
Set up synchronization with Active Directory

You can synchronize users, devices, and groups. You can also synchronize public folders and mailboxes.

You can synchronize different domains in the same forest. You can select multiple child domains within a single forest.

You can also do the following:

  • Synchronize devices and device groups from Active Directory (AD) and synchronize users and user groups from Microsoft Azure AD (Azure AD) for the same domain.

    Warning

    If you want to synchronize shared mailboxes and public folders, you must also use AD to synchronize your users and user groups if they're in the same domain as your shared mailboxes and public folders.

  • Synchronize from AD and Azure AD for different domains.

Active Directory Synchronization Setup

To synchronize with AD, you need to download and install Active Directory Synchronization Setup (we describe how to download and install it later). Active Directory Synchronization Setup works as follows:

  • It synchronizes active users and user groups.

    It doesn't duplicate existing users or groups when they match an existing Sophos Central user or group. For example, it can add an email address from AD to an existing user in Sophos Central.

  • It synchronizes devices and device groups. You can find information on how it matches devices and groups together with other useful information in Device group discovery FAQ.

  • It synchronizes shared mailboxes and public folders.

You can set it to run automatically at set times. It supports only the AD synchronization service. It doesn't help you install the Sophos agent software on your users' devices. Use other methods of deployment.

You need to read the following sections and complete any necessary tasks before you set up synchronization with AD:

  • Requirements
  • Restrictions
  • Remove inactive users and devices

If you've already done this, go to Download setup software and validate credentials.

Requirements

Before you can set up synchronization, you need to check the following:

  • You must be an Admin to set up directory sources.
  • You must have .NET Framework 4.5.2 installed on the computer where you'll run Active Directory Synchronization Setup.
  • You must have Sophos API credentials to synchronize with AD. You need to have these before setting up synchronization, changing your existing configuration, or synchronizing.

    You must use the Service Principal Active Directory Sync API role. You should always make sure that access is as specific as possible.

    See API Credentials Management.

  • You must check all your Active Directory users have an email address.

    You need an email address for your users to protect them when using many Sophos Central workflows.

    For example, if you're using Sophos Email to protect your users, email going to an email address not associated with a user isn't delivered.

  • You must set up your firewall or proxy to allow some domains. See Domains and ports to allow.

Restrictions

You can't do the following:

  • Synchronize users and user groups using both AD and Azure AD from the same domain.
  • Synchronize multiple AD forests with a Sophos Central Admin account.
  • Use more than one copy of Active Directory Synchronization Setup for a Sophos Central Admin account.
  • Set up more than one set of synchronization options for AD for a Sophos Central Admin account.

Remove inactive users and devices

We recommend removing inactive users and devices from your AD domains. Inactive user accounts and devices are a security risk. This also reduces the size of the file sent to Sophos Central from AD, which speeds up synchronization.

You can find help on finding and removing inactive users as follows:

You can use AD filters to stop inactive users from synchronizing with Sophos Central. This can reduce the size of the synchronization file sent to Sophos Central, but it doesn't mitigate the security risks associated with inactive users in your AD domains.

See Filter inactive AD users.

Download setup software and validate credentials

To start setting up synchronization with AD you need to download Active Directory Synchronization Setup and validate your credentials.

These instructions tell you how to set up synchronization with AD. This adds an AD directory source. For help on managing your directory sources, see Manage your sources.

To start setting up, do as follows:

  1. Go to Overview > Global Settings > Directory service.
  2. Click the link to download Active Directory Synchronization Setup. Then run it. Active Directory Synchronization Setup starts.
  3. Enter your Client ID and Client Secret and click Validate credentials.
  4. Turn on Configure proxy manually if you want to use a proxy, and enter your Proxy address.
  5. If you're using a proxy, you can turn on additional authentication. Turn on Enable proxy authentication and enter the following information.

    • Proxy user
    • Proxy password
  6. Click Validate credentials to check your proxy settings.

Next, you need to enter your AD configuration details.

Enter your AD configuration

You can now enter your AD configuration details. You must use the credentials for a user account with read access to the entire Active Directory forest you want to synchronize. To stay secure, use an account with limited rights.

To enter your configuration, do as follows:

  1. On the AD Configuration page, enter the details for your Active Directory LDAP server and credentials.

    We recommend using a secure LDAP connection, encrypted using SSL, and leaving Use LDAP over an SSL connection (recommended) turned on.

  2. If your LDAP environment doesn't support SSL, turn off Use LDAP over an SSL connection (recommended) and change the port number. The port number is usually 636 for SSL connections and 389 for insecure connections.

    Microsoft released a security update that changed LDAP channel binding and LDAP signing for Active Directory. Insecure connections on port 389 don't work with the Microsoft security update. See 2020 LDAP channel binding and LDAP signing requirements for Windows.
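Before you leave Use LDAP over an SSL connection (recommended) turned on, it helps to confirm that the domain controller actually answers on port 636 and presents a certificate the synchronization server trusts. The following PowerShell check is an added example, not part of Sophos's tool; the server name is a placeholder you replace with your own domain controller.

```powershell
# Added example (not Sophos code): connect to a domain controller on the LDAPS
# port, complete the TLS handshake and report the certificate and any chain
# errors, so that certificate problems surface here rather than as a failed sync.
param(
    [string]$Server = 'dc01.myCompany.com',   # placeholder: your domain controller
    [int]$Port = 636                          # LDAPS port, as on the AD Configuration page
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
} catch {
    Write-Warning "Cannot reach ${Server}:$Port. Check firewall/proxy rules and that the DC has an LDAPS certificate."
    return
}

# Capture the validation result instead of silently accepting the certificate.
$script:chainErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainErrors = $errors
    return $true   # accept only for inspection; the sync tool itself still validates the chain
}

$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    [pscustomobject]@{
        Server      = $Server
        Protocol    = $ssl.SslProtocol
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainErrors = $script:chainErrors   # 'None' means this host trusts the certificate
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

A result other than None in ChainErrors (for example RemoteCertificateChainErrors or RemoteCertificateNameMismatch) means the synchronization server will not accept the LDAPS connection until the issuing CA is trusted or the certificate name matches the server you enter.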

Next, you need to set up your synchronization options. To do this, click Next and set up your synchronization using the remaining tabs.

You can click Finish on any tab if you've finished setting up.

Set up your synchronization options

You can now set up the filters you want to use to synchronize information from your AD to Sophos Central.

Some features might not be available for all customers yet.

AD Filters

You can choose the types of data you want to synchronize using Active Directory Synchronization Setup.

You choose the data types you want to synchronize by configuring LDAP filters.

For specific help on synchronizing different data types see:

To filter your data, do as follows:

  1. On the AD Filters tab, configure an LDAP filter to select the users, devices, and groups to synchronize.

    You can enter additional search options (search bases and LDAP query filters) for each domain. You can also specify different options for users and user groups.

    Note

    Synchronization only creates groups with discovered users or devices, regardless of group filter settings.

    The options are as follows:

    • Search bases: You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:

      OU=Finance,DC=myCompany,DC=com

    • LDAP query filters: To filter users, for example, by group membership, you can define a user query filter in this format:

      memberOf=CN=testGroup, DC=myCompany, DC=com

      This query limits user discovery to users belonging to “testGroup”. Note that synchronization discovers all groups to which these discovered users belong if you don't specify a group query filter. If you also want group discovery to be limited to “testGroup”, you can define the following group query filter:

      CN=testGroup

      You can also use these filters to stop inactive users from synchronizing with Sophos Central.

    • Exclude disabled user accounts: Synchronization excludes disabled user accounts by default. To include them, turn off this option.

    Warning

    If you include base distinguished names in your search options or change your filter settings, some of the Sophos Central users and groups created during previous synchronizations may fall outside the search scope. We may delete them from Sophos Central.
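Because a changed search base or filter can push previously synchronized users out of scope, it is worth previewing the selection in AD itself before you click Preview and Sync. The following PowerShell script is an added example, not part of Sophos's tool: it runs the page's search base and memberOf filter as a full LDAP filter, applies the same Exclude disabled user accounts condition, and flags users with no email address and stale accounts. The search base, group DN and inactivity cut-off are placeholders, and it assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not Sophos code): preview the users an AD filter would select and
# check them against the page's Requirements and Remove inactive users sections.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Finance,DC=myCompany,DC=com'     # the page's example search base (placeholder)
$GroupDn      = 'CN=testGroup,DC=myCompany,DC=com'   # the page's example group (placeholder)
$InactiveDays = 90                                    # assumption: your own inactivity cut-off

# The user query filter, combined with "Exclude disabled user accounts":
# userAccountControl bit 2 (ACCOUNTDISABLE) tested with the LDAP bitwise-AND rule.
$ldapFilter = "(&(memberOf=$GroupDn)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$users = Get-ADUser -SearchBase $SearchBase -LDAPFilter $ldapFilter `
            -Properties mail, lastLogonTimestamp, memberOf

# lastLogonTimestamp is a replicated file time that may lag real logons by up to 14 days,
# so treat the result as a screening list, not as proof that an account is unused.
$cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTime()

$report = @(foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Mail           = $u.mail
        # Requirements: every synchronized user needs an email address.
        MissingMail    = [string]::IsNullOrEmpty($u.mail)
        # Remove inactive users: never logged on, or not within the cut-off window.
        Inactive       = (-not $u.lastLogonTimestamp) -or ($u.lastLogonTimestamp -lt $cutoff)
        # Groups discovered for this user when no group query filter is set.
        GroupCount     = @($u.memberOf).Count
    }
})

"{0} users in scope, {1} without mail, {2} inactive for more than {3} days" -f `
    $report.Count,
    @($report | Where-Object MissingMail).Count,
    @($report | Where-Object Inactive).Count,
    $InactiveDays

$report | Where-Object { $_.MissingMail -or $_.Inactive } | Format-Table -AutoSize
```

Users listed by the final table are the ones to fix (add a mail address) or remove before synchronizing, so that they neither fail Sophos Central workflows nor inflate the synchronization file.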

You can now set up your synchronization schedule. See Sync Schedule.

Devices and device groups

If you want to synchronize devices and device groups, do as follows:

  1. Click AD Filters.
  2. Turn on Sync devices and Sync organizational units.
  3. You may want to synchronize your Organizational Units before you synchronize your devices so that you can configure the groups in advance. To do this, turn on Sync organizational units only.

    We recommend that you synchronize your Organizational Units before you synchronize your devices for the first time. This allows you to set up your policies and apply them to your groups. You can then synchronize your devices, and we apply your policies to your devices. We apply our default policies to your groups and devices if you don't do this.

    If you synchronize your Organizational Units before you synchronize your devices, you must turn on Sync devices and Sync organizational units when you synchronize your devices. This maintains the association between your Organizational Units and devices.

    If you want to change these settings after you've synchronized your Organizational Units and your devices, you need to know the following:

    • If you turn off Sync organizational units and leave Sync devices turned on and then synchronize, your Organizational Units show as Custom Groups in Sophos Central.
    • If you turn off Sync devices and leave Sync organizational units turned on and then synchronize, we don't assign your devices to groups in Sophos Central.

Users and user groups

If you want to synchronize users and user groups, do as follows:

  1. Click AD Filters.
  2. Turn on Sync users and user groups.

    This option also synchronizes shared mailboxes.

    You can synchronize your users and user groups using Azure AD instead. If you want to do this, you can turn off this option.

    If you turn off this option, you can't synchronize shared mailboxes or public folders.

Public folders

If you want to synchronize public folders, do as follows:

  1. Click AD Filters.
  2. Turn on Sync users and user groups.

    Public folders are mailboxes, so you must turn on this option.

  3. Turn on Sync public folders.


Sync Schedule

To set up your synchronization schedule, do as follows:

  1. On the Sync Schedule tab, define the times at which synchronization happens.


    Note

    A background service performs a scheduled synchronization.

  2. If you want to synchronize manually and don't want the synchronization to run automatically, click Never. Only sync when manually initiated.

Now you can synchronize with AD.

Synchronize AD

We recommend you manually synchronize with AD when setting up synchronization or changing your settings. This means you can check the changes that will be made during the synchronization.

To synchronize, do as follows:

  1. Click Preview and Sync.

    • If you're using LDAP query filters, check that you've configured them appropriately.
  2. Review the changes that will be made during synchronization. If you're happy with the changes, click Approve Changes and Continue. Your users, devices, and groups are imported from AD to Sophos Central.

  3. Review your users, devices, and groups in Sophos Central.

    • Check your users to make sure their devices are protected.
    • Check the policies applied to your users and user groups.
    • Check your computers and servers for unmanaged devices. These are shown on separate tabs. Protect any unmanaged devices.
    • Check the policies applied to your devices and device groups. You can apply policies to the AD device group.

Move Active Directory synchronization servers

If you want to move the server you're using to synchronize with AD, do as follows:

  1. Stop synchronizing on your current server.
  2. Set up Active Directory Synchronization on your new server.

    If you need help with this, follow the instructions given in the previous sections on this page.

  3. Check there are no changes needed to the filters.

  4. Preview your synchronization to check that your settings are correct.
  5. Synchronize and check that everything is working as expected.
  6. Set your synchronization schedule.
  7. Remove Active Directory Synchronization from your original server.