
Migrate to Microsoft Entra ID

You can change how you synchronize users and user groups with Sophos Central. You can change your directory source from Active Directory (AD) to Microsoft Entra ID.

Before you change your directory source, you need to know that we synchronize different information from Microsoft Entra ID than from AD. See Directory service.

You can use either AD or Microsoft Entra ID as your directory source for users and user groups in a domain.

Requirements

Before you change directory sources, you must have the following:

Recommendations

Before you change directory sources, we recommend you do as follows:

  • Read the directory service restrictions. See Restrictions.
  • Make sure your users match in your directory sources.

    This is because we'll remove any users and mailboxes synchronized from AD if they aren't also in your Microsoft Entra ID source. We only remove users that don't match for the domain you're transferring from AD to Microsoft Entra ID. We keep all other users.

  • Set up an Azure Application if you need to. See Set up an Azure Application.

Restrictions

Before you change directory sources, you need to know the following:

  • If you want to use a directory source to manage devices and device groups, you can only use AD. Microsoft Entra ID doesn't support devices and device groups.

    You can use AD for devices and device groups and Microsoft Entra ID for users and user groups for the same domain.

  • If you want to use a directory source to manage public email folders, you can only use AD. Microsoft Entra ID doesn't support public email folders.

    You can only synchronize public email folders from AD if you also synchronize users and user groups. You can only use AD to manage the users and user groups in the same domain as your public email folders.

  • If you want to manage shared mailboxes in Microsoft Entra ID, you must create new ones. You can't manage your existing shared mailboxes in Microsoft Entra ID.

    We don't show associated users for shared mailboxes managed in Microsoft Entra ID. After you change sources, we'll stop showing any associated users for your existing shared mailboxes. See Mailboxes.

Change directory source

If you don't have devices and device groups and want to use Microsoft Entra ID to manage your users and user groups, follow the instructions in Use Microsoft Entra ID only.

If you want to use Microsoft Entra ID to manage your users and user groups and to use AD for your devices and device groups, follow the instructions in Use Microsoft Entra ID and AD.

Use Microsoft Entra ID only

To use Microsoft Entra ID as your only directory source for your domain, do as follows:

  1. Synchronize with Active Directory. See Set up synchronization with Active Directory.
  2. Check that your data has synchronized correctly in Sophos Central.
  3. Go to My Products > General Settings and click Directory service.
  4. Select your AD source.
  5. Turn off your AD source.
  6. Go to My Products > General Settings and click Directory service.
  7. Click Add Microsoft Entra ID.
  8. Set up synchronization with your Microsoft Entra ID source. See Set up synchronization with Microsoft Entra ID.
  9. Synchronize with Microsoft Entra ID, and check that your data has synchronized correctly. See What happens after you change source.
  10. Uninstall Active Directory Synchronization Setup.

Use Microsoft Entra ID and AD

To use both Microsoft Entra ID and AD, do as follows:

  1. Synchronize with Active Directory. See Set up synchronization with Active Directory.
  2. Check that your data has synchronized correctly in Sophos Central.
  3. Go to My Products > General Settings and click Directory service.
  4. Select your AD source.
  5. Change your filters so that you're synchronizing devices and device groups only. See Devices and device groups.

    [Screenshot: AD filters set to synchronize only devices and device groups.]

  6. Turn off your AD source.

  7. Go to My Products > General Settings and click Directory service.
  8. Click Add Microsoft Entra ID.
  9. Set up synchronization with your Microsoft Entra ID source. See Set up synchronization with Microsoft Entra ID.
  10. Synchronize with Microsoft Entra ID, and check that your users, user groups, and shared mailboxes have synchronized correctly. See What happens after you change source.
  11. Go to My Products > General Settings and click Directory service.
  12. Select your AD source.
  13. Turn on your AD source.
  14. Synchronize with Active Directory and check that your devices and device groups have synchronized correctly. See What happens after you change source.

What happens after you change source

If you change your source for users and user groups from AD to Microsoft Entra ID, the information we synchronize changes. This can change the information that we show in Sophos Central. It also changes how we update information.

If you use Microsoft Entra ID as your only source for a domain, we do as follows:

  • Synchronize your users from Microsoft Entra ID. The information we show depends on how closely the data in Microsoft Entra ID matches the data in AD. See Users.
  • Synchronize your user groups from Microsoft Entra ID. The information we show depends on how closely the data in Microsoft Entra ID matches the data in AD. See User groups.
  • Stop updating the shared mailboxes synchronized from AD. We keep your shared mailboxes. We create and update any shared mailboxes you have in Microsoft Entra ID. See Mailboxes.
  • Stop updating any public email folders. We keep your folders.
  • Stop updating your devices and device groups. We keep your devices and device groups.

If you use Microsoft Entra ID and AD as your sources for a domain, we do as follows:

  • Synchronize your users from Microsoft Entra ID. The information we show depends on how closely the data in Microsoft Entra ID matches the data in AD. See Users.
  • Synchronize your user groups from Microsoft Entra ID. The information we show depends on how closely the data in Microsoft Entra ID matches the data in AD. See User groups.
  • Stop updating the shared mailboxes synchronized from AD. We keep your shared mailboxes. We create and update any shared mailboxes you have in Microsoft Entra ID. See Mailboxes.
  • Stop updating any public email folders. We keep your folders.
  • Synchronize and update your devices and device groups from AD.

Users

This information only applies to the domain you're now managing in Microsoft Entra ID.

We synchronize users as follows:

  • If we match an existing user, we update them with the information in Microsoft Entra ID. We retain any mailboxes associated with the user.
  • If we don't match an existing user, we delete them and their associated mailboxes.
  • We create new users and their associated mailboxes.

User groups

This information only applies to the domain you're now managing in Microsoft Entra ID.

We synchronize user groups as follows:

  • If we match an existing group, we update it with all the information in Microsoft Entra ID.
  • If we don't match an existing group, we retain the group and stop updating it.
  • We create new user groups.
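The recommendation above to make sure your users match before you change source matters because an unmatched AD user is deleted together with its mailboxes, while an unmatched group is only frozen. The following script is an added example, not Sophos code, that applies the user and user group rules from the Users and User groups sections to an exported list from each directory and reports what the change would do before you turn off the AD source. It assumes users are matched on user principal name and groups on name, both case-insensitively, and that only the transferred domain is affected; the page does not state the actual matching key. The sample data is constructed.

```python
"""Pre-migration check for changing a domain's user source from AD to Microsoft Entra ID.

Added example (not Sophos code). It applies the rules this page documents:
  users:  matched -> updated (mailboxes kept); unmatched AD user -> deleted with its
          mailboxes; Entra ID user with no AD match -> created.
  groups: matched -> updated; unmatched AD group -> retained but no longer updated;
          new Entra ID group -> created.
Assumption: matching is by user principal name / group name, case-insensitive;
the page does not state the actual matching key.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirUser:
    upn: str                  # e.g. "alice@corp.example"
    mailboxes: tuple = ()     # names of mailboxes associated with this user


@dataclass
class UserPlan:
    updated: list = field(default_factory=list)         # kept and refreshed from Entra ID
    deleted: list = field(default_factory=list)         # removed: no Entra ID match
    lost_mailboxes: list = field(default_factory=list)  # removed along with deleted users
    created: list = field(default_factory=list)         # exist only in Entra ID
    untouched: list = field(default_factory=list)       # AD users in other domains


def _norm(name: str) -> str:
    return name.strip().lower()


def _domain_of(upn: str) -> str:
    return _norm(upn).rsplit("@", 1)[-1]


def plan_users(ad_users, entra_users, domain):
    """Work out what the source change does to the users of `domain`."""
    domain = _norm(domain)
    plan = UserPlan()
    entra_by_key = {_norm(u.upn): u for u in entra_users if _domain_of(u.upn) == domain}
    for ad in ad_users:
        if _domain_of(ad.upn) != domain:
            plan.untouched.append(ad.upn)      # only the transferred domain is affected
        elif _norm(ad.upn) in entra_by_key:
            plan.updated.append(ad.upn)
        else:
            plan.deleted.append(ad.upn)
            plan.lost_mailboxes.extend(ad.mailboxes)
    ad_keys = {_norm(u.upn) for u in ad_users}
    plan.created = [u.upn for u in entra_by_key.values() if _norm(u.upn) not in ad_keys]
    return plan


def plan_groups(ad_groups, entra_groups):
    """Groups: matched -> updated, unmatched AD group -> retained but frozen, new -> created."""
    entra = {_norm(g): g for g in entra_groups}
    ad = {_norm(g): g for g in ad_groups}
    return {
        "updated": [ad[k] for k in ad if k in entra],
        "retained_not_updated": [ad[k] for k in ad if k not in entra],
        "created": [entra[k] for k in entra if k not in ad],
    }


def migration_is_safe(plan: UserPlan) -> bool:
    """True when no AD user (and so no mailbox) would be removed by the change."""
    return not plan.deleted


# Constructed sample data for the domain being transferred (corp.example).
AD_USERS = [
    DirUser("alice@corp.example", ("alice-mailbox",)),
    DirUser("bob@corp.example", ("bob-mailbox", "bob-archive")),
    DirUser("carol@other.example", ("carol-mailbox",)),   # different domain, left alone
]
ENTRA_USERS = [
    DirUser("Alice@Corp.Example"),   # same person as alice, different casing
    DirUser("dave@corp.example"),    # exists only in Entra ID
]
AD_GROUPS = ["Finance", "Legacy-App-Users"]
ENTRA_GROUPS = ["finance", "Cloud-Admins"]

if __name__ == "__main__":
    p = plan_users(AD_USERS, ENTRA_USERS, "corp.example")
    for label, items in vars(p).items():
        print(f"{label:16} {items}")
    print(plan_groups(AD_GROUPS, ENTRA_GROUPS))
    print("safe to change source:", migration_is_safe(p))
```

Run it against real exports before step 5 (turning off the AD source): a non-empty `deleted` list means those accounts and the listed mailboxes will be removed when Microsoft Entra ID synchronizes, so either create the matching Entra ID accounts first or accept the loss knowingly.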

Mailboxes

This information only applies to the domain you're now managing in Microsoft Entra ID.

We synchronize shared mailboxes through Microsoft Entra ID as follows:

  • We keep any existing shared mailboxes. They don't have any associated users. We don't show them on any user pages. We show the shared mailboxes in Mailboxes. We show the data from the last synchronization with AD.
  • We show any new shared mailboxes as a user in Users, and we show them in Mailboxes. They don't have any associated users.

Note

If you use on-premises AD sync after a Microsoft Entra ID data migration, shared mailboxes can be removed depending on your configuration.