Migrate to Microsoft Azure AD

You can change how you synchronize users and user groups with Sophos Central. You can change your directory source from Active Directory (AD) to Microsoft Azure AD.

Before you change your directory source, you need to know that we synchronize different information from Microsoft Azure AD than from AD. See Directory service.

You can use either AD or Microsoft Azure AD as your directory source for users and user groups in a domain.

Requirements

Before you change directory sources, you must have the following:

Recommendations

Before you change directory sources, we recommend you do as follows:

  • Read the directory service restrictions. See Restrictions.
  • Make sure your users match in your directory sources.

    This is because we'll remove any users and mailboxes synchronized from AD if they aren't also in your Microsoft Azure AD source. We only remove users that don't match for the domain you're transferring from AD to Microsoft Azure AD. We keep all other users.

  • Set up an Azure Application if you need to. See Set up an Azure Application.

Restrictions

Before you change directory sources, you need to know the following:

  • If you want to use a directory source to manage devices and device groups, you can only use AD. Microsoft Azure AD doesn't support devices and device groups.

    You can use AD for devices and device groups and Microsoft Azure AD for users and user groups for the same domain.

  • If you want to use a directory source to manage public email folders, you can only use AD. Microsoft Azure AD doesn't support public email folders.

    You can only synchronize public email folders from AD if you also synchronize users and user groups. You can only use AD to manage the users and user groups in the same domain as your public email folders.

  • If you want to manage shared mailboxes in Microsoft Azure AD, you must create new ones. You can't manage your existing shared mailboxes in Microsoft Azure AD.

    We don't show associated users for shared mailboxes managed in Microsoft Azure AD. After you change sources, we'll stop showing any associated users for your existing shared mailboxes. See Mailboxes.

Change directory source

If you don't have devices and device groups and want to use Microsoft Azure AD to manage your users and user groups, follow the instructions in Use Microsoft Azure AD only.

If you want to use Microsoft Azure AD to manage your users and user groups and to use AD for your devices and device groups, follow the instructions in Use Microsoft Azure AD and AD.

Use Microsoft Azure AD only

To use Microsoft Azure AD as your only directory source for your domain, do as follows:

  1. Synchronize with Active Directory. See Set up synchronization with Active Directory.
  2. Check that your data has synchronized correctly in Sophos Central.
  3. Go to Global Settings > Directory service and select your AD source.
  4. Turn off your AD source.
  5. Go to Global Settings > Directory service and click Add Azure AD.
  6. Set up synchronization with your Microsoft Azure AD source. See Set up synchronization with Azure AD.
  7. Synchronize with Microsoft Azure AD, and check your data has synchronized correctly. See What happens after you change source.
  8. Uninstall Active Directory Synchronization Setup.

Use Microsoft Azure AD and AD

To use both Microsoft Azure AD and AD, do as follows:

  1. Synchronize with Active Directory. See Set up synchronization with Active Directory.
  2. Check that your data has synchronized correctly in Sophos Central.
  3. Go to Global Settings > Directory service and select your AD source.
  4. Change your filters so that you're synchronizing devices and device groups only. See Devices and device groups.

    AD filters set to synchronize devices and device groups only.

  5. Turn off your AD source.

  6. Go to Global Settings > Directory service and click Add Azure AD.
  7. Set up synchronization with your Microsoft Azure AD source. See Set up synchronization with Azure AD.
  8. Synchronize with Microsoft Azure AD, and check your users, user groups, and shared mailboxes have synchronized correctly. See What happens after you change source.
  9. Go to Global Settings > Directory service and select your AD source.
  10. Turn on your AD source.
  11. Synchronize with Active Directory and check that your devices and device groups have synchronized correctly. See What happens after you change source.

What happens after you change source

If you change your source for users and user groups from AD to Microsoft Azure AD, the information we synchronize changes. This can change the information that we show in Sophos Central. It also changes how we update information.

If you use Microsoft Azure AD as your only source for a domain, we do as follows:

  • Synchronize your users from Microsoft Azure AD. The information we show depends on how closely the data in Microsoft Azure AD matches the data in AD. See Users.
  • Synchronize your user groups from Microsoft Azure AD. The information we show depends on how closely the data in Microsoft Azure AD matches the data in AD. See User groups.
  • Stop updating the shared mailboxes synchronized from AD. We keep your shared mailboxes. We create and update any shared mailboxes you have in Microsoft Azure AD. See Mailboxes.
  • Stop updating any public email folders. We keep your folders.
  • Stop updating your devices and device groups. We keep your devices and device groups.

If you use Microsoft Azure AD and AD as your sources for a domain, we do as follows:

  • Synchronize your users from Microsoft Azure AD. The information we show depends on how closely the data in Microsoft Azure AD matches the data in AD. See Users.
  • Synchronize your user groups from Microsoft Azure AD. The information we show depends on how closely the data in Microsoft Azure AD matches the data in AD. See User groups.
  • Stop updating the shared mailboxes synchronized from AD. We keep your shared mailboxes. We create and update any shared mailboxes you have in Microsoft Azure AD. See Mailboxes.
  • Stop updating any public email folders. We keep your folders.
  • Synchronize and update your devices and device groups from AD.

Users

This information only applies to the domain you're now managing in Microsoft Azure AD.

We synchronize users as follows:

  • If we match an existing user, we update them with the information in Microsoft Azure AD. We retain any mailboxes associated with the user.
  • If we don't match an existing user, we delete them and their associated mailboxes.
  • We create new users and their associated mailboxes.

User groups

This information only applies to the domain you're now managing in Microsoft Azure AD.

We synchronize user groups as follows:

  • If we match an existing group, we update it with all the information in Microsoft Azure AD.
  • If we don't match an existing group, we retain the group and stop updating it.
  • We create new user groups.
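The matching rules above, together with the warning in Recommendations that unmatched AD users and their mailboxes are removed, can be previewed before you turn off the AD source. The script below is an added example, not Sophos Central code; it assumes users are matched on UPN/e-mail and groups on name, both case-insensitively, because the page does not say which attribute Sophos Central matches on, and the export data in it is constructed.

```python
# Pre-cutover preview (added example, not Sophos Central code). Matching users
# on UPN/e-mail and groups on name, case-insensitively, is an assumption: the
# page does not say which attribute Sophos Central matches on. Data is constructed.
AD_USERS = {  # UPN -> mailboxes synchronized from AD
    "alice@example.com": ["alice@example.com"],
    "bob@example.com": ["bob@example.com", "bob-archive@example.com"],
    "carol@example.com": ["carol@example.com"],
    "dave@other.example": ["dave@other.example"],  # other domain: untouched
}
AZURE_USERS = ["Alice@example.com", "carol@example.com", "erin@example.com"]
AD_GROUPS = ["Sales", "Legacy-VPN"]
AZURE_GROUPS = ["sales", "Finance"]

def in_domain(upn, domain):
    """True when the UPN belongs to the domain being moved to Azure AD."""
    return upn.lower().endswith("@" + domain.lower())

def plan_users(ad_users, azure_users, domain):
    """Users: matched -> updated (mailboxes retained); unmatched -> user and
    mailboxes deleted; Azure AD only -> created; other domains -> kept."""
    azure = {u.lower(): u for u in azure_users if in_domain(u, domain)}
    plan = {"update": [], "delete": [], "delete_mailboxes": [],
            "create": [], "keep": []}
    for upn, mailboxes in ad_users.items():
        if not in_domain(upn, domain):
            plan["keep"].append(upn)
        elif upn.lower() in azure:
            plan["update"].append(upn)
        else:
            plan["delete"].append(upn)
            plan["delete_mailboxes"].extend(mailboxes)
    known = {u.lower() for u in ad_users}
    plan["create"] = [u for low, u in azure.items() if low not in known]
    return plan

def plan_groups(ad_groups, azure_groups):
    """Groups: matched -> updated; unmatched -> retained but no longer
    updated; Azure AD only -> created."""
    azure = {g.lower(): g for g in azure_groups}
    known = {g.lower() for g in ad_groups}
    return {"update": [g for g in ad_groups if g.lower() in azure],
            "retain": [g for g in ad_groups if g.lower() not in azure],
            "create": [g for low, g in azure.items() if low not in known]}

if __name__ == "__main__":
    for action, items in plan_users(AD_USERS, AZURE_USERS, "example.com").items():
        print(f"users  {action:16} {', '.join(items) or '-'}")
    for action, items in plan_groups(AD_GROUPS, AZURE_GROUPS).items():
        print(f"groups {action:16} {', '.join(items) or '-'}")
```

Run it against real exports of the domain you are moving; any UPN listed under `delete` must be created or renamed in Microsoft Azure AD before step 4 of the procedure, or its mailboxes go with it.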

Mailboxes

This information only applies to the domain you're now managing in Microsoft Azure AD.

We synchronize shared mailboxes as follows:

  • We keep any existing shared mailboxes. They don't have any associated users. We don't show them on any user pages. We show the shared mailboxes in Mailboxes. We show the data from the last synchronization with AD.
  • We show any new shared mailboxes as a user in Users, and we show them in Mailboxes. They don't have any associated users.