Set up synchronization with Active Directory

Follow these instructions to set up synchronization with Active Directory.

You need to read the following sections and complete any necessary tasks before you set up synchronization with Active Directory:

  • Before you start
  • Best practice
  • Active Directory Synchronization

If you've already done this, go to Select Directory Service to begin setup.

Before you start

Before you can set up synchronization, you need to have the following:

  • .NET Framework 4.5.2 installed on the computer where you'll run Active Directory Synchronization Setup.
  • Sophos API credentials to synchronize with Active Directory. You need to set these up before you set up synchronization with Active Directory, change your existing configuration, or synchronize with Active Directory.

    Only the Service Principal Super Admin and Service Principal Active Directory Sync roles can synchronize with Active Directory. If you choose any other API role, synchronization fails.

    We recommend that you use the Service Principal Active Directory Sync API role. We recommend giving API users and applications only the level of access they need. You should keep their access as specific as possible.

    See API Credentials Management.

Make sure all your Active Directory users have an email address. You need an email address for your users to protect them when using many Sophos Central workflows. For example, if you're using Sophos Email to protect your users, email going to an email address not associated with a user isn't delivered.

Best practice

We recommend that you remove inactive users and devices from your Active Directory domains. Inactive user accounts and devices are a security risk. This also reduces the size of the file sent to Sophos Central from Active Directory. This speeds up synchronization.

You can find help on finding and removing inactive users as follows:

You can use Active Directory filters to stop inactive users from synchronizing with Sophos Central. This can reduce the size of the synchronization file sent to Sophos Central, but it doesn't mitigate the security risks associated with inactive users in your Active Directory domains.

See Filter inactive AD users.
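As an added example (not part of the Sophos documentation or of Active Directory Synchronization Setup), the following PowerShell script reports enabled user and computer accounts that have not logged on within a given period, so you can review them before removing them from the domain. It assumes the RSAT ActiveDirectory module is installed and that you run it with read access to the domain; the 90-day threshold and the CSV paths are assumptions to adjust to your own policy.

```powershell
# Added example, not part of the Sophos documentation or Active Directory
# Synchronization Setup: report enabled user and computer accounts that have not
# logged on within a given period, so you can review them before removing them
# from the domain. Assumes the RSAT ActiveDirectory PowerShell module is
# installed and that you run it as a user with read access to the domain. The
# 90-day threshold and the CSV paths are assumptions; adjust them to your policy.
#Requires -Modules ActiveDirectory
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)

$window = New-TimeSpan -Days $InactiveDays

# Search-ADAccount evaluates lastLogonTimestamp, which replicates between domain
# controllers only every 9 to 14 days, so treat the result as approximate.
# Accounts that have never logged on are also returned; whenCreated separates
# brand-new accounts from stale ones.
$inactiveUsers = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties mail, whenCreated, LastLogonDate } |
    Select-Object SamAccountName, mail, LastLogonDate, whenCreated, DistinguishedName

$inactiveComputers = Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName -Properties OperatingSystem, LastLogonDate } |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName

"Enabled users with no logon in the last {0} days: {1}" -f $InactiveDays, @($inactiveUsers).Count
"Enabled computers with no logon in the last {0} days: {1}" -f $InactiveDays, @($inactiveComputers).Count

# Export for review. Nothing in the directory is changed by this script.
$inactiveUsers     | Export-Csv -NoTypeInformation -Path ".\inactive-users.csv"
$inactiveComputers | Export-Csv -NoTypeInformation -Path ".\inactive-computers.csv"

# First remediation step, as a dry run: disable rather than delete, so a
# mistaken match can be reversed. Remove -WhatIf only after reviewing the CSV.
$inactiveUsers | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Disabling first and deleting later keeps the cleanup reversible, and a disabled account is already excluded from synchronization by default (see Exclude disabled user accounts under AD Filters), so the synchronization file shrinks as soon as the accounts are disabled.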

How we synchronize with Active Directory

To synchronize with Active Directory, you need to download and install Active Directory Synchronization Setup (we describe how to download and install it later).

Active Directory Synchronization Setup works as follows:

  • It synchronizes active users and user groups.

    It doesn't create duplicates when an Active Directory user or group matches an existing Sophos Central user or group. For example, it can add an email address from Active Directory to an existing user in Sophos Central.

  • It synchronizes devices and device groups. You can find information on how it matches devices and groups together with other useful information in Device group discovery FAQ.

You can set it to run automatically at set times.

It supports only the Active Directory service.

It doesn't help you install the Sophos agent software on your users' devices. Use other methods of deployment with Active Directory.

Restriction: You must be an Admin to set up or change directory services.

To set up synchronization with Active Directory, you need to do as follows:

  1. Choose the directory service you want to use.
  2. Download Active Directory Synchronization Setup and validate your credentials.
  3. Enter your Active Directory configuration.
  4. Set up your synchronization options.
  5. Synchronize Active Directory.

Select directory service

These instructions assume you don't have a directory service set up.

If you want to change directory services, see Change directory service.

To select your directory service, do as follows:

  1. Go to Overview > Global Settings > Directory service.
  2. Click the Getting started link.
  3. Choose the directory service you want to use.
    • AD sync
    • Azure AD sync
  4. Click Next and review and acknowledge the warning.
  5. Click Next.

You can now set up your chosen directory service.

Download setup software and validate credentials

Before you validate your credentials, check that they use the correct API role.

Only the Service Principal Super Admin and Service Principal Active Directory Sync roles can synchronize with Active Directory. If you choose any other API role, synchronization fails.

Note: We recommend that your API credentials use the Service Principal Active Directory Sync API role. You should always make sure that access is as specific as possible.

You need to download Active Directory Synchronization Setup and validate your API credentials before setting up Active Directory synchronization. You also need to validate your proxy server settings if you're using a proxy.

To validate your credentials, do as follows:

  1. Click the link to download Active Directory Synchronization Setup. Then run it.
    Active Directory Synchronization Setup starts.
  2. Enter your Client ID and Client Secret and click Validate credentials.
  3. Turn on Configure proxy manually if you want to use a proxy, and enter your Proxy address.
  4. If you're using a proxy, you can turn on additional authentication. Turn on Enable proxy authentication and enter the following information.
    • Proxy user
    • Proxy password
  5. Click Validate credentials to check your proxy settings.

Enter your Active Directory configuration

To enter your configuration, do as follows:

  1. On the AD Configuration page, enter the details for your Active Directory LDAP server and credentials.

    You must use the credentials for a user account with read access to the entire Active Directory forest you want to synchronize. To stay secure, use an account with limited rights.

    We recommend using a secure LDAP connection, encrypted using SSL, and leaving Use LDAP over an SSL connection (recommended) turned on.

  2. If your LDAP environment doesn't support SSL, turn off Use LDAP over an SSL connection (recommended) and change the port number. The port number is usually 636 for SSL connections and 389 for insecure connections.

    Microsoft released a security update that changed LDAP channel binding and LDAP signing for Active Directory. Insecure connections on port 389 don't work with the Microsoft security update. See 2020 LDAP channel binding and LDAP signing requirements for Windows.
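Before turning off Use LDAP over an SSL connection (recommended), it is worth confirming whether the domain controller actually offers LDAPS and whether the synchronization computer trusts its certificate. The following PowerShell script is an added example (not part of the Sophos documentation or of Active Directory Synchronization Setup) that does both: it checks that port 636 is listening, binds over SSL with the current user's credentials, and reads rootDSE to prove the session works. Run it on the computer that will host the synchronization, as the account you intend to use for LDAP. The server name is a placeholder you must supply.

```powershell
# Added example, not part of the Sophos documentation or Active Directory
# Synchronization Setup: check that a domain controller accepts LDAP over SSL on
# port 636 and presents a certificate this computer trusts, before deciding
# whether "Use LDAP over an SSL connection (recommended)" can stay on. Run it on
# the computer that will host the synchronization, as the account you intend to
# use for LDAP. The server name is a placeholder you must supply.
param(
    [Parameter(Mandatory)] [string]$Server,   # e.g. dc01.mycompany.com (placeholder)
    [int]$Port = 636
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Is anything listening? A closed port 636 usually means the domain
#    controller has no server authentication certificate installed.
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP listener on ${Server}:${Port}. LDAPS is not available on this domain controller."
}

# 2. Bind over SSL with the current user's credentials. The default certificate
#    validation applies, so an untrusted issuer, an expired certificate or a
#    name mismatch fails here instead of surfacing later as a sync error.
$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port, $false, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()

    # 3. Read rootDSE so the session is proven to work end to end, not just the
    #    TLS handshake.
    $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
        "", "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("defaultNamingContext"))
    $response = $conn.SendRequest($request)
    $namingContext = $response.Entries[0].Attributes["defaultNamingContext"][0]
    "LDAPS bind to $Server succeeded. defaultNamingContext: $namingContext"
}
catch {
    # For LdapException, ServerErrorMessage carries the server-side detail
    # (for example a channel binding or signing requirement not being met).
    $detail = if ($_.Exception -is [System.DirectoryServices.Protocols.LdapException]) { $_.Exception.ServerErrorMessage } else { "" }
    Write-Error ("LDAPS bind to ${Server}:${Port} failed: {0} {1}" -f $_.Exception.Message, $detail)
}
finally {
    $conn.Dispose()
}
```

If the TCP check fails, the fix is on the domain controller (it needs a server authentication certificate), not in the synchronization settings. If the bind fails with a certificate error, install the issuing CA certificate in the synchronization computer's trusted root store rather than falling back to port 389.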

Set up your synchronization options

To set up the options for your synchronization, do as follows:

  1. Click Next and set up your synchronization using the remaining tabs. You can click Finish on any of the tabs if you've finished setting up.
  2. If you want to sync devices and device groups, do as follows:
    1. Click AD Filters.
    2. Turn on Sync devices and Sync organizational units.
    3. You may want to synchronize your Organizational Units before you synchronize your devices so that you can configure the groups in advance. To do this, turn on Sync organizational units only.

      We recommend that you synchronize your Organizational Units before you synchronize your devices for the first time. This allows you to set up your policies and apply them to your groups. You can then synchronize your devices and we apply your policies to your devices. If you don't do this we apply our default policies to your groups and devices.

      If you synchronize your Organizational Units before you synchronize your devices, you must turn on Sync devices and Sync organizational units when you synchronize your devices. This maintains the association between your Organizational Units and devices.

      If you want to change these settings after you've synchronized your Organizational Units and your devices, you need to know the following:

      • If you turn off Sync organizational units and leave Sync devices turned on and then synchronize, your Organizational Units show as Custom Groups in Sophos Central.
      • If you turn off Sync devices and leave Sync organizational units turned on and then synchronize, your devices aren't assigned to groups in Sophos Central.
  3. On the AD Filters tab, configure an LDAP filter to select the users, devices, and groups to sync. You can enter additional search options (search bases and LDAP query filters) for each domain. You can also specify different options for users and user groups.
    Note: Synchronization only creates groups with discovered users or devices, regardless of group filter settings.

    The options are as follows.

    Search bases

    You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:

    OU=Finance,DC=myCompany,DC=com

    LDAP query filters

    To filter users, for example, by group membership, you can define a user query filter in this format:

    memberOf=CN=testGroup, DC=myCompany, DC=com

    This query limits user discovery to users belonging to “testGroup”. Note that synchronization discovers all groups to which these discovered users belong if you don't specify a group query filter. If you also want group discovery to be limited to “testGroup”, you can define the following group query filter:

    CN=testGroup

    You can also use these filters to stop inactive users from synchronizing with Sophos Central.

    Exclude disabled user accounts

    By default, synchronization excludes disabled user accounts. To include them, turn off this option.

    Warning: If you include base distinguished names in your search options or change your filter settings, some of the Sophos Central users and groups created during previous synchronizations might fall outside the search scope and be deleted from Sophos Central.
  4. On the Sync Schedule tab, define the times at which synchronization happens.
    Note: A background service performs a scheduled synchronization.
  5. If you want to synchronize manually and don't want the synchronization to run automatically, click Never. Only sync when manually initiated.
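Because a changed search base or query filter can push previously synchronized users out of scope and get them deleted from Sophos Central, it helps to see the effect of a filter before applying it. The following PowerShell script is an added example (not part of the Sophos documentation or of Active Directory Synchronization Setup) that previews which users, groups and computers a search base and user query filter would select, and lists the users that would leave scope compared with the current filter. It assumes the RSAT ActiveDirectory module and read access to the domain; the search base and group DN reuse the values from the text above (written without spaces) as placeholders for your own. Note that, unlike the Setup fields shown above, this script takes standard parenthesized LDAP filter syntax.

```powershell
# Added example, not part of the Sophos documentation or Active Directory
# Synchronization Setup: preview which users, groups and computers a search base
# and user query filter would select, and which currently in-scope users would
# fall outside the new scope. Assumes the RSAT ActiveDirectory module and read
# access to the domain. The search base and group DN reuse the values from the
# text above (written without spaces); they are placeholders for your own.
# Unlike the Setup fields, this script takes standard parenthesized LDAP filters.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase    = "OU=Finance,DC=myCompany,DC=com",
    [string]$CurrentFilter = "(objectClass=*)",                              # no extra restriction
    [string]$NewFilter     = "(memberOf=CN=testGroup,DC=myCompany,DC=com)"   # proposed user filter
)

# Mirrors "Exclude disabled user accounts": bit 2 (ACCOUNTDISABLE) of
# userAccountControl, tested with the LDAP_MATCHING_RULE_BIT_AND rule OID.
$enabledOnly = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

function Get-ScopedUsers([string]$Base, [string]$Filter) {
    # objectCategory=person plus objectClass=user selects user accounts only,
    # excluding computer objects, which also carry objectClass=user.
    $combined = "(&(objectCategory=person)(objectClass=user)$Filter$enabledOnly)"
    Get-ADUser -SearchBase $Base -SearchScope Subtree -LDAPFilter $combined -Properties mail, memberOf
}

$current  = @(Get-ScopedUsers -Base $SearchBase -Filter $CurrentFilter)
$proposed = @(Get-ScopedUsers -Base $SearchBase -Filter $NewFilter)

# Users selected today but not by the new filter are the ones the Warning above
# refers to: their Sophos Central records may be deleted on the next sync.
$proposedDns = $proposed | ForEach-Object { $_.DistinguishedName }
$leaving = @($current | Where-Object { $proposedDns -notcontains $_.DistinguishedName })

# Users with no mail attribute cannot be protected by email-based workflows.
$noMail = @($proposed | Where-Object { -not $_.mail })

# Groups discovery would create: those with at least one in-scope user. memberOf
# omits each user's primary group (normally Domain Users).
$groups = @($proposed | ForEach-Object { $_.memberOf } | Sort-Object -Unique)

# Computer objects under the same search base, as the device sync would see them.
$computers = @(Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter "(objectClass=computer)")

"Users in scope with current filter: {0}; with new filter: {1}" -f $current.Count, $proposed.Count
"Users leaving scope (review before applying the new filter): {0}" -f $leaving.Count
$leaving | ForEach-Object { "  " + $_.DistinguishedName }
"In-scope users without an email address: {0}" -f $noMail.Count
"Groups that would be discovered: {0}" -f $groups.Count
"Computers under the search base: {0}" -f $computers.Count
```

Run it with the filter you currently have in Setup as CurrentFilter and the one you intend to apply as NewFilter; a non-empty "leaving scope" list is the set of accounts to check against Sophos Central before you click Approve Changes and Continue.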

Synchronize Active Directory

We recommend you manually sync with Active Directory when you set up synchronization or make changes to your settings. This means you can check the changes that will be made during the synchronization.

To synchronize, do as follows:

  1. Click Preview and Sync.
    1. If you're using LDAP query filters, check that you've configured them appropriately.
  2. Review the changes that will be made during synchronization. If you're happy with the changes, click Approve Changes and Continue.
    The Active Directory users, devices, and groups are imported from Active Directory to Sophos Central.
  3. Review your users, devices, and groups in Sophos Central.
    1. Check your users to make sure their devices are protected.
    2. Check the policies applied to your users and user groups.
    3. Check your computers and servers for unmanaged devices. These are shown on separate tabs. Protect any unmanaged devices.
    4. Check the policies applied to your devices and device groups. You can apply policies to the Active Directory device group.

Move Active Directory synchronization servers

If you want to move the server you're using to synchronize with Active Directory, do as follows:

  1. Stop synchronizing on your current server.
  2. Set up Active Directory Synchronization on your new server.

    If you need help with this, follow the instructions given in the previous sections on this page.

  3. Check there are no changes needed to the filters.
  4. Preview your synchronization to check that your settings are correct.
  5. Synchronize and check that everything is working as expected.
  6. Set your synchronization schedule.
  7. Remove Active Directory Synchronization from your original server.