Skip to content

Set up directory service

You need a directory service to manage your user groups.

You can use Microsoft Azure AD or Active Directory. To help you decide which to use, consider the following:

  • If you use Azure AD, you can also use it as your identity provider.

  • If you use Active Directory, you'll need a separate identity provider, such as Okta.

In our instructions, we show you how to set up Microsoft Azure AD.

To use Azure AD to manage your users, you need to create an Azure AD tenant, register the ZTNA application, and set up user groups.

You must already have an Azure AD account.


We recommend that you check Microsoft's Azure AD documentation for the latest help.

Create an Azure AD tenant

  1. Sign in to your Azure portal.
  2. Select Azure Active Directory.

    Azure portal

  3. In the Azure AD Overview, click Create a tenant.

    Azure AD Overview

  4. On the Basics tab, select Azure Active Directory. Then click Next: Configuration.

    Tenant Basics tab in Azure AD

  5. On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.

    Tenant Configuration tab in Azure AD

  6. On the next page, review your settings and click Create.

    Final screen to create tenant in Azure AD

Register the ZTNA app

  1. Select Manage > App registrations and click New registration.

    App Registrations page in Azure AD

  2. On the Register an application page, do as follows:

    1. Enter a name.
    2. Accept the default supported account type.
    3. Set a Redirect URI. This is the address that authentication responses are sent to. It must include the ZTNA gateway domain name (FQDN). Here's an example URI:

      You can add multiple gateway FQDNs. You can also add more FQDNs at any time.

    4. Click Register.

      Register an application page in Azure AD

  3. Select Manage > API permissions. Then click Add a permission.

    API permissions page in Azure AD

  4. In Request API Permissions, give Sophos Central the permissions needed to read user groups. You need to add Microsoft Graph API permissions, as follows.

    Select Delegated permissions and add these:

    • Directory.Read.All
    • Group.Read.All
    • openID
    • profile (profile is in the openID set of permissions)
    • User.Read
    • User.Read.All

    Select Application permissions and add this:

    • Directory.Read.All

    Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.

    Request API Permissions page

  5. Currently, you also need one Azure AD Graph API permission, which is available on a different page. To find and add this permission, do as follows:

    1. In Select an API, go to APIs my organization uses.
    2. Search for Windows Azure Active Directory.

      API permissions search

    3. Click the search result to see the Azure Active Directory Graph permissions list.

    4. Select Application permissions.
    5. Click Add permission and add Directory.ReadWrite.All.

    This permission is needed until Sophos Central switches fully to Microsoft Graph APIs.

  6. On the API Permissions page, you can now see the permissions you've added. Click Grant Admin Consent to give the consent that permissions need.

    Completed API permissions

  7. On the app's Overview page, make a note of the following details. You'll need them later.

    • Client ID
    • Tenant ID

    App details in Azure AD

  8. Click Certificates and secrets. Create a Client secret, make a note of the Value of the client secret, and store it securely.


    The client secret isn't shown again. You can't recover it later.

    New client secret in Azure AD

Create an Azure AD user group


This section assumes you create a new user group. You can use an existing group but it must be security enabled. Groups created in Azure AD are automatically security enabled, but groups created from the Microsoft 365 portal or imported from AD aren't.

To create a user group in Azure AD, do as follows.

  1. Sign in to the Azure portal using a Global administrator account for the directory.
  2. Select Azure Active Directory.
  3. On the Active Directory page, select Groups. Click New Group.

    Screenshot of Groups page in Azure AD

  4. In the New Group dialog, fill out the fields.

    1. Select a Group type. In this example, Microsoft 365.
    2. Enter a Group name.
    3. Enter a Group email address or accept the default address shown.
    4. Select the Membership type. Use Assigned, which lets you choose specific users and give them unique permissions.
    5. Click Create.

      The group is created.

    Screenshot of New group dialog in Azure AD

  5. On the new group's page, click Members. Then do as follows:

    1. Click Add members.
    2. Search for the users you want and click them.
    3. When you finish, click Select.

    Screenshot of Members tab in Azure AD

    Next, you go to Sophos Central to synchronize user groups with Azure AD.