
Integrate Microsoft Entra Domain Services

Microsoft Entra Domain Services replicates identity information from Microsoft Entra ID (Azure AD) to a set of domain controllers managed by Microsoft. It works with Microsoft Entra ID tenants that are cloud-only or synchronized with an on-premises Active Directory (AD) Domain Services environment. The same features exist for both environments.

You can integrate the firewall with Microsoft Entra ID using Microsoft Entra Domain Services. You can then use the following authentication services:

  • Web admin console.
  • Captive portal.
  • User portal.
  • Client authentication agent (CAA) for Windows, macOS, and Linux.
  • Remote access SSL VPN.

This guide includes instructions for third-party products. We recommend that you check the vendors' latest documentation.

Requirements

To integrate the firewall with Microsoft Entra ID using Microsoft Entra Domain Services, you must meet the following requirements:

Create a self-signed certificate

Microsoft Azure accepts self-signed certificates as long as the extendedKeyUsage extension is set to serverAuth. In this example, we use a Linux machine with OpenSSL to generate a self-signed certificate. Do as follows:

  1. Run Terminal.
  2. Run the following command to create the certificate authority (CA) private key.

    Syntax
    openssl genrsa -out <name>.key 4096
    
    Example
    openssl genrsa -out azureADca.key 4096
    
    $ openssl genrsa -out azureADca.key 4096
    Generating RSA private key, 4096 bit long modulus
    ..........................................................................................................................................................++
    ................++
    e is 65537 (0x10001)
    
  3. Run the following command to generate the CA certificate. Enter the required values at the prompts. This CA certificate is used to validate the certificates the CA signs.

    Syntax
    openssl req -x509 -new -nodes -key <CA private key>.key -days <Number of days> -out <name>.pem
    
    Example
    openssl req -x509 -new -nodes -key azureADca.key -days 365 -out azureADca.pem
    
    $ openssl req -x509 -new -nodes -key azureADca.key -days 365 -out azureADca.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:CA
    State or Province Name (full name) []:ON
    Locality Name (eg, city) []:Burlington
    Organization Name (eg, company) []:Sophos
    Organizational Unit Name (eg, section) []:Sales Engineering
    Common Name (eg, fully qualified host name) []:sophostest.com
    Email Address []:admin@sophostest.com
    
  4. Copy and paste the following in a text file and save the file as <name>.conf. For example, azureAD-eku.conf.

    [client_server_ssl]
    extendedKeyUsage = serverAuth
    
  5. Run the following command to create the LDAP certificate private key.

    Syntax
    openssl genrsa -out <name>.key 4096
    
    Example
    openssl genrsa -out ldapssl_private.key 4096
    
    $ openssl genrsa -out ldapssl_private.key 4096
    Generating RSA private key, 4096 bit long modulus
    ...................................++
    ..........++
    e is 65537 (0x10001)
    
  6. Run the following command to generate the certificate signing request (CSR). Enter the required values at the prompts.

    Syntax
    openssl req -new -key <LDAP private key>.key -out <name>.csr
    
    Example
    openssl req -new -key ldapssl_private.key -out azureADldapssl.csr
    
    $ openssl req -new -key ldapssl_private.key -out azureADldapssl.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:CA
    State or Province Name (full name) []:ON
    Locality Name (eg, city) []:Burlington
    Organization Name (eg, company) []:firewallinabox
    Organizational Unit Name (eg, section) []:Sales Engineering
    Common Name (eg, fully qualified host name) []:firewallinabox.tk
    Email Address []:admin@firewallinabox.tk
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:testpassword123!
    
  7. Run the following command to generate a certificate. The CA signs it based on the CSR.

    Syntax
    openssl x509 -req -extensions client_server_ssl -extfile <Extended key usage file>.conf -in <Certificate signing request>.csr -CA <CA public key>.pem -CAkey <CA private key>.key -CAcreateserial -out <name>.crt -days <Number of days>
    
    Example
    openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
    
    $ openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
    Signature ok
    subject=/C=CA/ST=ON/L=Burlington/O=firewallinabox/OU=Sales Engineering/CN=firewallinabox.tk/emailAddress=email@email.com
    Getting CA Private Key
    
  8. Run the following command to convert the certificate to .pfx format.

    Syntax
    openssl pkcs12 -export -out <name>.pfx -inkey <LDAP private key>.key -in <Signed certificate>.crt -certfile <CA certificate>.pem
    
    Example
    openssl pkcs12 -export -out SophosazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.pem
    
    $ openssl pkcs12 -export -out SophosazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.pem
    Enter Export Password:
    Verifying - Enter Export Password:
    

You've created a self-signed certificate. In this example, it's SophosazureADcert.pfx.
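The eight steps above, collected into one non-interactive script with checks on the result. This is an added example, not a script from the Sophos page: it assumes OpenSSL 1.1.1 or later on PATH, uses constructed DN values, file names and passwords, and adds an explicit CA extension file so the CA certificate carries basicConstraints regardless of the system openssl.cnf (the page's step 3 relies on the system default configuration instead). The check functions confirm what Azure requires: the leaf certificate has the serverAuth EKU, chains to the CA, and the PFX contains both certificates.

```shell
#!/bin/sh
# Added example (not from the Sophos page): the OpenSSL procedure above as one
# non-interactive script, plus checks that the output is what Azure expects.
# Assumptions: openssl 1.1.1+ on PATH; DN fields, file names and passwords
# below are constructed sample values, not values from the page.
set -eu

# $1 output directory, $2 LDAP server common name, $3 PFX export password,
# $4 RSA key size (the page uses 4096; smaller only shortens a demo run).
make_ldaps_pfx() {
    outdir=$1; cn=$2; pfx_pass=$3; bits=${4:-4096}
    mkdir -p "$outdir"

    # Extension file for the CA certificate (added here for robustness: the
    # page's step 3 leaves this to the system openssl.cnf defaults).
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' \
        > "$outdir/ca.conf"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        >> "$outdir/ca.conf"

    # Step 4: extension file equivalent to azureAD-eku.conf
    printf '[client_server_ssl]\nextendedKeyUsage = serverAuth\n' > "$outdir/eku.conf"

    # Steps 2-3: CA private key and self-signed CA certificate (-subj replaces the prompts)
    openssl genrsa -out "$outdir/ca.key" "$bits" 2>/dev/null
    openssl req -x509 -new -nodes -key "$outdir/ca.key" -days 365 -config "$outdir/ca.conf" \
        -subj "/C=CA/ST=ON/L=Burlington/O=Example Org/CN=Example LDAPS CA" \
        -out "$outdir/ca.pem"

    # Steps 5-6: LDAP private key and certificate signing request
    openssl genrsa -out "$outdir/ldap.key" "$bits" 2>/dev/null
    openssl req -new -key "$outdir/ldap.key" \
        -subj "/C=CA/ST=ON/L=Burlington/O=Example Org/CN=$cn" \
        -out "$outdir/ldap.csr"

    # Step 7: the CA signs the CSR and injects the serverAuth EKU from eku.conf
    openssl x509 -req -extensions client_server_ssl -extfile "$outdir/eku.conf" \
        -in "$outdir/ldap.csr" -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" \
        -CAcreateserial -out "$outdir/ldap.crt" -days 365 2>/dev/null

    # Step 8: bundle key, leaf certificate and CA into the PFX uploaded to Secure LDAP
    openssl pkcs12 -export -out "$outdir/ldaps.pfx" -inkey "$outdir/ldap.key" \
        -in "$outdir/ldap.crt" -certfile "$outdir/ca.pem" -passout "pass:$pfx_pass"
}

# Returns 0 if the certificate carries the serverAuth EKU that Azure requires.
cert_has_serverauth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Returns 0 if the leaf certificate ($2) validates against the CA certificate ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints how many certificates the PFX holds (2 expected: leaf plus CA).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Prints subject and expiry of the certificate an LDAPS endpoint presents on
# port 636; useful after Secure LDAP is enabled to confirm the uploaded PFX is
# the one being served. Needs network access, so it is not exercised offline.
ldaps_server_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    make_ldaps_pfx ./out ldaps.example.test 'Change-Me-Pfx-Pass' 4096
    cert_has_serverauth ./out/ldap.crt && echo "EKU serverAuth: ok"
    cert_chains_to_ca ./out/ca.pem ./out/ldap.crt && echo "chain: ok"
    echo "certificates in PFX: $(pfx_cert_count ./out/ldaps.pfx 'Change-Me-Pfx-Pass')"
fi
```

The PFX export password is the value you enter under Password to decrypt .PFX file in the Azure portal; the checks run on the local files before the upload, so a certificate missing the EKU is caught before Azure rejects it.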

Microsoft Azure configuration

Microsoft Entra Domain Services

To integrate the firewall with Microsoft Entra ID using Microsoft Entra Domain Services, do as follows:

  1. Sign in to the Microsoft Azure portal.
  2. Configure Microsoft Entra Domain Services. See Tutorial: Create and configure a Microsoft Entra Domain Services managed domain.

    When Microsoft Entra Domain Services is deployed, the status should be Running.

    Microsoft Entra Domain Services status.

  3. Click Synchronization.

  4. Select All or Scoped, then click Save synchronization scope.

    Microsoft Entra Domain Services synchronize.

    Note

    Users must sign in to Office 365 and change their password so they can be synchronized with Microsoft Entra Domain Services. Users signing in for the first time are prompted to change their password. This allows the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID.

  5. Go to the Microsoft Entra Domain Services you deployed and click Secure LDAP.

  6. Turn on Secure LDAP and Allow secure LDAP access over the internet.
  7. Under .PFX file with secure LDAP certificate, upload the .pfx self-signed certificate you created.
  8. Under Password to decrypt .PFX file, enter the password to decrypt the file.

    Secure LDAP.

  9. Click Save.

  10. Go to Properties and make a note of the IP addresses, Secure LDAP external IP addresses, and Admin group.

    Make sure the configured administrator group is the one used by the firewall to send LDAP bind requests to Microsoft Entra Domain Services.

    Microsoft Entra Domain Services properties.

Check administrator account

To check the administrator account you'll use in the firewall, do as follows:

  1. Go to Microsoft Entra ID. You can also search for it.
  2. Click Users.

    Make sure that the administrator account you'll use in the firewall is a member of the configured Admin group in Microsoft Entra Domain Services.

    Microsoft Entra ID administrator.

Security rules

To allow LDAPS traffic from the firewall's public IP address, do as follows:

  1. Go to Network security groups. You can also search for it.
  2. Click your security group and go to Settings > Inbound security rules.
  3. Add an inbound security rule to allow LDAPS traffic from the firewall's public IP address.

    Inbound security rule.

  4. Sign in to Office 365 using the administrator account you'll use in the firewall. You'll be prompted to change your password.

Firewall configuration

Configure an AD server and import groups

To configure an AD server and import groups, do as follows:

  1. Sign in to the web admin console.
  2. Go to Authentication > Servers and click Add.
  3. Configure the following settings:

    1. Server type: Active Directory
    2. Server name: Enter a name.
    3. Server IP/domain: Enter the public IP address of Microsoft Entra Domain Services (the Secure LDAP external IP address you noted under Properties).
    4. Connection security: SSL/TLS
    5. Port: 636
    6. NetBIOS domain: Enter the NetBIOS domain.
    7. ADS user name: Enter the username of the administrator account that's a member of the admin group configured in Microsoft Entra Domain Services.
    8. Password: Enter the administrator password.
    9. Validate server certificate: Clear the checkbox.
    10. Display name attribute: DisplayName
    11. Email address attribute: mail
    12. Domain name: Enter your domain.
    13. Search queries: Enter your domain's search queries.

      Add a server.

  4. Test the connection.

  5. Click Save.
  6. Import the groups from Microsoft Entra ID. See Import groups.

Authentication services

To use the Microsoft Entra ID server as the authentication method, do as follows:

  1. Go to Authentication > Services.
  2. Under Firewall authentication methods, select and apply the Microsoft Entra ID server for the services you want.

You can now authenticate users using Microsoft Entra ID through Microsoft Entra Domain Services.

Tip

For additional security, create an IPsec connection to Microsoft Azure and bind LDAP over it. See Sophos Firewall: Configuring an IPsec VPN Gateway Connection to Azure.