Set up an Azure Application

To synchronize with Azure AD, you need some Microsoft Azure information.

To get this information, you need to set up an Azure Application. You can skip this section if you have one set up.

Note We recommend that you check Add an enterprise application and Prerequisites to access the Azure Active Directory reporting API for the latest help. You may also find Microsoft's Quickstart Guide for registering applications useful, see Quickstart: Register an application with the Microsoft identity platform. You should use the instructions given by Microsoft if they differ from ours.

You need to set up two application permissions in your Azure portal so that you can use all of the Azure AD synchronization options in Sophos Central. You need to set up the following permissions:

  • Azure Active Directory Graph Directory.Read.All
  • Microsoft Graph Directory.Read.All

If you've set up your Azure Application using only the Azure Active Directory Graph Directory.Read.All permission and you want to make changes to your Azure AD synchronization settings, you need to add the Microsoft Graph Directory.Read.All permission. You can find help on how to do this in Set up application permissions.

To set up an Azure Application, do as follows:

  1. Create an Azure application.
  2. Create a client secret.
  3. Set up application permissions.
  4. Find your tenant domain information.

Create an Azure Application

To create an application, do as follows:

  1. Sign in to your Azure portal.
  2. Click Azure Active Directory.
  3. On the Azure Active Directory page, click Enterprise applications.
  4. Click New application on the top menu.

    Add a new Azure Application
  5. Click Create your own application.

    This opens Create your own application.

  6. Enter a name for your application, for example, Sophos Azure AD Sync.
  7. Select Register an application to integrate with Azure AD (App you're developing).

    Screenshot showing example new Azure App
  8. Click Create.

    This opens Register an application.

  9. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

    Screenshot showing single tenant app type selected.
  10. Under Redirect URI (optional), select Web and enter https://central.sophos.com.

    Screenshot showing the redirect URL
  11. Click Register.

You now need to create a client secret.

Create a client secret

To create a client secret, do as follows:

  1. Go to Azure Active Directory and click App registrations.

    You must go to the top level in your Azure portal and then select Azure Active Directory. You can then select App registrations.
    Screenshot showing Azure Active Directory and App registrations.
  2. Select your newly added application, in this example Sophos Azure AD Sync.
  3. Make a note of the Application ID. You'll need this information when you're configuring Azure AD Sync in Sophos Central.
  4. Click Certificates & secrets on the left-hand side and click New client secret.

    Screenshot showing Certificates and Secrets
  5. Create a client secret.

    Screenshot showing client secret setup.
  6. Make a note of the client secret and the client secret expiration. Store them securely.

    You need the information in the Value field for the client secret.

    Note The client secret isn't shown again. You can't recover it later.

You now need to set up your application permissions.

Set up application permissions

To set up permissions do as follows:

  1. Optional Go to Azure Active Directory and click App registrations, if you aren't there already. You must be in App registrations to set up permissions.

    You must go to the top level in your Azure portal and then select Azure Active Directory. You can then select App registrations.
    Screenshot showing Azure Active Directory and App registrations.
  2. Click API permissions on the left-hand side and click Add a permission.

    Screenshot showing the Add a permission option highlighted.
  3. Click APIs my organization uses and click Windows Azure Active Directory.

    Azure API permissions
  4. Select the (legacy) Azure Active Directory Graph > Directory.Read.All permission.
  5. Click Application permissions, and do as follows:
    1. Under Directory, click Directory.Read.All.
    2. Click Add permissions.

    Azure API Permissions Request
  6. Now add the Microsoft Graph permission. To do this, do as follows:
    1. Click Add a permission.
    2. Under Request API Permission, click Microsoft Graph.
    3. Under What type of permissions does your application require?, click Application permissions.
      Microsoft graph Application permissions
    4. Select Directory from the list.
    5. Under Directory, click Directory.Read.All.
      Microsoft graph Read directory permissions
  7. For each set of permissions, under Grant consent, click Grant admin consent for <account> and then click Yes.

    You should see a message saying that you've granted consent for each of your permissions.

    Azure Application with permissions granted

You now need to find your tenant domain information and check that you have all the required information for setting up Azure AD synchronization in Sophos Central.

Find your tenant domain information

You need to make a note of your tenant domain information and check that you have all the Azure information you need. To do this, do as follows:

  1. You need your Tenant domain. This is the primary domain assigned to your Azure AD instance. Go to your Azure AD configuration and open Custom domain names. Make a note of your tenant domain.
  2. Check that you have a note of the following information:
    • Tenant domain. You need to enter this in Tenant domain in Sophos Central.
    • Application ID. You need to enter this in Client ID in Sophos Central.
    • The value for your client secret. You need to enter this in Application Key in Sophos Central.
    • Client secret expiration. You need to enter this in Client secret expiration in Sophos Central.
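The four values above can be checked before you enter them in Sophos Central. This added Python example (not Sophos or Microsoft code) builds the client-credentials token request from the Tenant domain, Application ID and client secret, inspects the resulting Microsoft Graph token for the Directory.Read.All application role that admin consent grants, and reports how long the client secret has left; the token and dates used are constructed, and the `/oauth2/v2.0/token` endpoint and `.default` scope are the standard Microsoft identity platform ones.

```python
"""Pre-flight checks for the Azure AD details collected in the steps above.
Added example, not Sophos or Microsoft code. Endpoints and claim names are
the standard Microsoft identity platform ones; the sample token is constructed."""
import base64
import json
from datetime import date
from urllib.parse import urlencode

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID
REQUIRED_ROLE = "Directory.Read.All"

def token_request(tenant_domain, client_id, client_secret):
    """URL and form body a client posts to get an app-only Graph token from
    the Tenant domain, Application ID (Client ID) and secret Value noted above."""
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token_roles(access_token):
    """Decode the JWT payload (no signature check: we only inspect a token the
    token server issued to us) and list what would break Azure AD sync."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    problems = []
    if payload.get("aud") not in (GRAPH_APP_ID, "https://graph.microsoft.com"):
        problems.append(f"audience {payload.get('aud')!r} is not Microsoft Graph")
    if REQUIRED_ROLE not in payload.get("roles", []):
        # A permission that was added but never granted admin consent looks like this
        problems.append(f"{REQUIRED_ROLE} missing from roles: grant admin consent")
    return problems

def secret_days_left(expires_iso, today_iso=None):
    """Days until the client secret expires (ISO dates); negative means it has
    lapsed and synchronization fails at the next token refresh."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (date.fromisoformat(expires_iso) - today).days

def _fake_jwt(payload):
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"
```

Post the body returned by `token_request()` to its URL and pass the `access_token` field of the JSON response to `check_token_roles()`; an empty list means the application ID, secret and granted permissions all work together.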

You're now ready to configure your Azure AD settings. You can find help on how to do this in Set up synchronization with Azure AD.