Set up synchronization with Active Directory
Some features might not be available for all customers yet.
You can synchronize users, devices, and groups. You can also synchronize public folders and mailboxes.
You can synchronize different domains in the same forest. You can select multiple child domains within a single forest.
You also can synchronize multiple forests with a Sophos Central Admin account. You need to know the following:
- We recommend that you synchronize a forest with one Sophos Central Admin account. If you synchronize a forest with multiple accounts it can result in unpredictable behavior in Sophos Central Admin.
- Users and email addresses must be unique in each forest. If you have duplicate objects, we'll update them with information from each forest during synchronization. Synchronization doesn't merge data. This means that we can show inconsistent information for the duplicate forest objects in Sophos Central Admin.
You can also do the following:
- Synchronize devices and device groups from Active Directory (AD) and synchronize users and user groups from Microsoft Entra ID for the same domain.
  Warning
  By default, disabled user accounts and mailboxes, which include shared mailboxes, aren't synchronized. Without an active mailbox, you can't send emails through Sophos Central.
  Note
  If you want to synchronize shared mailboxes and public folders, you must use the AD Sync tool to synchronize your users and user groups if they're in the same domain as your shared mailboxes and public folders.
- Synchronize from AD and Microsoft Entra ID for different domains.
You can watch the following video for a step-by-step guide on how to set up the AD Sync tool.
Active Directory Synchronization Setup
To synchronize with AD, you need to download and install Active Directory Synchronization Setup (we describe how to install and download it later). Active Directory Synchronization Setup works as follows:
- It synchronizes active users and user groups.
  If a user matches an existing Sophos Central user, Active Directory Synchronization Setup only creates a new user if the existing user was created manually in Sophos Central. It doesn't create a new user if the existing user was synchronized from another directory service. The same applies to groups.
  Examples
  - You can add an email address from AD to an existing user in Sophos Central that was added using another directory service.
  - When you manually create a user named "Bob" on the People page and then add another user named "Bob" from AD, there will be two "Bob" users in Sophos Central.
- It synchronizes devices and device groups. You can find information on how it matches devices and groups together with other useful information in Device group discovery FAQ.
- It synchronizes shared mailboxes and public folders.
  If you want to synchronize shared mailboxes, you must make sure Exclude disabled user accounts is turned on when you set up your synchronization options. If you turn this option off, you'll get duplicate mailboxes for your shared mailboxes in Sophos Central.
You can set it to run automatically at set times. It supports only the AD synchronization service. It doesn't help you install the Sophos agent software on your users' devices. Use other methods of deployment.
You need to read the following sections and complete any necessary tasks before you set up synchronization with AD:
- Requirements
- Restrictions
- Remove inactive users and devices
If you've already done this, go to Download setup software and validate credentials.
Requirements
Before you can set up synchronization, you need to check the following:
- You must be an Admin to set up directory sources.
- You must have .NET Framework 4.5.2 installed on the computer where you'll run Active Directory Synchronization Setup.
- You must have Sophos API credentials to synchronize with AD. You need to have these before setting up synchronization, changing your existing configuration, or synchronizing.
  You must use the Service Principal Active Directory Sync API role. You should always make sure that access is as specific as possible.
- You must check that all your Active Directory users have an email address.
  You need an email address for your users to protect them when using many Sophos Central workflows.
  For example, if you're using Sophos Email to protect your users, email going to an email address not associated with a user isn't delivered.
- You must set up your firewall or proxy to allow some domains. See Domains and ports to allow.
Restrictions
You can't do as follows:
- Synchronize users and user groups using both AD and Microsoft Entra ID from the same domain.
- Synchronize users or email addresses to multiple Sophos Central Admin accounts. Users and email addresses must be unique in each Sophos Central Admin account.
- Synchronize users to groups from multiple domains. We'll only synchronize users from the domain the group belongs to. Preview and Sync shows all the group members but we won't add users from other domains to the group.
  For instance, you have two domains called domainX.com and sub.domainX.com. One of your domains, domainX.com, has a group, g1. The group, g1, contains members from both domains. We'll synchronize your users and associate them with the group g1. We'll only do this for the domain the group is associated with. This means we'll synchronize the domainX.com users and add them to the g1 group. Preview and Sync shows all the group members but we won't add the users from the second domain.
- Set up more than 1000 filters for a directory object. Filters let you select users and devices to synchronize.
- Set up additional LDAP filters that are longer than 5000 characters.
- Use a domain with a name in which any part is longer than 63 characters, or starts or ends with the '-' or '_' characters.
- Synchronize users separately from user groups. You must synchronize both or neither.
- Synchronize devices separately from device groups. You must synchronize both or neither.
- Synchronize Microsoft 365 group (shared) mailboxes. You must use Microsoft Entra ID synchronization.
- Synchronize shared mailboxes with no delegates.
- Synchronize multiple AD clients from a single domain or sub-domain.
- Synchronize multiple AD devices with a single DNS hostname.
- Keep an inactive user mailbox with mail delegation assigned to an active user mailbox, as the Active Directory sync client won't delete it. Instead, the inactive user mailbox will be converted into a shared mailbox.
Remove inactive users and devices
We recommend removing inactive users and devices from your AD domains. Inactive user accounts and devices are a security risk. This also reduces the size of the file sent to Sophos Central from AD, which speeds up synchronization.
You can find help on finding and removing inactive users as follows:
- How to find and remove old computer accounts in Active Directory
- Regularly check for and remove inactive user accounts in Active Directory
You can use AD filters to stop inactive users from synchronizing with Sophos Central. This can reduce the size of the synchronization file sent to Sophos Central, but it doesn't mitigate the security risks associated with inactive users in your AD domains.
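The Requirements section above asks you to confirm every user has an email address, the Restrictions section says users and email addresses must be unique across the accounts and forests you synchronize, and this section recommends removing inactive accounts. The following script is an added example, not part of the Sophos documentation or the AD Sync tool, that runs those three checks offline over a user export before the first synchronization. It assumes you have exported users (for example from a Get-ADUser CSV export) into records with the fields forest, sam, mail, uac (userAccountControl) and last_logon; those field names and the sample records are constructed for this example.

```python
"""Offline pre-sync audit of an Active Directory user export.

Added example; not part of the Sophos documentation or the AD Sync tool.
The record layout (forest, sam, mail, uac, last_logon) is an assumption
about how you exported your users.
"""
from datetime import date, timedelta

# ACCOUNTDISABLE is bit 0x2 of userAccountControl (documented Microsoft flag).
ACCOUNTDISABLE = 0x2

# Constructed sample records; every value here is made up for this example.
SAMPLE_USERS = [
    {"forest": "corp.example", "sam": "alice",   "mail": "alice@corp.example", "uac": 0x200, "last_logon": "2024-05-01"},
    {"forest": "corp.example", "sam": "bob",     "mail": "",                   "uac": 0x200, "last_logon": "2024-05-02"},
    {"forest": "corp.example", "sam": "svc-old", "mail": "svc@corp.example",   "uac": 0x202, "last_logon": "2022-01-01"},
    {"forest": "corp.example", "sam": "carol",   "mail": "carol@corp.example", "uac": 0x200, "last_logon": "2023-01-01"},
    {"forest": "lab.example",  "sam": "alice",   "mail": "Alice@corp.example", "uac": 0x200, "last_logon": "2024-05-03"},
]


def account_name(user):
    """Render a record as forest\\sam so the same name in two forests stays distinguishable."""
    return f"{user['forest']}\\{user['sam']}"


def audit_users(users, today, stale_after_days=90):
    """Return the findings worth resolving before synchronizing.

    missing_mail:   users that won't work in email-based Sophos Central workflows.
    disabled:       users the sync skips while Exclude disabled user accounts is on.
    stale:          users with no logon within stale_after_days; removal candidates.
    duplicate_mail: one address on more than one account (including across forests),
                    which leads to inconsistent data in Sophos Central.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=stale_after_days)
    findings = {"missing_mail": [], "disabled": [], "stale": [], "duplicate_mail": {}}
    by_mail = {}
    for u in users:
        name = account_name(u)
        mail = u["mail"].strip().lower()  # addresses compare case-insensitively
        if not mail:
            findings["missing_mail"].append(name)
        else:
            by_mail.setdefault(mail, []).append(name)
        if u["uac"] & ACCOUNTDISABLE:
            findings["disabled"].append(name)
        if date.fromisoformat(u["last_logon"]) < cutoff:
            findings["stale"].append(name)
    findings["duplicate_mail"] = {m: names for m, names in by_mail.items() if len(names) > 1}
    return findings


def sync_candidates(users, exclude_disabled=True):
    """Accounts the synchronization would import under the default option settings."""
    return [account_name(u) for u in users
            if not (exclude_disabled and u["uac"] & ACCOUNTDISABLE)]


if __name__ == "__main__":
    result = audit_users(SAMPLE_USERS, today="2024-06-01")
    for category, items in result.items():
        print(f"{category}: {items}")
    print("would sync:", sync_candidates(SAMPLE_USERS))
```

Run it against your own export and resolve each finding before you click Preview and Sync: add the missing addresses, decide whether the stale accounts should be removed from AD rather than merely filtered, and fix the duplicated address, since filtering alone does not remove the risk of the inactive account itself.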
Download setup software and validate credentials
To start setting up synchronization with AD you need to download Active Directory Synchronization Setup and validate your credentials.
These instructions tell you how to set up synchronization with AD. This adds an AD directory source. For help on managing your directory sources, see Manage your sources.
To start setting up, do as follows:
- Go to My Products > General Settings and click Directory service.
- Click the link to download Active Directory Synchronization Setup. Then run it. Active Directory Synchronization Setup starts.
- Enter your Client ID and Client Secret and click Validate credentials.
- Turn on Configure proxy manually if you want to use a proxy, and enter your Proxy address.
- If you're using a proxy, you can turn on additional authentication. Turn on Enable proxy authentication and enter the following information.
  - Proxy user
  - Proxy password
- Click Validate credentials to check your proxy settings.
Next, you need to enter your AD configuration details.
Enter your AD configuration
You can now enter your AD configuration details. You must use the credentials for a user account with read access to the entire Active Directory forest you want to synchronize. To stay secure, use an account with limited rights.
To enter your configuration, do as follows:
- On the AD Configuration page, enter the details for your Active Directory LDAP server and credentials.
  We recommend using a secure LDAP connection, encrypted using SSL, and leaving Use LDAP over an SSL connection (recommended) turned on.
- If your LDAP environment doesn't support SSL, turn off Use LDAP over an SSL connection (recommended) and change the port number. The port number is usually 636 for SSL connections and 389 for insecure connections.
  Microsoft released a security update that changed LDAP channel binding and LDAP signing for Active Directory. Insecure connections on port 389 don't work with the Microsoft security update. See 2020 LDAP channel binding and LDAP signing requirements for Windows.
Next, you need to set up your synchronization options. To do this, click Next and set up your synchronization using the remaining tabs.
You can click Finish on any tab if you've finished setting up.
Set up your synchronization options
You can now set up the filters you want to use to synchronize information from your AD to Sophos Central.
Some features might not be available for all customers yet.
AD Filters
You can choose the types of data you want to synchronize using Active Directory Synchronization Setup.
You choose the data types you want to synchronize by configuring LDAP filters.
For specific help on synchronizing different data types, see Devices and device groups, Users and user groups, and Public folders.
To filter your data, do as follows:
- On the AD Filters tab, configure an LDAP filter to select the users, devices, and groups to synchronize.
  You can enter additional search options (search bases and LDAP query filters) for each domain. You can also specify different options for users and user groups.
Note
Synchronization only creates groups with discovered users or devices, regardless of group filter settings.
The options are as follows:

Search bases
You can specify search bases (also called "base distinguished names"). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:
OU=Finance,DC=myCompany,DC=com

LDAP query filters
To filter users, for example, by group membership, you can define a user query filter in this format:
memberOf=CN=testGroup, DC=myCompany, DC=com
This query limits user discovery to users belonging to "testGroup". Note that synchronization discovers all groups to which these discovered users belong if you don't specify a group query filter. If you also want group discovery to be limited to "testGroup", you can define the following group query filter:
CN=testGroup
You can also use these filters to stop inactive users synchronizing with Sophos Central.

Exclude disabled user accounts
Synchronization excludes disabled user accounts by default. To include them, turn off this option.
If you want to synchronize shared mailboxes, you must make sure that this option is turned on. If you don't, you'll get duplicate mailboxes for your shared mailboxes in Sophos Central.
Warning
If you include base distinguished names in your search options or change your filter settings, some of the Sophos Central users and groups created during previous synchronizations may fall outside the search scope. We may delete them from Sophos Central.
You can now set up your synchronization schedule. See Sync Schedule.
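The memberOf and CN=testGroup examples above are typed by hand, and a group name containing characters such as parentheses or an asterisk would change the structure of the filter rather than match the name. The following is an added example, not Sophos' code, that builds the user and group query filters described above with RFC 4515 escaping, adds the equivalent of the Exclude disabled user accounts option as a filter clause, shows a lastLogonTimestamp clause for the "stop inactive users synchronizing" case, and checks a filter against the 5000-character limit stated under Restrictions. It emits standard RFC 4515 syntax with enclosing parentheses, whereas the page shows the filters without them; confirm which form the tool accepts with Preview and Sync. The matching-rule OID and the FILETIME conversion are documented Microsoft behaviour; the function names are this example's own.

```python
"""Build and sanity-check LDAP filters for the AD Filters tab.

Added example; not Sophos' code. Emits RFC 4515 filter syntax. The
5000-character limit is the one stated under Restrictions on this page.
"""
from datetime import datetime, timezone

MAX_FILTER_LEN = 5000

# LDAP_MATCHING_RULE_BIT_AND (Microsoft OID 1.2.840.113556.1.4.803) tested
# against userAccountControl; bit 0x2 is ACCOUNTDISABLE, so this clause
# matches disabled accounts and negating it excludes them.
DISABLED_CLAUSE = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_filter_value(value):
    """RFC 4515 escaping: ( ) * \\ and NUL in a value become \\xx hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def member_of_filter(group_cn, base_dn, exclude_disabled=True):
    """User query filter limiting discovery to members of one group (the page's memberOf example)."""
    clauses = [f"(memberOf=CN={escape_filter_value(group_cn)},{base_dn})"]
    if exclude_disabled:  # same effect as the Exclude disabled user accounts option
        clauses.append(f"(!{DISABLED_CLAUSE})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def group_filter(group_cn):
    """Group query filter limiting group discovery to the same group (the page's CN=testGroup example)."""
    return f"(cn={escape_filter_value(group_cn)})"


def to_filetime(when):
    """Convert a UTC datetime (or ISO 8601 string) to the FILETIME integer stored in lastLogonTimestamp."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    # FILETIME counts 100 ns intervals since 1601-01-01; Unix epoch offset is 11644473600 s.
    return (int(when.timestamp()) + 11644473600) * 10_000_000


def active_since_filter(cutoff):
    """Keep only users who logged on at or after cutoff.

    Accounts with no lastLogonTimestamp at all do not match a >= comparison,
    so never-used accounts are excluded too, which is what you want here.
    """
    return f"(lastLogonTimestamp>={to_filetime(cutoff)})"


def validate_filter(ldap_filter, max_len=MAX_FILTER_LEN):
    """Return (ok, reason) after checking the length limit and parenthesis balance."""
    if len(ldap_filter) > max_len:
        return False, f"filter is {len(ldap_filter)} characters, limit is {max_len}"
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False, "unbalanced parentheses"
    if depth != 0:
        return False, "unbalanced parentheses"
    return True, "ok"


if __name__ == "__main__":
    users = member_of_filter("testGroup", "DC=myCompany,DC=com")
    groups = group_filter("testGroup")
    recent = active_since_filter("2024-01-01T00:00:00+00:00")
    for f in (users, groups, recent):
        print(f, validate_filter(f))
```

Pair a user filter with a matching group filter as the page describes; otherwise group discovery widens to every group the selected users belong to. When a filter exceeds the limit, narrow it with a search base (OU=...) instead of adding more clauses.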
Devices and device groups
If you want to synchronize devices and device groups, do as follows:
- Click AD Filters.
- Turn on Sync devices and Sync organizational units.
- You may want to synchronize your Organizational Units before you synchronize your devices so that you can configure the groups in advance. To do this, turn on Sync organizational units only.
  We recommend that you synchronize your Organizational Units before you synchronize your devices for the first time. This allows you to set up your policies and apply them to your groups. You can then synchronize your devices, and we apply your policies to your devices. We apply our default policies to your groups and devices if you don't do this.
  If you synchronize your Organizational Units before you synchronize your devices, you must turn on Sync devices and Sync organizational units when you synchronize your devices. This maintains the association between your Organizational Units and devices.
If you want to change these settings after you've synchronized your Organizational Units and your devices, you need to know the following:
- If you turn off Sync organizational units and leave Sync devices turned on and then synchronize, your Organizational Units show as Custom Groups in Sophos Central.
- If you turn off Sync devices and leave Sync organizational units turned on and then synchronize, we don't assign your devices to groups in Sophos Central.
Users and user groups
If you want to synchronize users and user groups, do as follows:
- Click AD Filters.
- Turn on Sync users and user groups.
  This option also synchronizes shared mailboxes.
  You can synchronize your users and user groups using Microsoft Entra ID instead. If you want to do this, you can turn off this option.
  If you turn off this option, you can't synchronize shared mailboxes or public folders.
Public folders
If you want to synchronize public folders, do as follows:
- Click AD Filters.
- Turn on Sync users and user groups.
  Public folders are mailboxes, so you must turn on this option.
- Turn on Sync public folders.
Sync Schedule
To set up your synchronization schedule, do as follows:
- On the Sync Schedule tab, define the times at which synchronization happens.
  Note
  A background service performs a scheduled synchronization.
- If you want to synchronize manually and don't want the synchronization to run automatically, click Never. Only sync when manually initiated.
Now you can synchronize with AD.
Synchronize AD
We recommend you manually synchronize with AD when setting up synchronization or changing your settings. This means you can check the changes that will be made during the synchronization.
Manual synchronization takes up to 15 minutes.
To synchronize, do as follows:
- Click Preview and Sync.
- If you're using LDAP query filters, check that you've configured them appropriately.
- Review the changes that will be made during synchronization. If you're happy with the changes, click Approve Changes and Continue. Your users, devices, and groups are imported from AD to Sophos Central.
- Review your users, devices, and groups in Sophos Central.
  - Check your users to make sure their devices are protected.
  - Check the policies applied to your users and user groups.
  - Check your computers and servers for unmanaged devices. These are shown on separate tabs. Protect any unmanaged devices.
  - Check the policies applied to your devices and device groups. You can apply policies to the AD device group.
Move Active Directory synchronization servers
If you want to move the server you're using to synchronize with AD, do as follows:
- Stop synchronizing on your current server.
- Set up Active Directory Synchronization on your new server.
  If you need help with this, follow the instructions given in the previous sections on this page.
- Check there are no changes needed to the filters.
- Preview your synchronization to check that your settings are correct.
- Synchronize and check that everything is working as expected.
- Set your synchronization schedule.
- Remove Active Directory Synchronization from your original server.