Set up multi-factor authentication for Sophos Secure Email

When you set up multi-factor authentication (MFA) for Sophos Secure Email, users access their Exchange accounts via your organization’s Office 365 sign-in page.

Prerequisites:
  • You’re using Exchange Online.
  • You’ve turned on multi-factor authentication for your organization in Office 365. See Set up multi-factor authentication (Microsoft documentation).
  • Your users have turned on multi-factor authentication on their devices. See Set up 2-step verification for Office 365 (Microsoft documentation).

To set up multi-factor authentication for Sophos Secure Email, do as follows:

  1. Sign in to the Microsoft Azure portal with your Azure administrator account.
  2. Go to App registrations.
  3. Select New registration.
  4. In Name, enter a name for the application, for example Sophos Secure Email.
  5. In Redirect URI, enter the following text:

    sophos://sse/auth

  6. Click Register.
  7. On the application’s overview page, copy the value that is displayed under Application (client) ID.

    You need this value and the values from the following step later in this procedure.

  8. Click Endpoints and then copy the values displayed under OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2).
  9. On the application’s overview page, click API permissions > Add a permission > APIs my organization uses.
  10. Search for the Office 365 Exchange Online API.
  11. Under Delegated permissions, select the following permissions:
    • EAS.AccessAsUser.All (from the EAS section)
    • EWS.AccessAsUser.All (from the EWS section)
  12. Click Add permissions.
  13. Under Configured permissions, click Grant admin consent.

Perform the following steps in Sophos Central Admin:

  1. Go to Mobile.
  2. Go to Policies and edit the Sophos container policy that contains the Work email configuration.

    If you have several policies with a Work email configuration, you must edit them all.

  3. Under OAuth 2.0, configure the following settings:

    Option                  Description
    Turn on OAuth 2.0       Select this setting.
    Authorization endpoint  Enter the value displayed in the Azure portal under OAuth 2.0 authorization endpoint (v2).
    Client ID               Enter the value displayed in the Azure portal under Application (client) ID.
    Redirect URI            Enter the following text: sophos://sse/auth
    Token endpoint          Enter the value displayed in the Azure portal under OAuth 2.0 token endpoint (v2).

  4. Click Apply and Save.

Sophos Secure Email starts using your organization’s Office 365 authentication the next time the device connects to Sophos Central.
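The values you enter above drive a standard OAuth 2.0 authorization code flow between the mail client and your tenant's sign-in page. The Python script below is an added example, not Sophos's code and not part of this procedure: it shows what each configured value is used for, assembling the authorization request from the endpoint, client ID, redirect URI and delegated permissions, checking the redirect the app receives (exact redirect URI, state value, error response) and assembling the token request, with PKCE as a public native app should use. The tenant ID and client ID are placeholders, the endpoint shapes follow the v2 endpoints you copy from the Azure portal, and the scope strings for the two delegated permissions are an assumption about how Exchange Online names them.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholders for the values copied from the Azure portal (steps 7 and 8 above).
TENANT_ID = "<your-tenant-id>"
AUTHORIZATION_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
CLIENT_ID = "<application-client-id>"
# Must match the registered redirect URI character for character.
REDIRECT_URI = "sophos://sse/auth"
# Assumed scope strings for the two delegated permissions selected in step 11;
# the resource prefix is the Exchange Online API identifier.
SCOPES = [
    "https://outlook.office.com/EAS.AccessAsUser.All",
    "https://outlook.office.com/EWS.AccessAsUser.All",
    "offline_access",  # needed for a refresh token so the user is not re-prompted
]


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_url(state, code_challenge):
    """Build the URL the app opens in the Office 365 sign-in page."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,  # random per-request value, checked on the way back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(callback_url, expected_state):
    """Validate the redirect the app receives and extract the authorization code.

    Raises ValueError if the target is not the registered redirect URI, the
    identity provider reported an error, or the state does not match.
    """
    parsed = urllib.parse.urlsplit(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base != REDIRECT_URI:
        raise ValueError(f"unexpected redirect target: {base}")
    query = urllib.parse.parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code, code_verifier):
    """Form body to POST to TOKEN_ENDPOINT to exchange the code for tokens."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in the authorization request
        "code_verifier": code_verifier,
        "scope": " ".join(SCOPES),
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(state, challenge))
    # Constructed sample of the callback the app would receive after sign-in.
    sample_callback = f"sophos://sse/auth?code=0.AXYA-sample-code&state={state}"
    code = parse_redirect(sample_callback, state)
    print(build_token_request(code, verifier))
```

The redirect URI check is the reason step 5 and the Redirect URI setting must be identical: the sign-in page only returns the code to the registered URI, and the client only accepts callbacks on that URI, so a mismatch on either side shows up as a failed sign-in rather than a silent fallback.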