Set up an Azure Application

To synchronize with Azure AD, you need some Microsoft Azure information.

To get this information, you need to set up an Azure Application. You can skip this section if you have one set up.

Note We recommend that you check Add an enterprise application and Prerequisites to access the Azure Active Directory reporting API for the latest help. You may also find Microsoft's Quickstart Guide for registering applications useful, see Quickstart: Register an application with the Microsoft identity platform. You should use the instructions given by Microsoft if they differ from ours.

To set up an Azure Application, do as follows:

  1. Sign in to your Azure portal.
  2. Click Azure Active Directory.
  3. On the Azure Active Directory page, click Enterprise applications.
  4. Click New application on the top menu.

    Add a new Azure Application
  5. Click Create your own application.

    This opens Create your own application.

  6. Enter a name for your application, for example, Sophos Azure AD Sync.
  7. Select Register an application to integrate with Azure AD (App you're developing).

    Screenshot showing example new Azure App
  8. Click Create.

    This opens Register an application.

  9. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

    Screenshot showing single tenant app type selected.
  10. Under Redirect URI (optional), select Web and enter https://central.sophos.com .

    Screenshot showing the redirect URL
  11. Click Register.
  12. Go to Azure Active Directory and click App registrations.

    You must go to the top level in your Azure portal and then select Azure Active Directory. You can then select App registrations.


    Screenshot showing Azure Active Directory and App registrations.
  13. Select your newly added application, in this example Sophos Azure AD Sync.
  14. Make a note of the Application ID. You'll need this information when you're configuring Azure AD Sync in Sophos Central.
  15. Click Certificates & secrets on the left-hand side and click New client secret.

    Screenshot showing Certificates and Secrets
  16. Create a client secret.

    Screenshot showing client secret setup.
  17. Make a note of the client secret and the client secret expiration. Store them securely.

    You need the information in the Value field for the client secret.

    Note The client secret isn't shown again. You can't recover it later.
  18. Click API permissions on the left-hand side and click Add a permission.

    Screenshot showing the Add a permission option highlighted.
  19. Click APIs my organization uses and click Windows Azure Active Directory.

    Azure API permissions
    Note This requires the (legacy)Azure Active Directory Graph > Directory.Read.All permission, not the Microsoft Graph > Directory.Read.All permission.
  20. Click Application permissions, and do as follows:
    1. In Directory, assign Directory.Read.All
    2. Click Add permissions

    Azure API Permissions Request
  21. Under Grant consent, click Grant admin consent for <account> and then click Yes.

    You should see a message saying that you've granted permissions.


    Azure API Permissions granted
  22. You need your Tenant domain. This is the primary domain assigned to your Azure AD instance. Go to your Azure AD configuration and open Custom domain names. Make a note of your tenant domain.
  23. Make sure you have a note of the following information.
    • Tenant domain. You need to enter this in Tenant domain in Sophos Central.
    • Application ID. You need to enter this in Client ID in Sophos Central.
    • Client secret. You need to enter this in Application Key in Sophos Central.
    • Client secret expiration. You need to enter this in Application key expiration in Sophos Central.

You're now ready to configure your Azure AD settings. You can find help on how to do this in Set up synchronization with Azure AD.