Requirements and restrictions
Learn the requirements for integrating Microsoft Entra ID (Azure AD) SSO with the firewall. These requirements include configurations for services, such as the web admin console and remote access IPsec and SSL VPNs. These also include the general requirements for configuring Microsoft Entra ID SSO.
Requirements
Make sure you meet the following requirements for Microsoft Entra ID.
Web admin console
You must assign Microsoft Entra ID roles or groups to firewall administrators. You then map the roles or groups to the device access profiles when you configure the Microsoft Entra ID server in the firewall.
If you don't map the roles or groups to administrator profiles, the firewall saves administrators as users when they sign in and doesn't allow access to the web admin console.
Remote access VPN
You can configure Microsoft Entra ID SSO for users who establish remote access IPsec and SSL VPN tunnels using the Sophos Connect client.
VPN portal
Microsoft Entra ID SSO uses the VPN portal's port to communicate with the firewall. So, you must allow WAN access for the VPN portal in Administration > Device access, under Local service ACL.
Sophos Connect
Make sure you meet the following requirements for Sophos Connect:
- Client version: Users must install Sophos Connect client version 2.4 or later.
- Endpoint operating systems: The above Sophos Connect client versions are supported on Windows endpoint devices.
- Configuration files: After you configure Microsoft Entra ID or make changes to the configuration, users must import the configuration file again.
Note
When a user establishes tunnels from a shared endpoint device, we recommend that they force an SSO re-login for subsequent users of the endpoint device. The next user can then establish the tunnel only when they sign in with Microsoft Entra ID SSO. See Microsoft Entra ID Single Sign-On.
VPN provisioning
The automatic provisioning file for remote access IPsec and SSL VPN tunnels has specific configuration requirements, including the authentication methods. You can configure these in Authentication > Services.
| | With provisioning file | Without provisioning file |
|---|---|---|
| Authentication method | Use the same Microsoft Entra ID server for IPsec VPN, SSL VPN, and the VPN portal. | Use the same Microsoft Entra ID server for SSL VPN and the VPN portal. You can use a different Microsoft Entra ID server for IPsec VPN. |
| Gateway setting | Go to the firewall's Microsoft Entra ID configuration and enter the FQDN or IP address shown under Redirect URI as the | Not required. |
Captive portal
We recommend that users explicitly sign out of the captive portal, particularly if they're on shared endpoint devices. To do so, they must not close the captive portal browser window after signing in.
Currently, the options to sign out users, such as signing out due to inactivity or closing the browser tab, don't apply to Microsoft Entra ID SSO authentication.
To see the captive portal behavior, go to Authentication > Web authentication.
General requirements
Make sure you meet the following general requirements:
- Sophos Central: If you configure Microsoft Entra ID in the firewall from Sophos Central, don't use the Sophos Central reverse SSO URL. It's different from the firewall URL. For more information about configuration through Sophos Central, see Server settings.
- Time: Synchronize the time between the firewall and Microsoft Entra ID. If you don't, importing groups may fail.
- Existing users and groups: Make sure any existing users or groups in Sophos Firewall are also configured in Microsoft Entra ID. If any users or groups don't have a match, you need to manage them manually in the firewall.
- Role change: If you change a user to a firewall administrator in Microsoft Entra ID, the firewall makes the change in Authentication > Users when the administrator next signs in. However, it doesn't change an administrator to a user to match a role change in Microsoft Entra ID. You must delete the administrator from the firewall. When the user next signs in, the firewall creates the user.
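The sign-in rules above (roles or groups mapped to device access profiles create administrators, unmapped sign-ins create users with no web admin console access, a user is promoted on the next sign-in, an administrator is never demoted) leave one gap an operator has to handle by hand: an account that lost its administrator role in Microsoft Entra ID keeps web admin console access until it is deleted from the firewall. The following Python model is an added example, not Sophos code; the group names, profile names and accounts are constructed, and the `stale_administrators` audit helper is a hypothetical check built from the documented behaviour, not a firewall feature.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical mapping from Microsoft Entra ID group names to firewall device
# access profile names (what you configure when adding the Entra ID server).
GROUP_TO_PROFILE: Dict[str, str] = {
    "FW-Admins": "Administrator",
    "FW-Auditors": "Audit Admin",
}


@dataclass
class Account:
    """A user or administrator record as the firewall keeps it after an SSO sign-in."""
    upn: str
    kind: str                      # "user" or "administrator"
    profile: Optional[str] = None  # device access profile, administrators only


class FirewallDirectory:
    """Models the documented reconciliation rules:
    - first sign-in creates an administrator if a mapped group is present, else a user;
    - a user whose groups now map to a profile is promoted on the next sign-in;
    - an administrator is never demoted by a sign-in; removal is a manual delete."""

    def __init__(self, group_to_profile: Dict[str, str]):
        self.group_to_profile = group_to_profile
        self.accounts: Dict[str, Account] = {}

    def profile_for(self, groups: Set[str]) -> Optional[str]:
        # First matching group wins; sorting makes the choice deterministic.
        for g in sorted(groups):
            if g in self.group_to_profile:
                return self.group_to_profile[g]
        return None

    def sign_in(self, upn: str, groups: Set[str]) -> Account:
        profile = self.profile_for(groups)
        acct = self.accounts.get(upn)
        if acct is None:
            acct = Account(upn, "administrator" if profile else "user", profile)
            self.accounts[upn] = acct
        elif acct.kind == "user" and profile:
            acct.kind, acct.profile = "administrator", profile
        # An existing administrator keeps its role whatever the current groups are.
        return acct

    def admin_console_allowed(self, upn: str) -> bool:
        acct = self.accounts.get(upn)
        return acct is not None and acct.kind == "administrator"

    def delete(self, upn: str) -> None:
        # The manual step the documentation requires before a demoted user is re-created.
        self.accounts.pop(upn, None)


def stale_administrators(fw: FirewallDirectory,
                         entra_groups: Dict[str, Set[str]]) -> List[str]:
    """Firewall administrators whose current Entra ID groups map to no device
    access profile (or who no longer exist in Entra ID at all). Hypothetical audit:
    these accounts keep web admin console access until deleted from the firewall."""
    return sorted(
        a.upn for a in fw.accounts.values()
        if a.kind == "administrator"
        and fw.profile_for(entra_groups.get(a.upn, set())) is None
    )
```

Run `stale_administrators` against a current export of group membership from Entra ID whenever administrator roles change; each name it returns needs the delete step from the Role change requirement, after which the next SSO sign-in re-creates the account as a plain user.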
Restrictions
- Authentication method: You can only select one Microsoft Entra ID server for each authentication method.
- MFA: You can't use multi-factor authentication (MFA) configured in the firewall. You can use an MFA configured with your identity provider (IDP).
- Domain users: You can't synchronize users from a single domain using both Active Directory (AD) and Microsoft Entra ID at the same time.
- High availability: In an HA cluster, you can't currently sign in to the web admin console of the auxiliary device using Microsoft Entra ID SSO.