
Add a Microsoft Entra ID (Azure AD) server

Add a Microsoft Entra ID (Azure AD) server to authenticate administrators and users signing in to the following services:

  • Web admin console
  • Captive portal
  • VPN portal
  • Remote access IPsec VPN and remote access SSL VPN through the Sophos Connect client

Add a Microsoft Entra ID server

Before you add a Microsoft Entra ID server in the firewall, you must configure the authentication infrastructure on Azure Portal. See Configure Microsoft Entra ID (Azure AD) on Azure Portal.

To add a Microsoft Entra ID server in the firewall, do as follows:

  1. Go to Authentication > Servers and click Add.
  2. From the Server type list, select Azure AD SSO.
  3. In Server name, enter a name for the server.
  4. For the IDs, do as follows:

    1. On Azure, go to Azure Active Directory > App registrations and click the application you created for the firewall.
    2. Copy Application (client) ID and paste it in Application (client) ID on the firewall.
    3. Copy Directory (tenant) ID and paste it in Directory (tenant) ID on the firewall.
  5. On Azure, create a client secret and paste it in Client secret.

    See Create a client secret.

    Client secrets have an expiry date that you set when you create them. Record it: when the secret expires, sign-in through the firewall stops until you create a new secret on Azure and update it here.

  6. In Redirect URI, enter the FQDN or IP address through which users reach the firewall. You can also click Use the current browser URL to fill it in automatically. Each firewall has its own redirect URI.

    If you're configuring Microsoft Entra ID from Sophos Central firewall management, don't use the Sophos Central reverse SSO URL.

    If you're configuring Microsoft Entra ID through Sophos Central group firewall management, you won't see the Redirect URI setting. It's configured as follows:

    • In 20.0 MR1 and later, the Redirect URI is automatically set to the firewall's hostname if it's configured.
    • In 20.0 GA and earlier, or if no hostname is configured, the Redirect URI automatically uses the text defaultHostname. After the initial configuration, you must manually update each firewall's Redirect URI with the IP address or hostname through which that firewall is reachable.

      Sophos Central redirect URI.

  7. Copy the Web admin console URL, Captive portal URL, or VPN portal and remote access URL.

  8. Paste the URL in the application you created for the firewall on Azure. See Paste the redirect URI on Azure.

    Register the URL exactly as the firewall generated it (same scheme, host, port, path, and trailing slash). Microsoft Entra ID rejects a sign-in whose redirect URI doesn't exactly match one registered on the application.
  9. Under User attribute mapping, check the user attributes. The firewall reads them from the Microsoft Entra ID token to create users.
  10. From the Fallback user group list, select a user group.

    If a user's Microsoft Entra ID group exists in the firewall, the firewall assigns the user to that group. If it doesn't exist, the firewall assigns the user to the group you select here.

    Note

    If you use the Microsoft Entra ID server in Authentication > Services under Firewall authentication methods, the Fallback user group still applies instead of the Default group.

  11. Select the role mapping criteria as follows:

    1. User type:

      • User: Select this option if you want to authenticate users signing in to the captive portal, VPN portal, remote access IPsec VPN, and remote access SSL VPN.
      • Administrator: Select this option if you want to authenticate web admin console administrators and users signing in to the captive portal, VPN portal, remote access IPsec VPN, and remote access SSL VPN.
    2. Identifier type and profile:

      • Identifier type: Select the type you configured on Azure:

        • roles
        • groups

        See Create an application role.

      • Value: Enter the value you configured on Azure for the identifier type.

      • Profile: Select an administrator profile.

        You can see these on Profiles > Device access on the firewall.

      To add multiple identifier types, click Expand.

      Role identifier type.

  12. Click Test connection to validate the application credentials (client ID, tenant ID, and client secret) and check the connection to the server.

  13. Click Save.
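Steps 9 to 11 describe how the firewall turns the claims in a Microsoft Entra ID token into a user group and, for Administrator-type servers, an administrator profile. The following is an added example that models those rules in Python; it is not Sophos Firewall code. The class and function names, the firewall group list, and the token payload are constructed for illustration, and the assumption that an Entra group value is matched against a firewall group as an equal string is the example's own, since the page doesn't say how the comparison is done.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RoleMapping:
    identifier_type: str  # "roles" or "groups", as chosen under Identifier type
    value: str            # the value configured on Azure for that identifier
    profile: str          # an administrator profile (Profiles > Device access)


@dataclass
class EntraServerConfig:
    fallback_user_group: str
    user_type: str = "User"  # "User" or "Administrator"
    role_mappings: List[RoleMapping] = field(default_factory=list)


# Constructed sample of user groups that already exist on the firewall.
# The page doesn't say whether the firewall matches Entra groups by object ID
# or by name; this example assumes the token value and the firewall group
# name are compared as equal strings.
FIREWALL_GROUPS = {"Open Group", "VPN Users", "a1b2c3d4-0000-4000-8000-000000000001"}


def resolve_user_group(claims: Dict, cfg: EntraServerConfig) -> str:
    """Apply the Fallback user group rule to the token's `groups` claim."""
    groups = claims.get("groups")
    if groups is None and "groups" in claims.get("_claim_names", {}):
        # Entra "group overage": the user belongs to more groups than fit in
        # the token, so the claim is replaced by a Microsoft Graph reference.
        # There is nothing to match on, so the fallback group applies.
        return cfg.fallback_user_group
    for group in groups or []:
        if group in FIREWALL_GROUPS:
            return group
    return cfg.fallback_user_group


def resolve_admin_profile(claims: Dict, cfg: EntraServerConfig) -> Optional[str]:
    """Return the profile of the first role mapping whose identifier value is
    present in the token, or None for a User-type server or no match."""
    if cfg.user_type != "Administrator":
        return None
    for mapping in cfg.role_mappings:
        # `roles` carries app role values, `groups` carries group identifiers.
        if mapping.value in (claims.get(mapping.identifier_type) or []):
            return mapping.profile
    return None


def map_token(claims: Dict, cfg: EntraServerConfig) -> Dict:
    """Build the firewall-side identity. `claims` must come from an ID token
    whose signature, issuer (your tenant), audience (your client ID) and
    expiry have already been verified; never pass in unverified claims."""
    return {
        "username": claims.get("preferred_username") or claims.get("upn"),
        "name": claims.get("name"),
        "group": resolve_user_group(claims, cfg),
        "admin_profile": resolve_admin_profile(claims, cfg),
    }


# Constructed sample: a verified token payload and a firewall server config.
SAMPLE_CLAIMS = {
    "preferred_username": "alice@example.com",
    "name": "Alice Example",
    "roles": ["FirewallAdmin"],
    "groups": ["zzz-not-on-firewall", "a1b2c3d4-0000-4000-8000-000000000001"],
}
SAMPLE_CONFIG = EntraServerConfig(
    fallback_user_group="Open Group",
    user_type="Administrator",
    role_mappings=[RoleMapping("roles", "FirewallAdmin", "Administrator")],
)

if __name__ == "__main__":
    print(map_token(SAMPLE_CLAIMS, SAMPLE_CONFIG))
```

The overage branch is the case to watch in practice: a user in many groups gets a token without a `groups` claim, lands in the fallback group, and silently loses the access their group should have given them. Keep the fallback group minimal for that reason, and prefer `roles` (app roles assigned on the enterprise application) over `groups` for administrator mapping, since app roles are never subject to overage.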

Set up authentication methods

The firewall only allows one Microsoft Entra ID server for each authentication method.

To use Microsoft Entra ID for authentication, do as follows:

  1. Go to Authentication > Services.
  2. Select the Microsoft Entra ID server as an authentication method for the services you want:

    • Firewall authentication methods: For the captive portal.
    • Administrator authentication methods: For the web admin console.
    • VPN portal authentication methods: For the VPN portal.
    • VPN (IPsec/dial-in/L2TP/PPTP) authentication methods: For remote access IPsec VPN.
    • SSL VPN authentication methods: For remote access SSL VPN.

    Note

    For VPN portal, remote access IPsec VPN, and remote access SSL VPN, make sure to check the requirements. See Requirements.

  3. Click Apply for each service where you added the Microsoft Entra ID server.

Note

You must select Match known users and Use web authentication for unknown users in the corresponding firewall rules to use Microsoft Entra ID for authentication.

Additional configurations

For captive portal, do as follows:

  1. Go to Authentication > Web authentication.
  2. Under Captive portal behavior, select In new browser window.

    Users must explicitly sign out to end their sessions or wait for the Microsoft Entra ID token to expire. We recommend keeping the captive portal window open so that users can sign out.

  3. Clear Use insecure HTTP instead of HTTPS.

    Microsoft Entra ID SSO isn't supported if you select this option.

  4. Click Apply.

Note

Microsoft Entra ID (formerly Azure AD) uses token-based authentication through OAuth 2.0 and OpenID Connect (OIDC): the user signs in to Microsoft in the browser and the firewall receives a token, so the firewall never sees a password. Local and remote users therefore can't use Credential login (username and password) with a Microsoft Entra ID server.

To implement Credential login, use a directory service such as Active Directory (AD) or LDAP.
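Because sign-in is a browser redirect to Microsoft and back, the redirect URI from steps 6 and 8 has to match what is registered on the application exactly, and the authorization request carries that URI along with values that protect the round trip. The following added example (not Sophos code; the firewall's own request parameters aren't on this page) shows a generic OIDC authorization-code request against the Microsoft identity platform v2.0 endpoint and an offline check of a firewall's redirect URI against the list registered on Azure. The tenant and client IDs, the callback path, and the registered-URI list are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Microsoft identity platform v2.0 authorization endpoint (real format).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def check_redirect_uri(firewall_uri: str, registered_uris: list) -> list:
    """Return a list of problems; an empty list means the URI is usable.
    Entra ID compares the redirect_uri in the request with the registered
    ones as a whole string (scheme, host, port, path, trailing slash; the
    path is case-sensitive). A mismatch fails sign-in with AADSTS50011."""
    problems = []
    if urlsplit(firewall_uri).scheme != "https":
        problems.append("scheme must be https; Entra ID SSO isn't supported "
                        "with the firewall's insecure-HTTP option")
    if firewall_uri not in registered_uris:
        near = [u for u in registered_uris
                if u.lower().rstrip("/") == firewall_uri.lower().rstrip("/")]
        hint = f"; near miss on case or trailing slash: {near}" if near else ""
        problems.append("not registered in the app registration "
                        f"(exact match required){hint}")
    return problems


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        state: str = None, nonce: str = None) -> str:
    """Generic OIDC authorization-code request. `state` binds the response to
    this browser session (CSRF protection) and `nonce` is echoed in the ID
    token to stop replay; both must be unguessable and checked on return."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params)


# Constructed sample values: the URI the firewall generated and the list
# pasted into the app registration on Azure (path and IDs are placeholders).
FIREWALL_URI = "https://firewall.example.com:4444/sample/callback"
REGISTERED_URIS = ["https://firewall.example.com:4444/sample/callback"]

if __name__ == "__main__":
    for uri in (FIREWALL_URI, "http://firewall.example.com:4444/sample/callback",
                "https://firewall.example.com:4444/sample/callback/"):
        print(uri, check_redirect_uri(uri, REGISTERED_URIS) or "ok")
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "11111111-1111-1111-1111-111111111111", FIREWALL_URI))
```

The near-miss hint is there because the two most common causes of a failed Entra ID sign-in after following this procedure are a trailing slash and a hostname typed in a different case than the firewall generated, neither of which Entra ID forgives. When the Redirect URI was set to defaultHostname through Sophos Central group management, the same check flags that the registered URI no longer matches the firewall's real address.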
