Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-server-Azure-AD-allow-URL

Allow Microsoft Azure URLs

You must allow Microsoft Azure URLs to allow Microsoft Entra ID (Azure AD) SSO (Single sign-on) authentication.

Allow URLs for all traffic

You must allow the following Microsoft Azure URLs for all traffic:

Microsoft Azure URL
*.aadcdn.microsoftonline-p.com
*.login.live.com
*.login.microsoftonline.com
*.logincdn.msftauth.net
*.microsoftonline-p.com
*.msauth.net
aadcdn.msftauth.net
login.microsoft.com
login.microsoftonline.com
account.activedirectory.windowsazure.com
*.aadcdn.msauthimages.net
*.aadcdn.msftauthimages.net
*.microsoftonline.com
*.aadcdn.msftauth.net

For the latest list of Microsoft Azure URLs, see Allow the Azure portal URLs on your firewall or proxy server.

Create an FQDN host

Do the following for each URL:

  1. Go to Hosts and services > FQDN host.
  2. Click Add.
  3. Enter the URL as the name.
  4. Enter the URL in FQDN.
  5. Click Save.

Create an FQDN host group

  1. Go to Hosts and services > FQDN host group.
  2. Click Add.
  3. Enter a name.
  4. Click Add new item and select the FQDN hosts you created.
  5. Click Save.

Create a firewall rule

  1. Go to Rules and policies > Firewall rules.
  2. Click IPv4 > Add firewall rule > New firewall rule.

  3. Configure as follows:

    Setting Value
    Rule name Enter a name.
    Action Accept
    Source zones LAN
    Source networks and devices Any
    Destination zones WAN
    Destination networks Select the FQDN host group you created.
    Services
    • DNS
    • HTTPS

  4. Click Save.

Direct web proxy mode

In direct web proxy mode, in addition to the firewall rules required for authentication, you must add the following Microsoft Azure URLs in a web exception:

Microsoft Azure URL
login\.microsoftonline\.com\.?/
^([A-Za-z0-9.-]*\.)?login.live.com\.?/
aadcdn\.msftauth.net\.?/
^([A-Za-z0-9.-]*\.)?aadcdn\.microsoftonline-p\.com\.?/
^([A-Za-z0-9.-]*\.)?login.microsoftonline.com\.?/
^([A-Za-z0-9.-]*\.)?logincdn.msftauth.net\.?/
^([A-Za-z0-9.-]*\.)?aadcdn.msauthimages.net\.?/
^([A-Za-z0-9.-]*\.)?.msauth.net\.?/
^([A-Za-z0-9.-]*\.)?aadcdn.msftauthimages.net\.?/
^([A-Za-z0-9.-]*\.)?microsoftonline\.com\.?/
^([A-Za-z0-9.-]*\.)?microsoftonline-p.com\.?/
^([A-Za-z0-9.-]*\.)?aadcdn.msftauth.net\.?/
^([A-Za-z0-9.-]*\.)?account.activedirectory.windowsazure.com\.?/
login\.microsoft\.com\.?/

To add the Microsoft Azure URLs in a web exception, do as follows:

  1. Go to Web > Exceptions and click Add an exception.
  2. Enter a name.
  3. Select URL pattern matches.
  4. Enter each URL in Search/Add and click Add Add button..
  5. Select all the checks and actions.
  6. Click Save.