Microsoft Entra ID (Azure AD) server

You can integrate Microsoft Entra ID (Azure AD) with Sophos Firewall to offer secure Single Sign-On (SSO) across key firewall services. SSO authentication lets administrators access the web admin console and allows all users to access services, such as the captive portal and remote access VPN tunnels.

The integration uses OAuth 2.0 and OpenID Connect (OIDC) to deliver reliable identity management.

Where you can use Microsoft Entra ID SSO

You can configure Microsoft Entra ID SSO for the following services.

Web admin console

Firewall administrators can use SSO to access the web admin console. You can map their Microsoft Entra ID roles or groups to the firewall's device access profiles through the server configuration in the firewall, ensuring identity‑based permissions.

User services

All users, including administrators, can use SSO to access some services in the firewall. Policies and firewall rules apply access permissions for these services.

The services that support Microsoft Entra ID SSO are as follows:

  • Captive portal: For users accessing web resources.
  • Remote access VPN: For users accessing internal resources through VPN tunnels.
    • VPN portal
    • SSL VPN through the Sophos Connect client
    • IPsec VPN through the Sophos Connect client

Note

Windows devices running Sophos Connect client 2.4 or later support Microsoft Entra ID SSO.

Configurations and troubleshooting

Note

Alternatively, you can use Microsoft Entra ID Domain Services to authenticate users to services such as the user portal and client authentication agent (CAA), in addition to the web admin console and captive portal. See Sophos Firewall: Integrate Sophos Firewall with Microsoft Entra ID.

Videos

Watch the following videos.

Entra ID SSO integration for the Sophos Connect client

Captive portal SSO and group import