
Configure Azure AD in Azure Portal

To integrate Azure AD with Sophos Firewall, you must do as follows in Azure:

  1. Create an application for the firewall.
  2. Create application roles, groups, or both.

    Application roles are specific to an application, and you can control access by assigning users and permissions to the roles required for that application. If you want to use application roles, see (Optional) Create an application role.

    To use Azure AD groups, create groups specifically for the firewall and add only the users to whom you want to provide access to the firewall. If you want to use Azure AD groups, see (Optional) Create an Azure AD group.

  3. Assign users to the application.

In Sophos Firewall, you must then add Azure AD SSO as an authentication server. See Add an Azure Active Directory server.

Best practices

Here are the best practices for integrating Azure AD with Sophos Firewall:

  • Create a separate Azure application for the firewall for granular control and isolation.
  • Make sure you turn on Assignment required in Azure AD to grant access to only the users assigned to the Azure application.
  • Grant only the required API permissions: User.Read, User.Read.All and Group.Read.All.
  • Use application roles instead of Azure AD groups.

Create an application for the firewall

We recommend you create a separate Azure application for the firewall for granular control and isolation. To create an application for the firewall, do as follows:

  1. In Azure, go to Azure Active Directory > App registrations and click New registration.
  2. Enter a name for the application.
  3. Under Supported account types, for Who can use this application or access this API?, select Accounts in this organizational directory only (Default Directory only - Single tenant).
  4. Under Redirect URI (optional), in the Select a platform list, select Web.

    You don't need to specify a URL in the next field.

  5. Click Register.

    Azure Portal shows the details of the application you created.

  6. Note the following details:

    • Application (client) ID
    • Directory (tenant) ID

    (Screenshot: Application details)

    You must enter these details when adding an Azure AD server to Sophos Firewall.

  7. In Properties, turn on Assignment required.

(Optional) Create an application role

Application roles allow you to assign permissions to users and applications.

To create an application role, do as follows:

  1. In the application you created for the firewall in Azure, go to App roles and click Create app role.
  2. Enter a name for the role.
  3. In Allowed member types, select Both (Users/Groups + Applications).
  4. In Value, enter a value for the application role.

    For example, adminrole.

    When a user signs in to Sophos Firewall, Azure AD sends a token containing information about that user. The token includes this value to identify the device access rights (or profile) associated with the user. You must enter this value for the corresponding Identifier type on the firewall.

  5. Enter a description for the role.

  6. Click Apply.

    The application role you created is shown in the application roles list.

  7. Go to API permissions and click Add a permission.

  8. In the Request API permissions pane, click Microsoft Graph.
  9. Select Delegated permissions.
  10. Under Select permissions, select the User.Read, User.Read.All and Group.Read.All permissions.
  11. Click Add permissions.
  12. Grant admin consent for the selected permissions.

    Here's an example:

    (Screenshot: Grant admin consent)

    Note

    The administrator consents on behalf of all users in the tenant's active directory. This allows the application to access the data of all users without prompting users for consent. See Permissions and consent in the Microsoft identity platform.
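As an added example (not Sophos code or Microsoft's library), the following Python shows the claim checks a firewall-side verifier needs before it trusts an Azure AD ID token: the audience must be the Application (client) ID, the tenant must be the Directory (tenant) ID, the token must not be expired, and the app role Value (such as adminrole) arrives in the `roles` claim and is mapped to a profile. The client and tenant IDs, the role-to-profile mapping and the tokens are constructed for the example, and signature verification against Azure AD's published signing keys is assumed to have happened already.

```python
import base64
import json
import time

# Constructed IDs for this example; use the values noted in Azure Portal.
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TENANT_ID = "22222222-2222-2222-2222-222222222222"

# App role Value -> firewall profile (hypothetical mapping for the example).
ROLE_TO_PROFILE = {"adminrole": "Administrator", "auditrole": "Audit admin"}


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature).

    Assumes the signature was already verified; this only parses the payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def resolve_profile(token, now=None):
    """Return the firewall profile for a token, or None if it must be rejected."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        return None  # issued for a different application registration
    if claims.get("tid") != TENANT_ID:
        return None  # issued by a different directory (tenant)
    if claims.get("exp", 0) <= now:
        return None  # expired
    # App roles assigned to the user are delivered in the "roles" claim.
    # A user with no known role (e.g. not assigned) gets no access.
    for role in claims.get("roles", []):
        if role in ROLE_TO_PROFILE:
            return ROLE_TO_PROFILE[role]
    return None


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT to exercise the checks above."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```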

(Optional) Create an Azure AD group

In Azure, do as follows:

  1. Create an Azure AD group specifically for the firewall.
  2. To the Azure AD group, add only the users to whom you want to provide access to the firewall.

For instructions about creating Azure AD groups and assigning users, see Quickstart: Create a group with members and view all groups and members in Azure Active Directory.

Assign users to the application

To assign users to the application, do as follows:

  1. Go to the application you created for the firewall in Azure.
  2. Next to Manage application in local directory, click the application's name.

    (Screenshot: Manage application)

  3. Click Assign users and groups, and then click Add user/group.

  4. Search for the user you want to add and select the user.
  5. Select the application role you created.

    If you've created more than one application role, select the application role you want to assign to the user.

  6. Click Assign.

Create a client secret

When you're adding an Azure AD server to Sophos Firewall, paste this secret in Client secret.

To create a client secret in Azure, do as follows:

  1. Go to the application you created for the firewall.
  2. In the application, go to Certificates & secrets > Client secrets and click New client secret.
  3. Enter a description, select the secret's expiry duration, and click Add.
  4. Copy the secret from Value next to the name of the secret immediately.

    Note

    You must copy the secret immediately because Azure Portal hides the secret once the page reloads.

Paste the web admin console URL in Azure

Do as follows:

  1. Go to the application you created for the firewall, and under Essentials > Redirect URI, click Add a Redirect URI.

    (Screenshot: Add redirect URI)

  2. Go to Add a platform > Web. Under Redirect URIs, paste the firewall's web admin console URL and click Configure.