
Set up an Azure Application

To synchronize with Microsoft Entra ID, you need some Microsoft Azure information.

To get this information, you need to set up an Azure Application. You can skip this section if you have one set up.

Note

We recommend that you check Add an enterprise application and Prerequisites to access the Azure Active Directory reporting API for the latest help. You may also find Microsoft's Quickstart Guide for registering applications useful, see Quickstart: Register an application with the Microsoft identity platform. You should use the instructions given by Microsoft if they differ from ours.

You can only use this Azure Application with Sophos Central, you can't use it with other Sophos products.

You need to set up application permissions in your Azure portal so that you can use all of the Microsoft Entra ID synchronization options in Sophos Central. You need to set up the following permissions:

  • Microsoft Graph Directory.Read.All

To set up an Azure Application, do as follows:

  1. Create an Azure application.
  2. Create a client secret.
  3. Set up application permissions.
  4. Find your tenant domain information.

Warning

You must follow these instructions exactly.

Create an Azure Application

To create an application, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.
  3. On the Microsoft Entra ID page, click Enterprise applications.
  4. Click New application on the top menu.

    Add a new Azure Application.

  5. Click Create your own application.

    This opens Create your own application.

  6. Enter a name for your application, for example, Sophos Microsoft Entra ID Sync.

  7. Select Register an application to integrate with Microsoft Entra ID (App you're developing).

    Screenshot showing example new Azure App.

  8. Click Create.

    This opens Register an application.

  9. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

    Screenshot showing single tenant app type selected.

  10. Under Redirect URI (optional), select Web and enter https://central.sophos.com.

    Screenshot showing the redirect URL.

  11. Click Register.

You now need to create a client secret.

Create a client secret

To create a client secret, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.
  3. Click App registrations.

    Screenshot showing Microsoft Entra ID and App registrations.

  4. Select your newly added application. In this example, it's Sophos Microsoft Entra ID Sync.

  5. Make a note of the Application (client) ID.

    You'll need to enter this as the Client ID when you're configuring Microsoft Entra ID Sync in Sophos Central.

    Screenshot showing Client Secret for Microsoft Entra ID application.

  6. Click Certificates & secrets, and then click New client secret.

    Screenshot showing Certificates and Secrets.

  7. Create a client secret.

  8. Make a note of the information in the Value field and the Expires field.

    The Value field contains your Client secret and the Expires field contains your client secret expiration.

    When configuring the Microsoft Entra ID sync in Sophos Central, use the Value and Expires field values for the client secret and client secret expiration fields, respectively. See Set up synchronization with Microsoft Entra ID.

    Screenshot showing client secret setup.

    Note

    The client secret isn't shown again. You can't recover it later.

You now need to set up your application permissions.

Set up application permissions

Warning

You must follow the instructions in this section exactly.

To set up permissions, do as follows:

  1. Sign in to your Azure portal.
  2. Click View under Manage Microsoft Entra ID, or click the portal menu, and then click Microsoft Entra ID.
  3. Click App registrations.

    Screenshot showing Microsoft Entra ID and App registrations.

  4. Select your newly added application. In this example, it's Sophos Microsoft Entra ID Sync.

  5. Click API permissions on the left-hand side and click Add a permission.

    Screenshot showing the Add a permission option highlighted.

  6. You need to add the Microsoft Graph permission. To do this, do as follows:

    1. Under Request API Permissions, click Microsoft Graph.
    2. Under What type of permissions does your application require?, click Application permissions.

      Microsoft Graph Application permissions.

    3. Select Directory from the list.

    4. Under Directory, click Directory.Read.All.

      Microsoft Graph Read directory permissions.

  7. Under Grant consent, click Grant admin consent for <account> and then click Yes.

    Screenshot showing the grant consent option.

    You should see a message saying that you've granted consent.

You now need to find your tenant domain information and check that you have all the required information for setting up Microsoft Entra ID synchronization in Sophos Central.

Find your tenant domain information

You need to make a note of your tenant domain information and check that you have all the Azure information you need. To do this, do as follows:

  1. Go to your Microsoft Entra ID configuration and open Custom domain names. Make a note of your tenant domain.

    This is the primary domain assigned to your Microsoft Entra ID instance. You need to enter this in Domain in Sophos Central.

  2. Check you have a note of the following information:

    • Application ID. You need to enter this in Client ID in Sophos Central.
    • The value for your client secret. You need to enter this in Client Secret in Sophos Central.
    • Client secret expiration. You need to enter this in Client secret expiration in Sophos Central.
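Once admin consent has been granted (Set up application permissions) and the secret and its expiry are noted (Create a client secret), it is worth confirming that the application really holds only Directory.Read.All and that the secret is not about to expire. The following Python script is an added example, not Sophos or Microsoft code. It decodes the payload of an access token obtained for the application (without verifying the signature, so it is only an inspection aid), compares the `roles` claim against the single permission this page requires, and computes the days left on the client secret. The client ID, the expiry date and the tokens are constructed placeholders; the claim names `appid`, `azp`, `roles` and `scp` are the ones Microsoft Entra ID uses in its access tokens.

```python
import base64
import json
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed placeholders standing in for the values copied from the Azure portal.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder Application (client) ID
CLIENT_SECRET_EXPIRES = "2026-03-31"                   # placeholder Expires value (YYYY-MM-DD)
REQUIRED_ROLES: Set[str] = {"Directory.Read.All"}      # the only application permission this page asks for


def b64url_decode(segment: str) -> bytes:
    """Base64url decoding with the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Use this only to inspect what permissions a token carries, never to decide
    whether a token is authentic."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def check_app_roles(claims: Dict, client_id: str, required: Set[str]) -> List[str]:
    """Compare the token's application permissions (the `roles` claim) with
    what the sync integration needs. Returns findings; an empty list means OK."""
    findings = []
    # v1.0 tokens carry the caller's app ID in `appid`, v2.0 tokens in `azp`.
    issued_to = claims.get("appid") or claims.get("azp")
    if issued_to != client_id:
        findings.append(f"token was issued to {issued_to}, not {client_id}")
    if "roles" not in claims and "scp" in claims:
        findings.append("token carries delegated scopes (scp), not application permissions (roles)")
    roles = set(claims.get("roles", []))
    missing = required - roles
    extra = roles - required
    if missing:
        findings.append(f"missing permission(s) (admin consent not granted?): {sorted(missing)}")
    if extra:
        findings.append(f"over-privileged: unexpected permission(s) {sorted(extra)}")
    return findings


def days_until_secret_expiry(expires: str, today: Optional[str] = None) -> int:
    """Days left on the client secret; negative means it has already expired.
    `today` is an ISO date and defaults to the current UTC date."""
    today_date = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    return (date.fromisoformat(expires) - today_date).days


if __name__ == "__main__":
    # Constructed tokens: one as expected, one carrying more than was asked for.
    samples = {
        "expected": make_unsigned_token({"appid": CLIENT_ID, "roles": ["Directory.Read.All"]}),
        "too_broad": make_unsigned_token(
            {"appid": CLIENT_ID, "roles": ["Directory.Read.All", "Directory.ReadWrite.All"]}),
    }
    for name, token in samples.items():
        print(name, check_app_roles(decode_jwt_claims(token), CLIENT_ID, REQUIRED_ROLES) or "OK")
    print("days until client secret expires:", days_until_secret_expiry(CLIENT_SECRET_EXPIRES))
```

In practice you would feed `decode_jwt_claims` a token acquired for the application with the client-credentials flow; if `roles` is missing, admin consent was not granted (step 7), and any role beyond Directory.Read.All means the registration has more rights than this integration needs. Run the expiry check periodically so the secret can be rotated and updated in Sophos Central before synchronization stops.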

You're now ready to configure your Microsoft Entra ID settings. You can find help on how to do this in Set up synchronization with Microsoft Entra ID.