Troubleshooting Microsoft Entra ID (Azure AD)
Learn how to troubleshoot issues related to the Microsoft Entra ID configuration with the firewall.
Can I use the same Azure application I created for Microsoft Entra ID Sync in Sophos Central?
Yes. A single Azure application registration can serve more than one integration. However, we recommend registering a separate Azure application for the firewall, so that its permissions, secrets and redirect URIs are isolated from those of Microsoft Entra ID Sync and can be controlled and revoked independently.
Why am I getting the 500 Internal Server Error message after integrating Microsoft Entra ID with the firewall?
You get this error message if the Azure application registration doesn't have the following Microsoft Graph delegated permissions (API permissions) granted:
- User.Read
- User.Read.All
- Group.Read.All
User.Read.All and Group.Read.All require admin consent in the tenant; assigning them without granting consent isn't enough.
Why am I getting the AADSTS50011 error message from Microsoft?
You get this error message (reply URL mismatch) if the redirect URI registered on the Azure application doesn't exactly match the web admin console URL the firewall sends in the sign-in request, including the scheme, hostname, port and path. Paste the web admin console URL in Redirect URI on Azure. See step 7 in Add a Microsoft Entra ID (Azure AD) server.
When migrating users from AD to Microsoft Entra ID, should I use the same username format for both?
By default, AD uses the username format SamAccountName@domain, while Microsoft Entra ID uses UserPrincipalName@domain. The firewall compares the full username string, so it sees them as two different users, even if they belong to the same person.
If you want to use both AD and Entra ID as authentication servers, we recommend using the same username format for both.
If you migrate users from AD to Entra ID and then stop using AD, we recommend aligning the username format for AD and Entra ID before migration to avoid creating duplicate users in the firewall. If you use a different username format in Entra ID, the firewall creates a second user for each migrated person. After migration, you can delete the AD users.
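As an added example (not part of the original page or of any Sophos tool), the following script does the pre-migration check this section calls for: it pairs AD and Entra ID records for the same person and reports every case where the username the firewall would derive from AD (SamAccountName@domain) differs from the Entra ID UserPrincipalName, which is exactly the case that ends up as a duplicate user. The user records, the domains and the use of the mail attribute to pair AD and Entra records are constructed for illustration; in a real run you would feed it exports from Get-ADUser and Microsoft Graph.

```python
"""Pre-migration check: find AD users whose firewall username will not match
their Microsoft Entra ID username, and so would appear twice in the firewall.

Constructed example; the directory data below is illustrative only.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    domain: str
    mail: str  # assumption: mail is the attribute shared with the Entra record


@dataclass(frozen=True)
class EntraUser:
    user_principal_name: str
    mail: str


def ad_firewall_username(user: AdUser) -> str:
    """Username the firewall derives for an AD user (SamAccountName@domain)."""
    return f"{user.sam_account_name}@{user.domain}"


def entra_firewall_username(user: EntraUser) -> str:
    """Username the firewall derives for an Entra ID user (the UPN)."""
    return user.user_principal_name


def find_mismatches(ad_users: Iterable[AdUser],
                    entra_users: Iterable[EntraUser]) -> list[tuple[str, str]]:
    """Return (ad_name, entra_name) for each person whose two names differ.

    Records are paired on the mail attribute (an assumption of this example).
    Comparison is exact: the page doesn't document how the firewall handles
    case, so a case-only difference is still reported.
    """
    entra_by_mail = {u.mail.lower(): u for u in entra_users if u.mail}
    mismatches = []
    for ad in ad_users:
        entra = entra_by_mail.get(ad.mail.lower()) if ad.mail else None
        if entra is None:
            continue  # no Entra counterpart: nothing to compare yet
        ad_name = ad_firewall_username(ad)
        entra_name = entra_firewall_username(entra)
        if ad_name != entra_name:
            mismatches.append((ad_name, entra_name))
    return mismatches


def firewall_user_count(ad_users: Iterable[AdUser],
                        entra_users: Iterable[EntraUser]) -> int:
    """Distinct firewall users that would exist if both servers stay enabled.

    Every mismatched pair adds one extra user over the number of people.
    """
    names = {ad_firewall_username(u) for u in ad_users}
    names |= {entra_firewall_username(u) for u in entra_users}
    return len(names)


# Constructed sample directories (not real accounts).
AD_USERS = [
    AdUser("jdoe", "corp.example.com", "jdoe@corp.example.com"),
    AdUser("asmith", "corp.example.com", "alice.smith@corp.example.com"),
    AdUser("bwong", "corp.example.com", "bwong@corp.example.com"),
    AdUser("svc-backup", "corp.example.com", ""),  # service account, no mailbox
]
ENTRA_USERS = [
    EntraUser("jdoe@corp.example.com", "jdoe@corp.example.com"),
    # UPN prefix differs from sAMAccountName: would become a second user
    EntraUser("alice.smith@corp.example.com", "alice.smith@corp.example.com"),
    # UPN suffix differs from the AD domain: would become a second user
    EntraUser("bwong@contoso.onmicrosoft.com", "bwong@corp.example.com"),
]


if __name__ == "__main__":
    for ad_name, entra_name in find_mismatches(AD_USERS, ENTRA_USERS):
        print(f"MISMATCH: AD '{ad_name}' vs Entra ID '{entra_name}'")
    print(f"{len(AD_USERS)} AD users and {len(ENTRA_USERS)} Entra ID users "
          f"would appear as {firewall_user_count(AD_USERS, ENTRA_USERS)} "
          "firewall users")
```

Fix every reported pair before migrating, either by setting the Entra ID UPN to SamAccountName@domain or by changing the AD logon name to match the UPN; once the lists agree, firewall_user_count equals the number of people and no duplicate users are created.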
Where can I see the Microsoft Entra ID logs?
You can see the Microsoft Entra ID logs in the following locations:
Advanced shell CLI
- Web admin console logs:
/log/oauth_sso_webadmin.log
- Captive portal logs:
/log/oauth_sso_captive.log
Log viewer
- Web admin console logs: Admin module
- Captive portal logs: Authentication module
Can I use Microsoft Entra ID SSO to sign in to the web admin console of the auxiliary device?
You can't currently sign in to the web admin console of the auxiliary HA device using Microsoft Entra ID SSO.
Why can't I sign in using Credential login?
Microsoft Entra ID (formerly Azure AD) uses token-based authentication through OAuth 2.0 and OpenID Connect (OIDC): the user authenticates with Microsoft in the browser, and the firewall receives a token rather than the user's password. So, local and remote users can't use Credential login to sign in with a username and password against Entra ID.
To implement Credential login, use a directory service, such as Active Directory (AD) or LDAP, as the authentication server.