
Add a Microsoft Entra ID (Azure AD) server

Add a Microsoft Entra ID (Azure AD) server to authenticate administrators signing in to the web admin console of the firewall.

Before you add a Microsoft Entra ID server in the firewall, you must configure the authentication infrastructure in Azure Portal. See Configure Microsoft Entra ID (Azure AD) in Azure Portal.

See Restrictions.

To add a Microsoft Entra ID server in the firewall, do as follows:

  1. Go to Authentication > Servers and click Add.
  2. From the Server type list, select Azure AD SSO.
  3. In Server name, enter a name for the server.
  4. For the IDs, do as follows:

    1. In Azure, go to Azure Active Directory > App registrations and click the application you created for the firewall.
    2. Copy Application (client) ID and paste it in Application (client) ID on the firewall.
    3. Copy Directory (tenant) ID and paste it in Directory (tenant) ID on the firewall.
  5. In Azure, create a client secret and paste it in Client secret.

    See Create a client secret.

  6. In Redirect URI, do one of the following:

    • Use the current browser URL: Click this option to copy the web admin console URL.
    • Web admin console URL: Click Copy to copy the web admin console URL.

    Paste the URL in the application you created for the firewall in Azure. See Paste the web admin console URL in Azure.

    Note

    Make sure you copy the URL with the firewall's LAN or WAN IP address and not the Sophos Central reverse SSO URL (the one you would use to access the firewall from Sophos Central).

  7. User attributes under User attribute mapping are fetched from the Azure token to create users in the firewall.

  8. From the Fallback user group list, select a user group.

    If a user's Microsoft Entra ID group exists in the firewall, it assigns the user to that group. If it doesn't exist, the firewall assigns the user to the group you select here.

  9. Select the role mapping criteria as follows:

    1. User type: Currently, you can only authenticate the Microsoft Entra ID administrators signing in to the web admin console.
    2. Identifier type: Select the type you configured in Azure:

      • roles
      • groups
    3. Value: Enter the value you configured in Azure for the Identifier type.

    4. Profile: Select an administrator profile.

      You can see these on Profiles > Device access on the firewall.

    To add multiple identifier types, click Expand.

  10. Click Test connection to validate the user credentials and check the connection to the server.

  11. Click Save.
  12. Go to Authentication > Services and select servers to use for service authentication.
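The fallback-group decision in step 8 and the role-mapping decision in step 9, modelled as an added Python example that is not Sophos Firewall code: it takes a constructed ID-token payload and a list of mapping rules, shows which administrator profile and user group would result, and flags the Entra ID groups-overage case in which the token carries no `groups` claim at all. Profile names, group IDs and claim values are assumed sample data, and the precedence among several matching groups is an assumption.

```python
# Illustrative model (not Sophos Firewall code) of the step 8 and step 9 decisions,
# run over a constructed set of ID-token claims. All names and IDs are sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleMapping:
    identifier_type: str  # "roles" or "groups" (the Identifier type on the firewall)
    value: str            # app role value or group object ID configured in Azure
    profile: str          # administrator profile from Profiles > Device access


def claim_list(claims, name):
    """Normalise a claim that may be absent, a string or a list into a list."""
    v = claims.get(name, [])
    return [v] if isinstance(v, str) else list(v)


def groups_overage(claims):
    """Entra ID omits 'groups' and emits _claim_names when a user is in more
    groups than a token may carry; a mapping on groups then silently never matches."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})


def matched_profiles(claims, mappings):
    """Profiles whose role-mapping rule (Identifier type + Value) matches the token."""
    hits = []
    for m in mappings:
        if m.identifier_type not in ("roles", "groups"):
            raise ValueError(f"unsupported identifier type: {m.identifier_type}")
        if m.value in claim_list(claims, m.identifier_type):
            hits.append(m.profile)
    return hits


def assigned_group(claims, firewall_groups, fallback_group):
    """First token group that exists on the firewall (assumed precedence),
    otherwise the Fallback user group selected in step 8."""
    for g in claim_list(claims, "groups"):
        if g in firewall_groups:
            return g
    return fallback_group


# Constructed sample token payload containing only the claims relevant here.
SAMPLE_CLAIMS = {
    "preferred_username": "admin@example.com",
    "roles": ["Firewall.Admin"],
    "groups": ["11111111-2222-3333-4444-555555555555"],
}
SAMPLE_MAPPINGS = [
    RoleMapping("roles", "Firewall.Admin", "Administrator"),
    RoleMapping("groups", "99999999-8888-7777-6666-555555555555", "Audit Admin"),
]
```

Checking `groups_overage` before trusting a `groups` mapping is the practical point: a user in too many groups would otherwise land in the fallback group without any error.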