Set up directory service
You need a directory service to manage your user groups.
You can use Microsoft Azure AD or Active Directory. To help you decide which to use, consider the following:
If you use Azure AD, you can also use it as your identity provider.
If you use Active Directory, you'll need a separate identity provider, such as Okta.
In our instructions, we show you how to set up Microsoft Azure AD.
To use Azure AD to manage your users, you need to create an Azure AD tenant, register the ZTNA application, and set up user groups.
You must already have an Azure AD account.
We recommend that you check Microsoft's Azure AD documentation for the latest help.
Create an Azure AD tenant
- Sign in to your Azure portal.
- Select Azure Active Directory.
- In the Azure AD Overview, click Create a tenant.
- On the Basics tab, select Azure Active Directory. Then click Next: Configuration.
- On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.
- On the next page, review your settings and click Create.
Register the ZTNA app
- Select Manage > App registrations and click New registration.
- On the Register an application page, do as follows:
  - Enter a name.
  - Accept the default supported account type.
  - Set a Redirect URI. This is the address that authentication responses are sent to. It must include the ZTNA gateway domain name (FQDN). Here's an example URI: gw.mycompany.net/oauth2/callback
- Select Manage > API permissions. Then click Add a permission.
- In Request API Permissions, give Sophos Central the permissions needed to read user groups. The permissions are as follows:
  - Directory.Read.All (Delegated)
  - Directory.Read.All (Application)
  - Group.Read.All (Delegated)
  - openid (Delegated)
  - profile (Delegated)
  - User.Read (Delegated)
  - User.Read.All (Delegated)
  Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.
- On the API Permissions page, you can see the permissions you've added. Click Grant Admin Consent to grant the admin consent these permissions require.
- On the app's Overview page, make a note of the following details. You'll need them later.
  - Client ID
  - Tenant ID
- Click Certificates and secrets. Create a Client secret, make a note of it, and store it securely.
  The client secret isn't shown again. You can't recover it later.
Create an Azure AD user group
This section assumes you create a new user group. If you use an existing group, ensure it's security enabled in Azure AD (the Group type should be shown as Security). Groups created from the Azure portal are security enabled, but groups created from the Office 365 portal aren't.
To create a user group in Azure AD, do as follows.
- Sign in to the Azure portal using a Global administrator account for the directory.
- Select Azure Active Directory.
- On the Active Directory page, select Groups. Click New Group.
- In the New Group dialog, fill out the fields.
  - Select a Group type. In this example, Microsoft 365.
  - Enter a Group name.
  - Enter a Group email address or accept the default address shown.
  - Select the Membership type. Use Assigned, which lets you choose specific users and give them unique permissions.
  The group is created.
- On the new group's page, click Members. Then do as follows:
  - Click Add members.
  - Search for the users you want and click them.
  - When you finish, click Select.
Next, you go to Sophos Central to synchronize user groups with Azure AD.
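As an added preflight check (example code, not Sophos' or Microsoft's), the following Python script encodes the requirements from the app registration and user group steps above: the permission list, a Redirect URI that points at the gateway FQDN, and groups that are security enabled. Group objects are assumed to be in the shape Microsoft Graph returns (the securityEnabled and displayName fields); the sample groups are constructed.

```python
from urllib.parse import urlparse

# Permissions the page lists for the ZTNA app registration, as (name, type).
REQUIRED_PERMISSIONS = {
    ("Directory.Read.All", "Delegated"), ("Directory.Read.All", "Application"),
    ("Group.Read.All", "Delegated"), ("openid", "Delegated"),
    ("profile", "Delegated"), ("User.Read", "Delegated"),
    ("User.Read.All", "Delegated"),
}

def check_permissions(granted):
    """Return (missing, extra) vs the required set; 'extra' is anything
    beyond what group sync needs and should be removed (least privilege)."""
    granted = set(granted)
    return REQUIRED_PERMISSIONS - granted, granted - REQUIRED_PERMISSIONS

def check_redirect_uri(uri, gateway_fqdn):
    """Redirect URI must point at the ZTNA gateway FQDN; Azure AD also
    requires https for non-localhost redirect URIs, so a bare host/path fails."""
    parsed = urlparse(uri)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"{uri}: redirect URI must use https")
    if parsed.hostname != gateway_fqdn.lower():
        problems.append(f"{uri}: host does not match gateway FQDN {gateway_fqdn}")
    return problems

def check_group(group):
    """Flag a Graph group object whose Group type is not Security
    (securityEnabled false), e.g. one created from the Office 365 portal."""
    if group.get("securityEnabled", False):
        return []
    return [f"group {group.get('displayName')!r} is not security enabled"]

def preflight(granted, redirect_uri, gateway_fqdn, groups):
    """Run all checks; an empty list means the tenant is ready for sync."""
    missing, extra = check_permissions(granted)
    findings = [f"missing permission {n} ({t})" for n, t in sorted(missing)]
    findings += [f"unneeded permission {n} ({t})" for n, t in sorted(extra)]
    findings += check_redirect_uri(redirect_uri, gateway_fqdn)
    for g in groups:
        findings += check_group(g)
    return findings

# Constructed sample input, not data from a real tenant.
SAMPLE_GROUPS = [
    {"displayName": "ZTNA Users", "securityEnabled": True},
    {"displayName": "Marketing", "securityEnabled": False},
]
```

Run preflight() with the permissions granted on the registration, the configured Redirect URI, the gateway FQDN and the groups you intend to sync; any finding should be fixed in Azure AD before moving on to Sophos Central.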