Troubleshooting Microsoft Entra ID
Learn how to troubleshoot issues related to Microsoft Entra ID (Azure AD).
Single sign-on
You don't have permission to sign in to the VPN portal. Contact your firewall administrator.
Issue
A user can't sign in to the VPN portal and it shows the following error:
You don't have permission to sign in to the VPN portal. Contact your firewall administrator.
Cause
Users can be unable to access the VPN portal for several reasons, such as the browser they use or configuration issues.
You can see the following error messages in the log viewer:
User not authorized
Invalid credentials
Solution
To resolve your issue, follow the steps below.
Browser check
Sign in using a different browser to rule out browser compatibility and extension issues.
VPN portal access
Make sure that the user's Microsoft Entra ID group is added to the remote access IPsec VPN or remote access SSL VPN allowed user list. Users who aren't allowed in either policy can't access the VPN portal, even if SSO authentication is successful.
To check the user's VPN portal access, do as follows:
- Remote access IPsec VPN
  - Go to Remote access VPN > IPsec.
  - Make sure that the user's Microsoft Entra ID group is selected in Allowed users and groups.
- Remote access SSL VPN
  - Go to Remote access VPN > SSL VPN.
  - Click your remote access SSL VPN configuration.
  - Make sure that the user's Microsoft Entra ID group is selected in Policy members.
Authentication methods
Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.
Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.
SSO is not configured. Please contact your administrator.
Issue
You can't click the Single sign on (SSO) button in the Sophos Connect client (SCC) and it shows the following error:
SSO is not configured. Please contact your administrator.
Cause
Configuration issues.
Solution
To resolve your issue, follow the steps below.
Connection test
Check the firewall's connection to the Microsoft Entra ID server as follows:
- Go to Authentication > Servers.
- Click your Microsoft Entra ID server.
- Click Test connection.
  Make sure that the test is successful. If not, check your configuration. See Set up Microsoft Entra ID.
Authentication methods
Check the SSL VPN authentication methods as follows:
- Go to Authentication > Services.
- Make sure that your Microsoft Entra ID server is set in SSL VPN authentication methods.
Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.
Issue
SSO doesn't work and shows the following error:
Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.
Cause
The user doesn't exist in the tenant application because the remote access IPsec VPN and remote access SSL VPN authentication methods use different Microsoft Entra ID servers.
Solution
To resolve your issue, follow the steps below.
Authentication methods
Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.
Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.
Force SSO re-login
If users sign in using SSO and connect to the network using a shared endpoint, we recommend that you force SSO re-login. See Force SSO re-login.