Skip to content

Set up directory service

You need a directory service to manage your user groups.

You can configure either Microsoft Entra ID (Azure AD) or Microsoft Active Directory (on-prem) as both your directory service and your identity provider.

When you configure Microsoft Active Directory (on-prem) as your identity provider, you can configure extra security settings. For information about how to sync Microsoft Active Directory (on-prem) user groups to Sophos Central, see Set up synchronization with Active Directory.

In the following instructions, we show you how to set up Microsoft Entra ID (Azure AD).

To use Microsoft Entra ID (Azure AD) to manage your users, you need to create an Microsoft Entra ID (Azure AD) tenant, register the ZTNA application, and set up user groups.

You must already have an Microsoft Entra ID (Azure AD) account.


We recommend that you check Microsoft's latest documentation. See Microsoft Entra ID documentation.

Create an Microsoft Entra ID (Azure AD) tenant

  1. Sign in to your Azure portal.
  2. Select Microsoft Entra ID.

    Azure portal.

  3. In the Microsoft Entra ID (Azure AD) Overview, click Manage tenants.

    Microsoft Entra ID (Azure AD) Overview.

  4. On the Manage tenants page, click Create.

    Click Create on the Manage tenants page.

  5. On the Basics tab, select Azure Active Directory. Then click Next: Configuration.

    Tenant Basics tab in Microsoft Entra ID (Azure AD).

  6. On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.

    Tenant Configuration tab in Microsoft Entra ID (Azure AD).

  7. On the next page, review your settings and click Create.

    Final screen to create tenant in Microsoft Entra ID (Azure AD).

Register the ZTNA app

  1. Select Manage > App registrations and click New registration.

    App Registrations page in Microsoft Entra ID (Azure AD).

  2. On the Register an application page, do as follows:

    1. Enter a name.
    2. Accept the default supported account type.
    3. Set a Redirect URI. This is the address that authentication responses are sent to. It must include the ZTNA gateway domain name (FQDN). Here's an example URI:


      If you set up a gateway on Sophos Firewall, you must add a new redirect URI in the following format: https://<gateway’s external FQDN>/ztna-oauth2/callback.

      You can add multiple gateway FQDNs. You can also add more FQDNs at any time.

    4. Click Register.

      Register an application page in Microsoft Entra ID (Azure AD).

  3. Select Manage > API permissions. Then click Add a permission.

    API permissions page in Microsoft Entra ID (Azure AD).

  4. In Request API Permissions, give Sophos Central the permissions needed to read user groups. You need to add Microsoft Graph API permissions, as follows.

    Select Delegated permissions and add these:

    • Directory.Read.All
    • Group.Read.All
    • openID
    • profile (profile is in the openID set of permissions)
    • User.Read
    • User.Read.All

    Select Application permissions and add this:

    • Directory.Read.All

    Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.

    Request API Permissions page.

  5. On the API Permissions page, you can now see the permissions you've added. Click Grant Admin Consent to give the consent that permissions need.

    Completed API permissions.

  6. On the app's Overview page, make a note of the following details. You'll need them later.

    • Client ID
    • Tenant ID

    App details in Microsoft Entra ID (Azure AD).

  7. Click Certificates and secrets. Create a Client secret, make a note of the Value of the client secret, and store it securely.


    The client secret isn't shown again. You can't recover it later.

    New client secret in Microsoft Entra ID (Azure AD).

Create an Microsoft Entra ID (Azure AD) user group


This section assumes you create a new user group. If you import user groups from the Microsoft O365 portal, you must ensure they're security enabled. Groups created in Microsoft Entra ID (Azure AD) are automatically security enabled.

To create a user group in Microsoft Entra ID (Azure AD), do as follows.

  1. Sign in to the Azure portal using a Global administrator account for the directory.
  2. Select Microsoft Entra ID.
  3. On the Active Directory page, select Groups. Click New Group.

    Groups page in Microsoft Entra ID (Azure AD).

  4. In the New Group dialog, fill out the following fields:

    1. Select a Group type.
    2. Enter a Group name.
    3. Enter a Group email address or accept the default address shown.
    4. Select the Membership type. Use Assigned, which lets you choose specific users and give them unique permissions.
    5. Click Create.

      The group is created.

  5. To check the created user group is security enabled, do as follows:

    1. Go to Manage view > Edit columns.
    2. Under Columns, select Security enabled, then click Save.

      Select security enabled column.

    3. Under the Security enabled column, the status should show as Yes.

  6. On the new group's page, click Members. Then do as follows:

    1. Click Add members.
    2. Search for the users you want and click them.
    3. When you finish, click Select.

    Members tab in Microsoft Entra ID (Azure AD).

    Next, you go to Sophos Central to synchronize user groups with Microsoft Entra ID (Azure AD).