Create an Azure AD tenant and register ZTNA

To use Microsoft Azure to manage your users, you need to create an Azure Active Directory (Azure AD) tenant and register the ZTNA application.

You must already have an Azure AD account with an active subscription.

Note: We recommend that you check Microsoft's Azure Active Directory documentation for the latest help.
  1. Sign in to your Azure portal.
  2. Select Azure Active Directory.

    Screenshot of Azure portal
  3. In the Azure AD Overview, click Create a tenant.

    Screenshot of the Azure AD Overview
  4. On the Basics tab, select Azure Active Directory. Then click Next: Configuration.

    Screenshot of the tenant Basics tab in Azure AD
  5. On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.

    Screenshot of the tenant Configuration tab in Azure AD
  6. On the next page, review your settings and click Create.

    Screenshot of final step to create tenant in Azure AD
  7. Select Manage > App registrations and click New registration.

    Screenshot of App Registrations page in Azure AD
  8. On the Register an application page, do as follows:
    1. Enter a name.
    2. Accept the default supported account type.
    3. Set a Redirect URI.

      This is the address that authentication responses are sent to. It must include the ZTNA gateway's fully qualified domain name (FQDN). Here's an example URI: gw.mycompany.net/oauth2/callback

    4. Click Register.

    Screenshot of Register an application page in Azure AD
  9. Select Manage > API permissions. Then click Add a permission.

    Screenshot of API permissions page in Azure AD
  10. In Request API Permissions, give Sophos Central the permissions needed to read user groups. The permissions are as follows:
    • Directory.Read.All (Delegated)
    • Directory.Read.All (Application)
    • Group.Read.All (Delegated)
    • User.Read (Delegated)
    • User.Read.All (Delegated)

    Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.
    Screenshot of Request API Permissions page
  11. On the API Permissions page, you can see the permissions you've added. Click Grant Admin Consent to grant the consent these permissions require.

    Screenshot of completed API permissions
  12. On the app's Overview page, make a note of the following details. You'll need them later.
    • Client ID
    • Tenant ID

    Screenshot of app details in Azure AD
  13. Click Certificates and secrets. Create a Client secret, make a note of it, and store it securely.
    Warning: The client secret isn't shown again. You can't recover it later.

    Screenshot of new client secret in Azure AD
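
Before you enter these values in Sophos Central, you can sanity-check what you noted in steps 8, 12 and 13, and confirm that the token Azure AD issues after admin consent carries the permissions listed in step 10. This is an added Python example, not part of the Sophos documentation; the GUIDs, secret and token it works on are constructed, and the `scp` and `roles` claim names are the ones Microsoft Graph access tokens carry for delegated and application permissions.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Permissions listed on this page for the ZTNA app registration.
REQUIRED_DELEGATED = {"Directory.Read.All", "Group.Read.All", "User.Read", "User.Read.All"}
REQUIRED_APPLICATION = {"Directory.Read.All"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_registration(tenant_id, client_id, client_secret, redirect_uri, gateway_fqdn):
    """Return the problems found in the values noted from the app registration ([] means OK)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("Tenant ID is not a GUID")
    if not GUID_RE.match(client_id):
        problems.append("Client ID is not a GUID")
    if not client_secret or client_secret != client_secret.strip():
        problems.append("Client secret is empty or has stray whitespace")
    # The page's example omits the scheme; Azure AD stores redirect URIs with https, so assume it.
    parts = urlsplit(redirect_uri if "://" in redirect_uri else "https://" + redirect_uri)
    if parts.scheme != "https":
        problems.append("Redirect URI must use https")
    if parts.hostname != gateway_fqdn.lower():
        problems.append("Redirect URI host must be the ZTNA gateway FQDN")
    if parts.path != "/oauth2/callback":
        problems.append("Redirect URI path should be /oauth2/callback")
    return problems


def missing_permissions(access_token):
    """Decode a Graph access token's payload (no signature check; this only inspects what was
    consented) and return the required permissions it lacks. Delegated permissions arrive in
    the 'scp' claim, application permissions in 'roles'."""
    payload = access_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if "roles" in claims:  # client-credentials token: application permissions
        return sorted(REQUIRED_APPLICATION - set(claims["roles"]))
    return sorted(REQUIRED_DELEGATED - set(claims.get("scp", "").split()))


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT for offline testing (real tokens are signed by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```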

Next, you create an Azure AD user group.