Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-server-Azure-configure

Configure Microsoft Entra ID (Azure AD) in Azure Portal

To integrate Microsoft Entra ID with the firewall, you must do as follows in Azure:

  1. Create an application for the firewall.

  2. Create application roles, groups, or both.

    Application roles are specific to an application, and you can control access by assigning users and permissions to the roles required for that application. If you want to use application roles, see (Optional) Create an application role.

    To use Microsoft Entra ID groups, create groups specifically for the firewall and add only the users to whom you want to provide access to the firewall. If you want to use Microsoft Entra ID groups, see (Optional) Create a Microsoft Entra ID group.

  3. Assign users to the application.

In the firewall, you must then add Microsoft Entra ID SSO as an authentication server. See Add a Microsoft Entra ID (Azure AD) server.

Best practices

Here are the best practices for integrating Microsoft Entra ID with the firewall:

  • Create a separate Azure application for the firewall for granular control and isolation.
  • Make sure you turn on Assignment required in Microsoft Entra ID to grant access to only the users assigned to the Azure application.
  • Grant only the required API permissions, User.Read, User.ReadAll and Group.ReadAll.​
  • Use application roles instead of Microsoft Entra ID groups.

Create an application for the firewall

We recommend you create a separate Azure application for the firewall for granular control and isolation. To create an application for the firewall, do as follows:

  1. In Azure, go to Azure Active Directory > App registrations and click New registration.
  2. Enter a name for the application.
  3. Under Supported account types, for Who can use this application or access this API?, select Accounts in this organizational directory only (Default Directory only - Single tenant).

  4. Under Redirect URI (optional), in the Select a platform list, select Web.

    You don't need to specify a URL in the next field.

  5. Click Register.

    Azure Portal shows the details of the application you created.

  6. Note the following details:

    • Application (client) ID
    • Directory (tenant) ID

    Application details.

    You must enter these details when adding a Microsoft Entra ID server to the firewall.

  7. In Properties, turn on Assignment required.

(Optional) Create an application role

Application roles allow you to assign permissions to users and applications.

To create an application role, do as follows:

  1. In the application you created for the firewall in Azure, go to App roles and click Create app role.
  2. Enter a name for the role.
  3. In Allowed member types, select Both (Users/Groups + Applications).

  4. In Value, enter a value for the application role.

    For example, adminrole.

    When a user signs in to the firewall, Microsoft Entra ID sends a token containing information about that user. The token includes this value to identify the device access rights (or profile) associated with the user. You must enter this value for the corresponding Identifier type on the firewall.

  5. Enter a description for the role.

  6. Click Apply.

    The application role you created is shown in the application roles list.

  7. Go to API permissions and click Add a permission.

  8. In the Request API permissions pane, click Microsoft Graph.
  9. Select Delegated permissions.
  10. Under Select permissions, select the User.Read, User.ReadAll and Group.ReadAll permissions.
  11. Click Add permissions.

  12. Grant admin consent for the selected permissions.

    Here's an example:

    Grant admin consent.

    Note

    The administrator consents on behalf of all users in the tenant's active directory. This allows the application to access the data of all users without prompting users for consent. See Permissions and consent in the Microsoft identity platform.

(Optional) Create a Microsoft Entra ID group

In Azure, do as follows:

  1. Create a Microsoft Entra ID group specifically for the firewall.
  2. To the Microsoft Entra ID group, add only the users to whom you want to provide access to the firewall.

For instructions about creating Microsoft Entra ID groups and assigning users, see Quickstart: Create a group with members and view all groups and members in Azure Active Directory.

Assign users to the application

To assign users to the application, do as follows:

  1. Go to the application you created for the firewall in Azure.

  2. Next to Manage application in local directory, click the application's name.

    Manage application.

  3. Click Assign users and groups, and then click Add user/group.

  4. Search for the user you want to add and select the user.

  5. Select the application role you created.

    If you've created more than one application role, select the application role you want to assign to the user.

  6. Click Assign.

Create a client secret

When you're adding Microsoft Entra ID server to the firewall, paste this secret in Client secret.

To create a client secret in Azure, do as follows:

  1. Go to the application you created for the firewall.
  2. In the application, go to Certificates & secrets > Client secrets and click New client secret.
  3. Enter a description, select the secret's expiry duration, and click Add.

  4. Copy the secret from Value next to the name of the secret immediately.

    Note

    You must copy the secret immediately because Azure Portal hides the secret once the page reloads.

Paste the web admin console URL in Azure

Do as follows:

  1. Go to the application you created for the firewall, and under Essentials > Redirect URI, click Add a Redirect URI.

    Add redirect URI.

  2. Go to Add a platform > Web, in Redirect URIs, paste the URL and click Configure.