Configure Microsoft Entra ID to allow users to sign in using UPN

This page provides an alternative method for configuring Azure IDP. You must follow the instructions on this page if you require your end users to authenticate with a User Principal Name (UPN) that's different from their primary email address.

If your users' email addresses are the same as their UPNs, see Add the identity provider (Entra ID/OpenID Connect/ADFS).

The key steps are as follows:

  1. Set up Microsoft Entra ID in the Azure portal.
  2. Add Microsoft Entra ID as an identity provider in Sophos Central.

Set up Microsoft Entra ID in the Azure portal

To set up Microsoft Entra ID in the Azure portal, the key steps are as follows:

  1. Create an Azure application.
  2. Set up authentication for the application.
  3. Set up token configuration.
  4. Assign application permissions.

See the following sections for more details.

Create an Azure application

To create an Azure application, do as follows:

  1. Sign in to your Azure portal.
  2. In the Manage menu, click App registrations.

    The App registrations path.

  3. On the App registrations page, click New registration.

    The New registration option.

  4. Enter a name for the application.

  5. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).

    Supported account types.

  6. Under Redirect URI (optional), select Single-page application (SPA) and enter the following URL: https://federation.sophos.com/login/callback.

    Redirect URI option.

  7. Click Register.

Set up authentication for the application

To set up authentication for the application, do as follows:

  1. In the application you created, click Authentication.
  2. Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows).
  3. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
  4. Click Save.

    Implicit grant and hybrid flows.

Set up token configuration

To set up token configuration, do as follows:

  1. In the application you created, click Token configuration.
  2. Under Optional claims, click Add optional claim.
  3. Under Token type, select ID and then select email.

    Token configuration.

  4. Select Add.

  5. In Add optional claim, select Turn on the Microsoft Graph email permission, and click Add.

    Email permission.

Assign application permissions

To assign application permissions, do as follows:

  1. In the application you created, click API permissions.
  2. Under Configured permissions, click Grant admin consent for <account>.

    Application permissions.

  3. Click Yes.

Add Microsoft Entra ID as an identity provider in Sophos Central

You can add Microsoft Entra ID as an identity provider.

To add Microsoft Entra ID as an identity provider, do as follows:

  1. In Sophos Central, go to Global Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a Name and Description.
  4. Click Type and choose OpenID Connect.
  5. Click Vendor and choose Microsoft Entra ID.
  6. If you've already set up Microsoft Entra ID in the Azure portal, skip Step A: Setup OpenID Connect.
  7. For Step B: Configure OpenID Connect settings, do as follows:

    1. For Client ID, enter the client ID of the application you created in Azure, as follows:

      1. In the Azure portal, go to App registrations.
      2. Select the application you created.
      3. Copy the ID in Application (client) ID and paste it in Client ID in Sophos Central.
    2. For Issuer, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/v2.0

      Replace the existing tenant ID with the tenant ID of your Azure instance.

      To find the tenant ID, do as follows:

      1. In the Azure portal, go to App registrations.
      2. Select the application you created.
      3. The value of Directory (tenant) ID is the tenant ID of your Azure instance.
    3. For Authz endpoint, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/authorize

      Replace the existing tenant ID with the tenant ID you copied earlier.

    4. For JWKS URL, enter the following URL:

      https://login.microsoftonline.com/<tenantId>/discovery/v2.0/keys

      Replace the existing tenant ID with the tenant ID you copied earlier.

    Step B: Configure OpenID Connect settings.

  8. Click Select a domain and choose your domain.

    You can add more than one domain, but you can only associate a user with one domain.

  9. Choose whether to enable IDP-enforced MFA by selecting one of the following options:

    • IdP enforced MFA
    • No IdP enforced MFA
  10. Click Save.
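As an added example (not code from Sophos or Microsoft), the following Python derives the three Step B URLs from a Directory (tenant) ID and checks the ID-token claims that the configuration above depends on: the issuer and audience matching the tenant ID and Client ID entered in Step B, and the email optional claim added under Token configuration, which is what lets a user who signs in with a UPN be matched to their Sophos Central email address. The tenant ID, client ID and token claims are constructed placeholders; signature verification against the JWKS URL is the relying party's job and is not repeated here.

```python
# Added example, not Sophos or Microsoft code. All IDs and claims below are constructed placeholders.
import base64
import json
import uuid

LOGIN = "https://login.microsoftonline.com"
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application (client) ID
SAMPLE_CLAIMS = {  # constructed: the UPN typed at sign-in differs from the user's email address
    "iss": f"{LOGIN}/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "preferred_username": "jdoe@corp.example",  # the UPN entered on the Microsoft sign-in page
    "email": "jane.doe@example.com",            # the address the user has in Sophos Central
}

def step_b_settings(tenant_id: str) -> dict:
    """Issuer, Authz endpoint and JWKS URL for a tenant, as entered in Step B."""
    tenant = str(uuid.UUID(tenant_id))  # raises ValueError if the value is not a GUID
    return {
        "issuer": f"{LOGIN}/{tenant}/v2.0",
        "authz_endpoint": f"{LOGIN}/{tenant}/oauth2/v2.0/authorize",
        "jwks_url": f"{LOGIN}/{tenant}/discovery/v2.0/keys",
    }

def constructed_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature segment (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature verification here)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_claims(claims: dict, tenant_id: str, client_id: str) -> list:
    """Return the problems that would stop Sophos Central matching the signed-in user."""
    expected = step_b_settings(tenant_id)
    checks = [
        (claims.get("iss") == expected["issuer"], "iss does not match the v2.0 issuer for this tenant"),
        (claims.get("aud") == client_id, "aud is not the Application (client) ID entered for Client ID"),
        (bool(claims.get("email")), "email claim missing: add the optional ID-token claim under Token configuration"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    print(step_b_settings(TENANT_ID))
    print("problems:", check_claims(decode_payload(constructed_token(SAMPLE_CLAIMS)), TENANT_ID, CLIENT_ID))
```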

How users sign in using UPN

The following procedure shows how your end users sign in after you've completed the configuration above.

  1. Users and administrators sign in with their associated email address in Sophos Central.

    Sophos sign-in screen.

  2. The screen they see might differ depending on your selections in Sophos sign-in settings.

    • If you selected Sophos Central Admin or Federated credentials in My Products > General Settings > Sophos sign-in settings, users and administrators can sign in with either option.

      SSO or Sophos Admin email and password sign-in.

      To sign in using UPN, they must do as follows:

      1. Click Sign in with SSO.

        They see the Microsoft Azure sign-in page.

      2. Enter the UPN and password.

    • If you've chosen Federated credentials only in My Products > General Settings > Sophos sign-in settings, they see the Microsoft Azure sign-in page where they can enter their UPN and password.