
Troubleshooting Microsoft Entra ID (Azure AD)

Learn how to troubleshoot issues related to the Microsoft Entra ID configuration with the firewall.

Can I use the same Azure application I created for Microsoft Entra ID Sync in Sophos Central?

Yes, you can use the same Azure application to protect multiple applications. We recommend creating a separate Azure application to use with the firewall for better isolation and granular security control.​

Why am I getting the 500 Internal Server Error message after integrating Microsoft Entra ID with the firewall?

You get this error message if you haven't assigned the following Delegated permissions to the application role:

  • User.Read
  • User.Read.All
  • Group.Read.All

See (Optional) Create an application role.

Why am I getting the AADSTS50011 error message from Microsoft?

You get this error message if you haven't pasted the web admin console URL in Redirect URI on Azure. See step 7 in Add a Microsoft Entra ID (Azure AD) server.
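The following Python helper is an added illustration, not part of the Sophos documentation. It shows why AADSTS50011 occurs: Microsoft Entra ID compares the redirect_uri in the sign-in request against the registered Redirect URI as a full string, so scheme, host, port, path and trailing slash must all agree. The registered URI and the request URLs below are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Redirect URI registered on the Azure application.
# In practice this is the web admin console URL pasted into Redirect URI.
REGISTERED_REDIRECT_URIS = [
    "https://firewall.example.com:4444/",
]


def redirect_uri_from_request(authorize_url: str) -> Optional[str]:
    """Extract the redirect_uri parameter from an authorize request URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    values = query.get("redirect_uri")
    return values[0] if values else None


def diagnose_redirect_uri(authorize_url: str,
                          registered: List[str] = REGISTERED_REDIRECT_URIS) -> List[str]:
    """Return [] when redirect_uri exactly matches a registered URI (no
    AADSTS50011). Otherwise return one finding per registered URI listing
    the components that differ, which is what has to be corrected on Azure."""
    requested = redirect_uri_from_request(authorize_url)
    if requested is None:
        return ["redirect_uri parameter missing from the request"]
    if requested in registered:
        return []
    req = urlsplit(requested)
    findings = []
    for candidate in registered:
        reg = urlsplit(candidate)
        diffs = []
        if req.scheme != reg.scheme:
            diffs.append(f"scheme {req.scheme!r} != {reg.scheme!r}")
        if req.hostname != reg.hostname:
            diffs.append(f"host {req.hostname!r} != {reg.hostname!r}")
        if req.port != reg.port:
            diffs.append(f"port {req.port!r} != {reg.port!r}")
        if req.path != reg.path:
            # A missing trailing slash shows up here as '' != '/'.
            diffs.append(f"path {req.path!r} != {reg.path!r}")
        detail = "; ".join(diffs) or "differs only in query or fragment"
        findings.append(f"vs {candidate}: {detail}")
    return findings
```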

Where can I see the Microsoft Entra ID logs?

You can see the Microsoft Entra ID logs in the following locations:

Advanced shell CLI

  • Web admin console logs: /log/oauth_sso_webadmin.log
  • Captive portal logs: /log/oauth_sso_captive.log

Log viewer

  • Web admin console logs: Admin module
  • Captive portal logs: Authentication module

Can I use Microsoft Entra ID SSO to sign in to the web admin console of the auxiliary device?

You can't currently sign in to the web admin console of the auxiliary HA device using Microsoft Entra ID SSO.

Why can't I sign in using Credential login?

Microsoft Entra ID (formerly Azure AD) uses token-based authentication through OAuth 2.0 and OpenID Connect (OIDC). As a result, local and remote users can't use Credential login to sign in with a username and password.

To implement Credential login, you can use directory services, such as Active Directory (AD) or LDAP.