Skip to content

Add a Microsoft Entra ID (Azure AD) server

Add a Microsoft Entra ID (Azure AD) server to authenticate administrators signing in to the web admin console of the firewall and users signing in to the captive portal.

Before you add a Microsoft Entra ID server in the firewall, you must configure the authentication infrastructure in Azure Portal. See Configure Microsoft Entra ID (Azure AD) in Azure Portal.

To add a Microsoft Entra ID server in the firewall, do as follows:

  1. Go to Authentication > Servers and click Add.
  2. From the Server type list, select Azure AD SSO.
  3. In Server name, enter a name for the server.
  4. For the IDs, do as follows:

    1. In Azure, go to Azure Active Directory > App registrations and click the application you created for the firewall.
    2. Copy Application (client) ID and paste it in Application (client) ID on the firewall.
    3. Copy Directory (tenant) ID and paste it in Directory (tenant) ID on the firewall.
  5. In Azure, create a client secret and paste it in Client secret.

    See Create a client secret.

  6. In Redirect URI, enter the firewall's FQDN or IP address. You can also click Use the current browser URL to fill it automatically.

  7. Copy the Web admin console URL or the Captive portal URL.
  8. Paste the URL in the application you created for the firewall in Azure. See Paste the redirect URI in Azure.

    Note

    If you're configuring this from Sophos Central, don't use the Sophos Central reverse SSO URL.

  9. User attributes under User attribute mapping are fetched from the Azure token to create users in the firewall.

  10. From the Fallback user group list, select a user group.

    If a user's Microsoft Entra ID group exists in the firewall, it assigns the user to that group. If it doesn't exist, the firewall assigns the user to the group you select here.

    Note

    If you use the Microsoft Entra ID server in Authentication > Services under Firewall authentication methods, the Fallback user group still applies instead of the Default group.

  11. Select the role mapping criteria as follows:

    Currently, you can only authenticate administrators signing in to the web admin console and users signing in to the captive portal.

    1. User type:

      • User: Select this option if you only want to authenticate captive portal users.
      • Administrator: Select this option if you want to authenticate both web admin console administrators and captive portal users.
    2. Identifier type and profile:

      • Identifier type: Select the type you configured in Azure:

        • roles
        • groups

        See (Optional) Create an application role.

      • Value: Enter the value you configured in Azure for the identifier type.

      • Profile: Select an administrator profile.

        You can see these on Profiles > Device access on the firewall.

      To add multiple identifier types, click Expand Expand button..

      Role identifier type.

  12. Click Test connection to validate the user credentials and check the connection to the server.

  13. Click Save.
  14. Go to Authentication > Services and select the Microsoft Entra ID server under the following authentication methods:

    • Firewall authentication methods: For the captive portal.
    • Administrator authentication methods: For the web admin console.
  15. Go to Authentication > Web authentication.

  16. Select In new browser window.

    Users must explicitly sign out to end their sessions or wait for the Microsoft Entra ID (Azure AD) token expiration time. We recommend keeping the captive portal window open for users to sign out.

  17. Clear Use insecure HTTP instead of HTTPS.

    Microsoft Entra ID SSO isn't supported if you select this option.

  18. Click Apply.

Note

You must select Match known users and Use web authentication for unknown users in the corresponding firewall rules to use Microsoft Entra ID for authentication.