Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-server-entra-id-import-groups

Import groups

You can import all groups or only those that match specific attributes through the assistant.

API permission requirement

To import groups, you must add the following API permission on Microsoft Entra ID:

  1. Sign in to Azure Portal.
  2. Go to Microsoft Entra ID and select the server.
  3. Click App registrations and select the application configured for the firewall.
  4. Click API permission > Add a permission.
  5. Click Microsoft Graph > Application permissions and add the Group.Read.All permission.

  6. Click Grant admin consent for your organization and click Yes.

    API permission.

Import group assistant

To import groups, go to Authentication > Servers and click Assistant for importing groups Import button. for the Microsoft Entra ID server.

You can import all groups or import groups that match the attributes you specify, such as Display name and Description.

You can apply the following policies to all groups or to individual groups:

  • Surfing quota
  • Access time
  • Network traffic
  • Traffic shaping

Important

You must synchronize the time between the firewall and Microsoft Entra ID. Otherwise, the connection may fail.

Note

If you use remote access IPsec or SSL VPN, make sure to add the new groups to your VPN policies.