Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=directory-service-Azure-AD-setup

Set up an Azure Application

To synchronize with Microsoft Entra ID, you need some Microsoft Azure information.

To get this information, you must set up an Azure Application. If you already have one, you can skip this section.

Note

We recommend that you check Add an enterprise application and Prerequisites to access the Azure Active Directory reporting API for the latest help. You may also find Microsoft's Quickstart Guide for registering applications useful, see Quickstart: Register an application with the Microsoft identity platform. You should use the instructions given by Microsoft if they differ from ours.

You can only use this Azure Application with Sophos Central, you can't use it with other Sophos products.

You must set up application permissions in your Azure portal to use all of the Microsoft Entra ID synchronization options in Sophos Central. You must set up the following permissions:

  • Microsoft Graph Directory.Read.All

To set up an Azure Application, do as follows:

  1. Create an Azure application.
  2. Create a client secret.
  3. Set up application permissions.
  4. Find your tenant domain information.

Warning

You must follow these instructions exactly.

Create an Azure Application

To create an application, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.
  3. On the Microsoft Entra ID page, click Enterprise applications.

  4. Click New application on the top menu.

    Add a new Azure Application.

  5. Click Create your own application.

    This opens Create your own application.

  6. Enter a name for your application, for example, Sophos Microsoft Entra ID Sync.

  7. Select Register an application to integrate with Microsoft Entra ID (App you're developing).

    New Azure Application example.

  8. Click Create.

    This opens Register an application.

  9. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

    Single tenant app type selected.

  10. Under Redirect URI (optional), select Web and enter https://central.sophos.com .

    Redirect URL.

  11. Click Register.

You now need to create a client secret.

Create a client secret

To create a client secret, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.

  3. Click App registrations.

    Microsoft Entra ID and App registrations.

  4. Select your newly added application. In this example, it's Sophos Microsoft Entra ID Sync.

  5. Make a note of the Application (client) ID.

    You'll need to enter this as the Client ID when you're configuring Microsoft Entra ID Sync in Sophos Central.

    Client Secret for Microsoft Entra ID application.

  6. Click Certificates & secrets, and then click New client secret.

    Certificates and Secrets.

  7. Create a client secret.

  8. Make a note of the information in the Value field and the Expires field.

    The Value field contains your Client secret and the Expires field contains your client secret expiration.

    When configuring the Microsoft Entra ID sync in Sophos Central, use the Value and Expires field values for the client secret and client secret expiration fields, respectively. See Set up synchronization with Microsoft Entra ID.

    Client secret setup.

    Note

    The client secret isn't shown again. You can't recover it later.

You now need to set up your application permissions.

Set up application permissions

Warning

You must follow the instructions in this section exactly.

To set up permissions, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.

  3. Click App registrations.

    Microsoft Entra ID and App registrations.

  4. Select your newly added application. In this example, it's Sophos Microsoft Entra ID Sync.

  5. Click API permissions on the left-hand side and click Add a permission.

    Add a permission option highlighted.

  6. You need to add the Microsoft Graph permission. To do this, do as follows:

    1. Under Request API Permissions, click Microsoft Graph.

    2. Under What type of permissions does your application require?, click Application permissions.

      Microsoft graph Application permissions.

    3. Select Directory from the list.

    4. Under Directory, click Directory.Read.All.

      Microsoft graph Read directory permissions.

  7. Under Grant consent, click Grant admin consent for <account> and then click Yes.

    Grant consent option.

    You should see a message saying that you've granted consent.

You now need to find your tenant domain information and check that you have all the required information for setting up Microsoft Entra ID synchronization in Sophos Central.

Find your tenant domain information

You must make a note of your tenant domain information and check that you have all the Azure information you need. To do this, do as follows:

  1. Go to your Microsoft Entra ID configuration and open Custom domain names. Make a note of your tenant domain.

    This is the primary domain assigned to your Microsoft Entra ID instance. You must enter this in Domain in Sophos Central.

  2. Check you have a note of the following information:

    • Application ID. You need to enter this in Client ID in Sophos Central.
    • The value for your client secret. You need to enter this in Client Secret in Sophos Central.
    • Client secret expiration. You need to enter this in Client secret expiration in Sophos Central.

You're now ready to configure your Microsoft Entra ID settings. You can find help on how to do this in Set up synchronization with Microsoft Entra ID.