Set up synchronization with Active Directory

Follow these instructions to set up synchronization with Active Directory.

Before you can set up synchronization, you need .NET Framework 4 on the computer where you will run the Sophos Central AD Sync Utility.

Warning Before you proceed, make sure all your Active Directory users are set up correctly with an email address. Users without an email address aren't protected, and email sent to an address that isn't tied to a user isn't delivered.

You need to use API credentials to synchronize with Active Directory.

To set up synchronization with Active Directory:

  1. Set up your API credentials for AD sync. To do this, click Settings > API credentials.
  2. Add a new credential. Enter the following information:
    • Credential name
    • Description
  3. Copy the Client ID and Client Secret.
  4. Click Settings > Active Directory Sync, and click the link to download the Sophos Central AD Synchronization Utility installer. Then run it.

    Alternatively, go to the Start menu and click Sophos > Central > AD Sync. If you are running Windows 8 or later, in the Apps list, find the app AD Sync listed under Sophos.

    The Sophos Central AD Sync Utility Setup assistant starts.
  5. In the setup wizard, enter the information required.

    Follow the instructions in the Sophos Central AD Sync Utility Setup assistant.

  6. On the last page of the setup assistant, select Launch Sophos Central AD Sync Utility and click Finish.
  7. In the Active Directory Synchronization Setup utility, on the Sophos Credentials page, enter your Client ID and Client Secret instead of your Sophos Central account credentials.
  8. On the AD Configuration page, specify your Active Directory LDAP server and the credentials of a user account that has read access to the entire Active Directory forest you want to synchronize with. To stay secure, use an account with the fewest rights that still give this read access.

    You must use a secure LDAP connection encrypted with SSL, so leave the Use LDAP over an SSL connection (recommended) checkbox selected. If your LDAP environment doesn't support SSL, you can't fall back to an insecure connection. As of March 2020, Microsoft plans to release a security update on Windows Update that enables LDAP channel binding and LDAP signing hardening changes for Active Directory by default. SSL connections usually use port 636; insecure connections on port 389 won't work once the Microsoft security update is applied.

  9. If you don't want to synchronize the entire forest, on the AD Filters page, you can specify which domains to include in the synchronization. You can also specify additional search options (search bases and LDAP query filters) for each domain. You can specify distinct options for users and for user groups.
    Note AD Sync only creates groups whose members include discovered users or devices, regardless of the group filter settings.

    Search bases

    You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:


    LDAP query filters

    To filter users, for example, by group membership, you can define a user query filter in this format:

    memberOf=CN=testGroup, DC=myCompany, DC=com

    The above query limits user discovery to users belonging to “testGroup”. Note that if you don't specify a group query filter, AD Sync will discover all groups to which these discovered users belong. If you wish group discovery to also be limited to “testGroup”, you could define the following group query filter:


    Note If you include base distinguished names in your search options or change your filter settings, some of the existing Sophos Central users and groups created during previous synchronizations may fall outside the search scope and may be deleted from Sophos Central.
  10. On the Sync Schedule page, define the times at which the synchronization will be performed automatically.
    Note A scheduled synchronization is performed by a background service. The AD Sync utility does not need to be running for the scheduled synchronizations to occur.

    If you want to synchronize manually by running the AD Sync utility and don't want the synchronization to run automatically on a regular basis, select Never. Only sync when manually initiated.

  11. Click Finished.
  12. To synchronize immediately, in the AD Sync Utility, click Preview and Sync. Review the changes that will be made during the synchronization. If you are happy with the changes, click Approve Changes and Continue.

    The Active Directory users and groups are imported from the Active Directory to Sophos Central.

    To stop the synchronization in progress, click Stop.
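The checks below are an added example in Python, not part of the Sophos utility or this page. They model the decisions made in steps 8 and 9 so you can rehearse them before you run Preview and Sync: building the memberOf user filter from the page's example with RFC 4515 escaping, probing that the LDAP server really answers TLS on port 636, and, over a constructed set of user records, listing which users fall inside a search base plus group filter, which of those have no email address (the warning at the top of the page), and which previously synchronized users would fall outside the new scope (the note under LDAP query filters). The record layout (dicts with `dn`, `mail`, `memberOf`) and every hostname, DN and user below are assumptions chosen for the example.

```python
"""Offline pre-flight checks for an AD Sync scope (added example, not Sophos code).

Assumption: user records are dicts with 'dn', 'mail' and 'memberOf' keys, as an
LDAP search for those attributes would return them. All sample data is constructed.
"""
import json
import socket
import ssl

# RFC 4515 escapes for values placed inside an LDAP search filter, so a DN that
# contains '(' , ')', '*' or '\' cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Build the user query filter from the page's memberOf example, wrapped in the
    parentheses that RFC 4515 requires around a filter item."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim spaces around RDNs, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_search_base(dn: str, search_base: str) -> bool:
    """True if dn equals the search base or sits below it in the tree."""
    dn, base = normalize_dn(dn), normalize_dn(search_base)
    return dn == base or dn.endswith("," + base)


def users_in_scope(users, search_base: str, group_dn: str):
    """Users under the search base that are direct members of group_dn."""
    group = normalize_dn(group_dn)
    return [
        u for u in users
        if in_search_base(u["dn"], search_base)
        and group in {normalize_dn(g) for g in u.get("memberOf", [])}
    ]


def preflight(users, search_base: str, group_dn: str, previously_synced_dns):
    """Summarise what a sync with this search base and group filter would do."""
    scoped = users_in_scope(users, search_base, group_dn)
    scoped_dns = {normalize_dn(u["dn"]) for u in scoped}
    return {
        "filter": member_of_filter(group_dn),
        "in_scope": sorted(scoped_dns),
        # Users the sync would create but that are unprotected until they get a mailbox.
        "missing_mail": sorted(u["dn"] for u in scoped if not u.get("mail")),
        # Users created by earlier syncs that the narrower scope no longer covers.
        "would_be_removed": sorted(
            d for d in previously_synced_dns if normalize_dn(d) not in scoped_dns
        ),
    }


def ldaps_probe(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Open a TLS session to the LDAPS port and return the server certificate's CN.

    Raises OSError or ssl.SSLError if the port is closed or the certificate is not
    trusted by this machine, which is worth knowing before pointing the utility at it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(item for rdn in cert["subject"] for item in rdn)
    return subject.get("commonName", "")


# Constructed sample directory: one user lacks mail, one sits outside the OU,
# one is not in the group. Alice, Carol and Dave were synced by an earlier run.
SAMPLE_USERS = [
    {"dn": "CN=Alice,OU=Sales,DC=myCompany,DC=com", "mail": "alice@mycompany.com",
     "memberOf": ["CN=testGroup,DC=myCompany,DC=com"]},
    {"dn": "CN=Bob,OU=Sales,DC=myCompany,DC=com", "mail": "",
     "memberOf": ["CN=testGroup, DC=myCompany, DC=com"]},
    {"dn": "CN=Carol,OU=Engineering,DC=myCompany,DC=com", "mail": "carol@mycompany.com",
     "memberOf": ["CN=testGroup,DC=myCompany,DC=com"]},
    {"dn": "CN=Dave,OU=Sales,DC=myCompany,DC=com", "mail": "dave@mycompany.com",
     "memberOf": ["CN=otherGroup,DC=myCompany,DC=com"]},
]
PREVIOUSLY_SYNCED = [
    "CN=Alice,OU=Sales,DC=myCompany,DC=com",
    "CN=Carol,OU=Engineering,DC=myCompany,DC=com",
    "CN=Dave,OU=Sales,DC=myCompany,DC=com",
]

if __name__ == "__main__":
    report = preflight(SAMPLE_USERS, "OU=Sales,DC=myCompany,DC=com",
                       "CN=testGroup, DC=myCompany, DC=com", PREVIOUSLY_SYNCED)
    print(json.dumps(report, indent=2))
    # ldaps_probe("dc01.mycompany.example") would be run against a real controller.
```

The `would_be_removed` list is the part worth reading before you click Approve Changes and Continue: narrowing the search base to one OU drops Carol, and the group filter drops Dave, exactly the kind of silent deletion the page's note warns about. `missing_mail` flags Bob, who would be created but not protected. `ldaps_probe` only confirms that port 636 serves a certificate this host trusts; it does not bind or read the directory, so it needs no credentials.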