Microsoft Entra ID (Azure AD) server

The firewall supports Microsoft Entra ID single sign-on (SSO) authentication using OAuth 2.0 and OpenID Connect (OIDC) protocols.

Administrators and users can use Microsoft Entra ID SSO to sign in to the following services:

  • Web admin console
  • Captive portal
  • VPN portal
  • Remote access IPsec VPN and remote access SSL VPN through the Sophos Connect client, version 2.4 and later, on Windows.

    Note

    For remote access VPN, Microsoft Entra ID SSO uses the VPN portal port to communicate with the firewall.

You can import all groups or only those that match specific attributes using the import group assistant. You can also apply schedule and traffic policies.

Microsoft Entra ID SSO supports multi-factor authentication (MFA) configured on your identity provider (IDP). It doesn't support the MFA configured in the firewall.

Set up Microsoft Entra ID

You can set up Microsoft Entra ID authentication as follows:

  1. To configure Microsoft Entra ID (Azure AD) on Azure Portal, see Configure Microsoft Entra ID (Azure AD) on Azure Portal.

  2. To add the server in the firewall, see Add a Microsoft Entra ID (Azure AD) server.

  3. (Optional) To import groups from Microsoft Entra ID, see Import groups.

  4. To allow the required URLs, see Allow Microsoft Azure URLs.

Upgrading to SFOS 21.5

If you're using Microsoft Entra ID SSO in SFOS 20.0 or 21.0, upgrading to SFOS 21.5 automatically turns on SSO for services with the authentication method set as Same as firewall.

For example, if your VPN portal, IPsec VPN, or SSL VPN authentication methods are set as Same as firewall, SSO will be turned on for those services. Additionally, to use SSO for the VPN portal, remote access IPsec VPN, or remote access SSL VPN, you must do as follows:

  1. In the firewall, go to Authentication > Servers.
  2. Click your Microsoft Entra ID server configuration.
  3. Copy the VPN portal and remote access URL.

    VPN portal and remote access URL.

  4. Paste the URL in the application you created for the firewall on Azure. See Paste the redirect URI on Azure.

    Note

    If you're configuring Microsoft Entra ID from Sophos Central, don't use the Sophos Central reverse SSO URL.

Videos

Configure Microsoft Entra ID SSO

Configure Microsoft Entra ID SSO for Sophos Connect

Captive portal authentication

Note

To use Microsoft Entra ID authentication for services, such as web admin console, captive portal, user portal, and client authentication agent (CAA), you can also configure the firewall with Microsoft Entra ID using the Microsoft Entra ID Domain Services. See Sophos Firewall: Integrate Sophos Firewall with Microsoft Entra ID.

More resources