Directory service

You can synchronize users and groups from multiple sources using Microsoft Active Directory (AD) and Microsoft Entra ID. You can also synchronize devices, device groups, public folders, and mailboxes from AD.

Note

The directory synchronization overrides manually-added Sophos Central objects when they duplicate AD objects. Moreover, purging the directory sync object from Sophos Central also removes the associated data, because it was overridden as a directory object.

You can also do the following:

Synchronize devices and device groups from AD and synchronize users and user groups from Microsoft Entra ID for the same domain.
Synchronize Microsoft Entra ID for different domains.
Synchronize AD or Google Directory for different domains in the same forest. You can select multiple child domains within a single forest.
Synchornize AD or Google Directory for multiple forests with the same Sophos Central Admin account.

Before you start

If you want your users to have access to the Sophos Central Self Service Portal (SSP) for self-email administration, you must configure user access first, before setting up directory synchronization. For more information on how to configure user access to the Sophos Central SSP, see User access.

This ensures that new and existing users receive an email notification and gain access to SSP.

Restrictions

You can't synchronize users or email addresses to multiple Sophos Central Admin accounts. Users and email addresses must be unique in each Sophos Central Admin account.
You can't synchronize multiple AD sources from the same domain.
You can't synchronize multiple Microsoft Entra ID or Google Directory sources from the same domain.
You can't synchronize users using AD, Microsoft Entra ID, and Google Directory from the same domain.
You can't synchronize different users, groups, or domains from different directory services, independently.
You can't synchronize Microsoft 365 group (shared) mailboxes using Active Directory Synchronization Setup. You must use Microsoft Entra ID or Google Directory synchronization.
You can't synchronize from more than 25 sources. If you want to do that, use Sophos Central Enterprise.

Trial licenses limit the number of directory objects, such as users, devices, and groups, that you can create or access.

Set up directory sources

You must be an Admin to set up directory sources.

Go to People > Set Up Directory Service.

You can download the latest installer for setting up synchronization with AD. For instructions on setting up AD synchronization, see Set up synchronization with Active Directory.
You can add a Microsoft Entra ID source. Click Add Microsoft Entra ID. For instructions on setting up Microsoft Entra ID synchronization, see Set up synchronization with Microsoft Entra ID.
You can add a Google Directory source. Click Add directory service. For instructions on setting up Google Directory synchronization, see Set up synchronization with Google Directory.

When you've set up synchronization, you can see your directory sources.

Directory sources

You can see the following information for each of your sources.

Name: Click the directory source name to see full details.
Type: Active Directory, Azure Active Directory, or Google Directory.
Domain Name: The domain from where your information is synchronized.
Synchronization schedule: The times at which synchronization happens.
Status: If the last synchronization was successful. It also shows if there are any warnings or errors.

You can view synchronization alerts in Alerts.

You can view synchronization events in Reports > Logs > General Logs > Events.

Review details

To check the details for a directory source, click the name of the source.

You can see the following for an AD source:

The number of users, groups, devices, device groups, public folders, and shared mailboxes imported.
Client hostname and AD version.
If the last synchronization was successful or whether any warnings or errors occurred.
Time of the last synchronization with AD.
Domain from where your information is synchronized.

You can see the following information for a Microsoft Entra ID or a Google Directory source or a Google Directory source:

The number of users and groups imported from Microsoft Entra ID or Google Directory.
If the last synchronization was successful or whether any warnings or errors occurred.
Time of the last synchronization with Microsoft Entra ID or Google Directory.
Synchronization schedule.

About shared mailboxes

Shared mailboxes allow multiple users to access and manage a single email account, which makes it easier to communicate and collaborate within the organization. These mailboxes can be synchronized through Microsoft Entra ID or Google Directory.

Here are some things you should know about shared mailboxes:

Shared mailboxes can function without being tied to a specific user, so the user will have have a mailbox without user-specific details.
Delegated users gain access to the Self Service Portal when managing a shared mailbox.
Users with Self Service Portal access can view the emergency inbox and quarantine summary emails associated with the shared mailbox.
Users assigned to shared mailboxes receive quarantine summary emails for their mailbox and the mailbox to which they're delegated.
If users migrate from on-premises AD (Active Directory) to Microsoft Entra ID, we recommend using our Microsoft Entra ID integration. See Change directory source.

This recommendation helps avoid the unexpected removal of shared mailboxes, which can occur due to differences in directory object types after the conversion. This issue may arise if a customer persists in using our on-premises AD sync.

Manage your sources

For each directory source, you can do the following:

Edit name and description. See Change directory source name.
Manually synchronize. See Synchronize a source.

You can change the configuration for your directory sources. You can purge synchronized data and delete your directory sources.

For help on purging synchronized data and deleting your AD sources, see the following:

For help on purging synchronized data and deleting your Microsoft Entra ID directory sources, see the following:

For help on purging synchronized data and deleting your Google Directory sources, see the following:

Change directory source name

You can change the name and description of a source.

Warning

You must turn on synchronization for your changes to take effect. When you turn on synchronization, you can't undo the changes you've made.

To make changes, do as follows:

Go to My Products > General Settings and click Directory service.
Click the name of the source.
Click Turn off.
Edit the name and description.
Click Turn on.

Synchronize a source

To manually synchronize, do as follows:

Go to My Products > General Settings and click Directory service.
Click the name of the source.
Click Synchronize.