Skip to content

Microsoft Entra ID (Azure AD) server

The firewall supports Microsoft Entra ID single sign-on (SSO) authentication using OAuth 2.0/OpenID Connect (OIDC) protocol to sign in users accessing the internet through the captive portal and administrators signing in to the web admin console.

You can import all groups or only those that match specific attributes using the import group assistant. You can also apply schedule and traffic policies.

You can configure Microsoft Entra ID authentication as follows:

  1. To configure Microsoft Entra ID (Azure AD) in Azure Portal, see Configure Microsoft Entra ID (Azure AD) in Azure Portal.

  2. To add the server in the firewall, see Add a Microsoft Entra ID (Azure AD) server.

  3. (Optional) To import groups from Microsoft Entra ID, see Import groups.

  4. To allow the required URLs, see Allow Microsoft Azure URLs.


To use Microsoft Entra ID authentication for services, such as web admin console, captive portal, user portal, and client authentication agent (CAA), you can also configure the firewall with Microsoft Entra ID using the Microsoft Entra ID Domain Services. See Sophos Firewall: Integrate Sophos Firewall with Microsoft Entra ID.

Videos: Configure Microsoft Entra ID SSO

  • Currently, the native firewall integration with Microsoft Entra ID using the OAuth 2.0 and OpenID Connect (OIDC) protocols only supports authentication for the web admin console. It doesn't support authentication for end users. It also doesn't support rules and policies configured to match users, such as firewall rules and SD-WAN routes.

Captive portal authentication