directory service.

To select your directory service, do as follows:

  1. Go to Overview > Global Settings > Directory service.
  2. Click the Getting started link.
  3. Choose the directory service you want to use.
    • AD sync
    • Azure AD sync
  4. Click Next, then review and acknowledge the warning.
  5. Click Next.

You can now set up your chosen directory service.

Check you have the correct Microsoft Azure information

To synchronize with Azure AD, you need some Microsoft Azure information.

To get this information you need to set up an Azure Application. If you have one set up, check that you have the information listed in this section.

To set up an Azure Application, follow the instructions in Set up an Azure Application.

Warning You must follow these instructions exactly.

If you've set up your Azure Application using only the Azure Active Directory Graph Directory.Read.All permission, and you want to make changes to your Azure AD synchronization settings, you need to add the Microsoft Graph Directory.Read.All permission. You can find help on how to do this in Set up an Azure Application.

  1. Make sure you have a note of the following information.
    • Tenant domain
    • Application ID
    • Client secret. You need the value for your client secret.
    • Client secret expiration
  2. If you're missing any of the information you can use the instructions in Set up an Azure Application to get it.
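Before pasting the four values into Sophos Central it is worth checking that each one has the expected shape. The following is an added example, not Sophos code: it checks that the tenant domain is a DNS name, that the Application ID is a GUID, that the client secret is a non-empty value (a GUID-shaped secret is flagged because that usually means the secret ID was copied instead of the value, which is an assumption of this check), and that the expiration date is still in the future. The 30-day warning threshold and the ISO date format are assumptions of the example.

```python
"""Shape check for Azure Application details (added example; not Sophos code)."""
import re
import uuid
from datetime import date, timedelta

# DNS-name pattern for the tenant domain, e.g. contoso.onmicrosoft.com.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def _is_guid(value):
    """True if value parses as a GUID/UUID (Application IDs are GUIDs)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_azure_app_details(tenant_domain, application_id, client_secret,
                            secret_expiration, today=None, warn_days=30):
    """Return a list of problems found; an empty list means all checks passed.

    secret_expiration and today are ISO dates (YYYY-MM-DD); today defaults
    to the current date. warn_days is an assumed threshold of this example.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    problems = []

    if not DOMAIN_RE.match(tenant_domain or ""):
        problems.append("tenant domain is not a valid DNS name")

    if not _is_guid(application_id):
        problems.append("application ID is not a GUID")

    secret = (client_secret or "").strip()
    if not secret:
        problems.append("client secret value is empty")
    elif _is_guid(secret):
        # Assumption: a GUID here means the secret ID was copied, not the value.
        problems.append("client secret looks like a GUID: the secret ID may have "
                        "been copied instead of the secret value")

    try:
        expires = date.fromisoformat(secret_expiration)
    except (TypeError, ValueError):
        problems.append("client secret expiration is not an ISO date (YYYY-MM-DD)")
    else:
        if expires <= today:
            problems.append(f"client secret expired on {expires.isoformat()}")
        elif expires - today <= timedelta(days=warn_days):
            problems.append(f"client secret expires within {warn_days} days "
                            f"({expires.isoformat()})")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own before use.
    for problem in check_azure_app_details(
            "contoso.onmicrosoft.com",
            "11111111-2222-3333-4444-555555555555",
            "paste-the-secret-value-here",
            "2030-01-01"):
        print("problem:", problem)
```

An empty result doesn't prove the values are correct; that is what Test connection in the next section is for. It does catch the common copy-and-paste mistakes before you get there.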

You're now ready to configure your Azure AD settings.

Configure Azure AD settings

To configure Azure AD settings, do as follows:

  1. In Step B: Configure Azure Sync Settings, enter the following information:
    • Client ID. This is the Application ID for your Azure Application.
    • Tenant domain. This is the primary domain assigned to your Azure AD instance.
    • Application Key. This is the value for the client secret for your Azure Application.
    • Client secret expiration. This is the expiration date for your client secret.
  2. Click Test connection to validate your settings.

You can now choose the users and groups you want to sync.

Select users and groups to sync

You can filter the users and groups you synchronize.

If you switch filters, you change the users and groups you are synchronizing. Any users and groups not included in the new filter are removed from Sophos Central.

If you have existing users and groups in Sophos Central and you're synchronizing with Azure AD for the first time, we recommend that you select all users and groups. This gives the largest set of users and groups for the sync service to match.

If you have a complex hierarchy of groups and users in Azure AD, we recommend that you add users and groups after filtering them. You can use either Add users by group filter or Add users by user filter to do this.

To select your users and groups, do as follows:

  1. In Step C: Select users and groups to include in the sync, choose which users and groups you want to synchronize with Azure AD. Using filters allows you to synchronize specific users and groups from Azure AD. Choose from the following:
    • All users and groups
    • Add users by group ID
    • Add users by group filter
    • Add users by user filter

    For more information on how to use these filters, see Filter users and groups.

  2. Click Save.
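Because switching filters removes any user not covered by the new filter, it helps to work out the difference between the old and new filter before clicking Save. The following is an added example, not Sophos code and not the real filter syntax from Filter users and groups: it models the four filter choices above with assumed semantics (group filter and user filter as shell-style wildcards on the group display name and the UPN respectively) over constructed Azure AD users and groups, and reports which users a filter change would add, keep or remove.

```python
"""Preview of a sync filter change (added example; not Sophos code).

Assumed filter model: {"mode": "all"}, {"mode": "group_id", "ids": [...]},
{"mode": "group_filter", "pattern": "..."} or {"mode": "user_filter",
"pattern": "..."}; patterns are fnmatch wildcards. Real Sophos Central
filter syntax may differ; see Filter users and groups.
"""
import fnmatch

# Constructed sample: Azure AD group object ID -> display name.
GROUPS = {
    "g-eng": "Engineering",
    "g-fin": "Finance",
    "g-con": "Contractors",
}

# Constructed sample: users with the IDs of the groups they belong to.
USERS = [
    {"userPrincipalName": "ada@contoso.example", "groups": ["g-eng"]},
    {"userPrincipalName": "grace@contoso.example", "groups": ["g-eng", "g-fin"]},
    {"userPrincipalName": "bob@contoso.example", "groups": ["g-fin"]},
    {"userPrincipalName": "carol@contoso.example", "groups": ["g-con"]},
    {"userPrincipalName": "ext-dave@partner.example", "groups": []},
]


def users_in_scope(users, groups, filter_spec):
    """Return the set of UPNs a filter would include in the sync."""
    mode = filter_spec["mode"]
    if mode == "all":
        return {u["userPrincipalName"] for u in users}
    if mode == "group_id":
        wanted = set(filter_spec["ids"])
        return {u["userPrincipalName"] for u in users if wanted & set(u["groups"])}
    if mode == "group_filter":
        # Match the pattern against group display names, then take members.
        wanted = {gid for gid, name in groups.items()
                  if fnmatch.fnmatchcase(name, filter_spec["pattern"])}
        return {u["userPrincipalName"] for u in users if wanted & set(u["groups"])}
    if mode == "user_filter":
        return {u["userPrincipalName"] for u in users
                if fnmatch.fnmatchcase(u["userPrincipalName"], filter_spec["pattern"])}
    raise ValueError(f"unknown filter mode: {mode}")


def preview_filter_change(users, groups, old_filter, new_filter):
    """Compare two filters: users only in the old one would be removed."""
    before = users_in_scope(users, groups, old_filter)
    after = users_in_scope(users, groups, new_filter)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "kept": sorted(before & after),
    }


if __name__ == "__main__":
    change = preview_filter_change(
        USERS, GROUPS, {"mode": "all"}, {"mode": "group_filter", "pattern": "Eng*"})
    for key, upns in change.items():
        print(f"{key}: {', '.join(upns) or 'none'}")
```

The "removed" list is the set to review with care: after Save and Sync those users no longer exist in Sophos Central, and nothing in the console shows that in advance.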

You can now sync with Azure AD.

Sync with Azure AD

Note You can't preview the changes that syncing with Azure AD will make in Sophos Central.

To sync with Azure AD, do as follows:

  1. Click Save and Sync.
  2. Click Settings > Directory service to review the sync status.
  3. Click Users to review the changes to your users.
  4. Click Groups to review the changes to your groups.