
Set up browser enforcement using Entra ID

You can use Entra ID to enforce access to your SaaS applications only through Protected Browser.

Protected Browser sends all sign-in requests to login.microsoftonline.com through the ZTNA data plane region you select, so they reach Entra ID from that region's IP addresses. A conditional access policy in Entra ID then blocks sign-ins to the selected applications from any other address, which means the applications can only be reached from Protected Browser.

This page includes instructions for third-party products. We recommend that you check the vendor's latest documentation.

The key steps are as follows:

  1. Make sure you meet the requirements.
  2. Turn on Entra ID in Protected Browser.
  3. Create a named location in Entra ID.
  4. Create a conditional access policy in Entra ID.

Requirements

  • You must have added Entra ID as a federated identity provider in Sophos Central.
  • You must have added to Entra ID the applications whose access you want to enforce.
  • You must have configured SAML in Entra ID to authenticate users.
  • The Entra ID user who sets up browser enforcement must have an administrator role that can manage named locations and conditional access policies.

Turn Entra ID on in Protected Browser

To turn Entra ID on, do as follows:

  1. In Protected Browser, go to My Products > Protected Browser > Settings.
  2. Turn Entra ID on.
  3. Under Data plane region, select the ZTNA data plane region you want to use for authentication.
  4. Click Copy IPs list to copy the IP addresses of the ZTNA data plane region.

    You need these IP addresses to create a named location in Entra ID.

Create a named location in Entra ID

To create a named location, do as follows:

  1. In Entra ID, go to Enterprise applications > Conditional access.
  2. Select Named locations and click IP ranges location.
  3. Enter a name for the location.
  4. Click the plus icon and paste the IP addresses of the ZTNA data plane region you copied from Protected Browser. Entra ID expects each entry in CIDR notation, so enter a single address with a /32 suffix.
  5. Click Create.

Create a conditional access policy

To create a conditional access policy, do as follows:

  1. In Entra ID, go to Enterprise applications > Conditional access.
  2. Select Policies and click New policy.
  3. Enter a name for the policy.
  4. Go to Users > Include > Select users and groups, click Users and groups, and select the users or groups the policy applies to. These are the users whose access to the applications must go through Protected Browser.
  5. Go to Target resources > Include, click Select resources, and select the applications whose access you want to enforce through Protected Browser.
  6. Go to Network and under Configure, click Yes.

    Configure the following settings:

    1. Under Include, select Any network or location.
    2. Under Exclude, select Selected network and locations, and select the named location you created.
  7. To block all other IP addresses, go to Grant, select Block access and click Select.
  8. Under Enable policy, click On.
  9. Click Create.

This policy blocks every sign-in to the selected applications that doesn't come from the named location, so a mistake in the IP list locks the targeted users out. Consider creating the policy in Report-only mode first, checking the Entra ID sign-in logs for unexpected blocks, and excluding an emergency access account before you switch the policy to On.
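The named location and conditional access policy steps above can also be created with the Microsoft Graph PowerShell SDK, which makes the configuration reviewable and repeatable. The script below is an added example and is not code from the Sophos or Microsoft documentation. The IP addresses, group, application and emergency access account IDs, and the display names are placeholders you must replace; the report-only check at the end is an extra verification step that the procedure above does not describe.

```powershell
# Added example, not Sophos or Microsoft code: creates the ZTNA named location and
# the blocking conditional access policy from this page with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). All IDs and names are placeholders.

# --- Inputs (replace with real values) ---------------------------------------
# Paste the addresses from "Copy IPs list" here. Constructed sample values:
$ZtnaIps = @('203.0.113.10', '203.0.113.11', '198.51.100.0/28')

# Group allowed to use the apps, application (client) IDs of the enterprise
# applications to enforce, and an emergency access account that must never be
# blocked by this policy.
$AllowedGroupId   = '00000000-0000-0000-0000-000000000001'
$AppIds           = @('11111111-1111-1111-1111-111111111111')
$BreakGlassUserId = '22222222-2222-2222-2222-222222222222'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# --- 1. Named location --------------------------------------------------------
# Entra ID only accepts CIDR notation, so a bare address becomes a /32 host range.
$ipRanges = foreach ($ip in $ZtnaIps) {
    $cidr = if ($ip -match '/') { $ip } else { "$ip/32" }
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $cidr }
}

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Sophos ZTNA data plane'
    isTrusted     = $false
    ipRanges      = @($ipRanges)
}

# --- 2. Conditional access policy ---------------------------------------------
# Include every network, exclude the ZTNA location, block everything else: only
# sign-ins arriving through Protected Browser reach the selected applications.
# The policy starts in report-only mode; switch it to 'enabled' after the check below.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Protected Browser only - SaaS apps'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($AllowedGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications = @{ includeApplications = @($AppIds) }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# --- 3. Check before enforcing ------------------------------------------------
# Report-only evaluation shows up in the sign-in logs. A 'reportOnlyFailure'
# result for this policy means the sign-in would have been blocked.
$recent = Get-MgAuditLogSignIn -Top 200
$wouldBlock = $recent | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq 'reportOnlyFailure' }
}
$wouldBlock | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress |
    Format-Table -AutoSize

# When only sign-ins from outside Protected Browser appear above, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = 'enabled' }
```

If any sign-in from a user working in Protected Browser appears in the report-only output, the named location does not match the data plane region selected in Sophos Central; compare the IPs in the location with a fresh Copy IPs list before enabling the policy.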