
Use Microsoft Entra ID as an identity provider

You can use your Microsoft Entra ID instance to verify the identities of your administrators and users when they sign in to Sophos Central products. You need to add Microsoft Entra ID as an identity provider to do this.

If you want to use Microsoft Entra ID as an identity provider, find your Tenant ID for your Microsoft Entra ID instance. We need this to verify your users and administrators.

Requirements

You must verify a domain first. See Verify a federated domain.

You must be a Super Admin.

Warning

If you want to use federated sign-in as your sign-in option, you must ensure that all your administrators and users are assigned to a domain and have an identity provider.

You must do the following before you can add Microsoft Entra ID as an identity provider:

  • Ensure you have a Microsoft Entra ID account with Microsoft. Microsoft Entra ID is Microsoft’s cloud-based identity and access management service.
  • Get consent and authorization from your Microsoft Entra ID admin to use your organization's Microsoft Entra ID with Sophos Central.
  • Ensure you have a Sophos Central account that matches your Microsoft Entra ID account (the emails must match).

Set up Microsoft Entra ID in the Azure portal

To set up Microsoft Entra ID in the Azure portal, you must do as follows:

  1. Create an Azure application.
  2. Set up authentication for the application.
  3. Set up token configuration.
  4. Assign application permissions.

Create an Azure application

To create an Azure application, do as follows:

  1. Sign in to your Azure portal.
  2. Search for App registrations.
  3. In the left pane, click App registrations.

    The App registrations path.

  4. In the right pane, click New registration.

    The New registration option.

  5. Enter a name for the application.

  6. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).

    Supported account types.

  7. Under Redirect URI (optional), select Single-page application (SPA) and enter https://federation.sophos.com/login/callback.

    Redirect URI option.

  8. Click Register.

Set up authentication for the application

To set up authentication for the application, do as follows:

  1. In the application you created, click Authentication.
  2. Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows).
  3. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
  4. Click Save.

    Implicit grant and hybrid flows.

Set up token configuration

To set up token configuration, do as follows:

  1. In the application you created, click Token configuration.
  2. Under Optional claims, click Add optional claim.
  3. Under Token type, select ID and then select email.

    Token type options.

  4. Click Add.

  5. In the pop-up message, click Turn on the Microsoft Graph email permission.

    Email permission.

  6. Click Add.

Assign application permissions

To assign application permissions, do as follows:

  1. In the application you created, click API permissions.
  2. Under Configured permissions, click Grant admin consent for <account>.

    Application permissions.

  3. Click Yes.

A Microsoft Entra ID administrator must grant consent (permission) to use the credentials stored in your organization's Microsoft Entra ID tenant to sign in to Sophos Central.

This consent applies to all Sophos Central products.

When a Microsoft Entra ID administrator gives consent, it means your Microsoft Entra ID tenant trusts Sophos Central, and you can add Microsoft Entra ID as your identity provider.

For help with granting consent in Microsoft Entra ID, see Understanding Microsoft Entra ID application consent experiences.
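The portal steps above map onto a handful of fields on the Microsoft Graph application resource, which is also what you get back from GET /v1.0/applications/{id} or `az ad app show`. The following added example (not Sophos or Microsoft code) builds that request body for the configuration this page asks for and audits an existing registration against it, so that later drift (someone switching the app to multi-tenant, adding a second redirect URI, or turning on access-token issuance) is caught. The Microsoft Graph application ID and the ID of its delegated `email` scope are the well-known Graph values; the display name, the sample drift, and the `create_app_registration` helper are assumptions for illustration. Admin consent (the Grant admin consent step) is still done in the portal and is not covered here.

```python
"""Build and audit a Microsoft Entra ID app registration for Sophos Central SSO.

Added example, not Sophos or Microsoft code. Uses the Microsoft Graph
'application' resource shape (GET /v1.0/applications/{id}, `az ad app show`).
"""
import json
import urllib.request

SOPHOS_REDIRECT_URI = "https://federation.sophos.com/login/callback"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"          # Microsoft Graph
GRAPH_EMAIL_SCOPE_ID = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"  # Graph delegated 'email' scope


def build_app_registration(display_name: str) -> dict:
    """Return the Graph request body matching the portal steps on this page."""
    return {
        "displayName": display_name,
        # Accounts in this organizational directory only (single tenant)
        "signInAudience": "AzureADMyOrg",
        # Redirect URI registered on the Single-page application (SPA) platform
        "spa": {"redirectUris": [SOPHOS_REDIRECT_URI]},
        # Implicit grant and hybrid flows: ID tokens only, never access tokens
        "web": {"implicitGrantSettings": {"enableIdTokenIssuance": True,
                                          "enableAccessTokenIssuance": False}},
        # Token configuration: optional 'email' claim in the ID token
        "optionalClaims": {"idToken": [{"name": "email", "essential": False,
                                        "additionalProperties": []}]},
        # API permissions: the Microsoft Graph 'email' delegated permission
        "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
                                    "resourceAccess": [{"id": GRAPH_EMAIL_SCOPE_ID,
                                                        "type": "Scope"}]}],
    }


def check_app_registration(app: dict) -> list:
    """Return findings; an empty list means the registration matches this page."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (expected AzureADMyOrg)")
    spa_uris = app.get("spa", {}).get("redirectUris", [])
    if spa_uris != [SOPHOS_REDIRECT_URI]:
        findings.append(f"SPA redirect URIs must be exactly [{SOPHOS_REDIRECT_URI}], got {spa_uris}")
    # Redirect URIs on other platforms widen where tokens may be sent.
    for platform in ("web", "publicClient"):
        extra = app.get(platform, {}).get("redirectUris", [])
        if extra:
            findings.append(f"unexpected {platform} redirect URIs: {extra}")
    grant = app.get("web", {}).get("implicitGrantSettings", {})
    if not grant.get("enableIdTokenIssuance"):
        findings.append("ID token issuance for implicit/hybrid flows is off")
    if grant.get("enableAccessTokenIssuance"):
        findings.append("access token issuance is on; this page only needs ID tokens")
    id_claims = {c.get("name") for c in app.get("optionalClaims", {}).get("idToken", [])}
    if "email" not in id_claims:
        findings.append("optional 'email' claim is missing from the ID token")
    requested = {(r.get("resourceAppId"), a.get("id"), a.get("type"))
                 for r in app.get("requiredResourceAccess", [])
                 for a in r.get("resourceAccess", [])}
    if (GRAPH_APP_ID, GRAPH_EMAIL_SCOPE_ID, "Scope") not in requested:
        findings.append("Microsoft Graph 'email' delegated permission is not requested")
    return findings


def create_app_registration(access_token: str, display_name: str) -> dict:
    """POST the registration to Graph (token needs Application.ReadWrite.All). Assumed helper."""
    body = json.dumps(build_app_registration(display_name)).encode()
    req = urllib.request.Request("https://graph.microsoft.com/v1.0/applications", data=body,
                                 method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    app = build_app_registration("Sophos Central SSO")  # assumed name
    print("findings for a correct registration:", check_app_registration(app))
    # Constructed drift: app switched to multi-tenant and given a web redirect URI.
    drifted = json.loads(json.dumps(app))
    drifted["signInAudience"] = "AzureADMultipleOrgs"
    drifted["web"]["redirectUris"] = ["https://example.com/callback"]
    for finding in check_app_registration(drifted):
        print("finding:", finding)
```

Run `check_app_registration` over the JSON of your real registration after the portal steps, and again whenever the app is changed; every finding corresponds to one of the numbered steps above.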

Find your Tenant ID

You need to know the Tenant ID before you can add Microsoft Entra ID as an identity provider.

To find your Tenant ID, do as follows:

  1. From the Microsoft Azure portal menu, select Microsoft Entra ID. The Overview page appears.
  2. In the Basic information section, find your Tenant ID. This is the ID for your tenant domain.

    You'll need to enter it when you set up Microsoft Entra ID as an identity provider.

To add Microsoft Entra ID as an identity provider, see the following topics:

Set up Microsoft Entra ID as an identity provider in Sophos Central

You can use Microsoft Entra ID as an identity provider.

To do this, do as follows:

  1. In Sophos Central, go to Global Settings > Federated identity providers.

    Federated identity providers path.

  2. Click Add identity provider.

  3. Enter a Name and Description.
  4. Click Type and choose OpenID Connect.
  5. Click Vendor and choose Microsoft Entra ID.
  6. Skip Step A: Setup OpenID Connect because you've already set up Microsoft Entra ID in the Azure portal.
  7. For Step B: Configure OpenID Connect settings, do as follows:

    a. For Client ID, enter the client ID of the application you created in Azure.

      To find this, do as follows:

      1. In the Azure portal, go to App registrations.
      2. Select the application you created.
      3. Copy the ID in Application (client) ID and paste it in Client ID in Sophos Central.
    b. For Issuer, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/v2.0

      Replace <tenantId> with the Directory (tenant) ID of your Microsoft Entra tenant. This is the same value as the Tenant ID shown on the Microsoft Entra ID Overview page.

      To find this, do as follows:

      1. In the Azure portal, go to App registrations.
      2. Select the application you created.
      3. Copy the ID in Directory (tenant) ID and replace <tenantId> with it in the URL.
    c. For Authz endpoint, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/authorize

      Replace <tenantId> with the tenant ID you copied in step b.

    d. For JWKS URL, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/discovery/v2.0/keys

      Replace <tenantId> with the tenant ID you copied in step b.

    Step B: Configure OpenID Connect settings.

  8. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  9. Select whether you want to turn on IdP-enforced MFA. Select one of the following:

    • IdP enforced MFA
    • No IdP enforced MFA
  10. Click Save.

You can now add Microsoft Entra ID as an identity provider. See Add the identity provider (Entra ID/Open IDC/ADFS).
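The four Step B values are not arbitrary: the Issuer and Client ID are what the ID token's `iss` and `aud` claims are compared against, the JWKS URL is where the key named by the token header's `kid` is fetched from, and the `email` optional claim is what lets the token be matched to a Sophos Central account. The following added example (not Sophos or Microsoft code) derives all three URLs from a tenant ID and runs those claim checks over an ID token. The tenant ID, client ID, key ID, JWKS document and token are constructed sample values; the token is unsigned so that it runs offline, and the RS256 signature check a real relying party must perform against the JWKS key is deliberately left out. The constructed token carries a `preferred_username` (the UPN) that differs from `email`, the situation the UPN section below describes.

```python
"""Derive the Step B settings from a tenant ID and check an Entra ID token's claims.

Added example, not Sophos or Microsoft code. Claim checks only; the RS256
signature verification against the JWKS key is out of scope here.
"""
import base64
import json
import re
import time

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def oidc_settings(tenant_id: str) -> dict:
    """Return the Step B URLs for a tenant, refusing anything that is not a GUID."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authz_endpoint": f"{base}/oauth2/v2.0/authorize",
        "jwks_url": f"{base}/discovery/v2.0/keys",
        # The discovery document publishes the same values; useful to cross-check.
        "discovery_url": f"{base}/v2.0/.well-known/openid-configuration",
    }


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple:
    """Split a compact JWT into (header, payload) without verifying it."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64)))


def check_id_token(token: str, tenant_id: str, client_id: str, jwks: dict, now=None) -> list:
    """Return findings for the claims the Step B settings imply; empty means OK."""
    now = time.time() if now is None else now
    settings = oidc_settings(tenant_id)
    header, claims = decode_jwt(token)
    findings = []
    if header.get("alg") != "RS256":
        findings.append(f"unexpected alg {header.get('alg')!r}; Entra ID signs with RS256")
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:          # key must come from the JWKS URL
        findings.append(f"kid {header.get('kid')!r} not found at {settings['jwks_url']}")
    if claims.get("iss") != settings["issuer"]:  # Issuer field
        findings.append(f"iss {claims.get('iss')!r} != {settings['issuer']!r}")
    if claims.get("aud") != client_id:           # Client ID field
        findings.append(f"aud {claims.get('aud')!r} != client ID {client_id!r}")
    if claims.get("tid") != tenant_id:           # single-tenant app: tid must match
        findings.append(f"tid {claims.get('tid')!r} != {tenant_id!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token has expired")
    if not claims.get("email"):                  # the optional claim added in Token configuration
        findings.append("no 'email' claim: add the optional claim and grant the Graph email permission")
    return findings


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned JWT for exercising the claim checks only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed sample values (not real tenant, application or key identifiers).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "sample-key-1", "use": "sig"}]}


def sample_token(email: str = "alice@example.com", expired: bool = False) -> str:
    """Constructed ID token whose UPN (preferred_username) differs from its email."""
    exp = int(time.time()) + (-60 if expired else 3600)
    claims = {"iss": oidc_settings(SAMPLE_TENANT)["issuer"], "aud": SAMPLE_CLIENT,
              "tid": SAMPLE_TENANT, "exp": exp,
              "preferred_username": "alice@corp.example", "email": email}
    return make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "sample-key-1"}, claims)


if __name__ == "__main__":
    print(json.dumps(oidc_settings(SAMPLE_TENANT), indent=2))
    print("good token:", check_id_token(sample_token(), SAMPLE_TENANT, SAMPLE_CLIENT, SAMPLE_JWKS))
    print("no email claim:", check_id_token(sample_token(email=""), SAMPLE_TENANT, SAMPLE_CLIENT, SAMPLE_JWKS))
```

The `tid` check matters because the app is registered as single tenant: a token from another tenant would carry a different issuer and `tid`, and the tenant-specific issuer URL is what rejects it. If you ever see the "no 'email' claim" finding against a real token, the Token configuration and API permissions steps above are the ones to revisit.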

Configure Microsoft Entra ID to allow users to sign in using UPN

You can configure Microsoft Entra ID to allow users to sign in using their User Principal Name (UPN) if it's different from their email address.

To sign in using your UPN, do as follows:

  1. Users and administrators sign in with their associated email address in Sophos Central.

    Sophos Sign in screen.

  2. The screen they see next depends on the selection in Sophos sign-in settings.

    • If you selected Sophos Central Admin or Federated credentials in My Products > General Settings > Sophos sign-in settings, users and administrators can sign in with either option.

      SSO or Sophos Admin email and password sign-in.

      To sign in using UPN, they must do as follows:

      1. Click Sign in with SSO.

        They're shown the Microsoft Azure sign-in page.

      2. Enter the UPN and password.

    • If you've chosen Federated credentials only in My Products > General Settings > Sophos sign-in settings, they're shown the Microsoft Azure sign-in page where they can enter the UPN and password.