Operation: Add Microsoft Entra ID (Azure AD) SSO server / Edit Microsoft Entra ID (Azure AD) SSO server
Description: Add or update Microsoft Entra ID (Azure AD) SSO servers. 

Sample Configuration
<AzureADSSO>
  <ServerName>ADSSO</ServerName>
  <ApplicationID>fa7fc787-011e-4398-812f-3152d8843320</ApplicationID>
  <TenantID>10657f8b-d541-41a5-8e25-a8d7cbb9d4dd</TenantID>
  <ClientSecret>12345abcdead</ClientSecret>
  <RedirectURI>FQDN or IP address of SFOS</RedirectURI>
  <DisplayName>upn</DisplayName>
  <EmailAddress>email</EmailAddress>
  <FallbackUserGroup>Open Group</FallbackUserGroup>
  <UserType>Administrator</UserType>
  <RoleMapping>
    <IdentifierTypeAndProfile>
      <identifiertype>roles</identifiertype>
      <identifiervalue>role.admin</identifiervalue>
      <profileid>Administrator</profileid>
    </IdentifierTypeAndProfile>
  </RoleMapping>
</AzureADSSO>



Parameter   Mandatory   Default   Description
(The Default column is empty for every parameter in this table.)

ServerName (Mandatory: Yes; Default: not set)
Name of the server.
ServerName confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Character not allowed: Comma (,)
  • Maximum characters allowed are 50.
  • UTF-8 character(s) are allowed.

ApplicationID (Mandatory: Yes; Default: not set)
Application (client) ID. Copy it from Microsoft Entra ID > App registrations.
ApplicationID confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Validation rule: ADSSOAPPANDTENANTID
  • Maximum characters allowed are 50.

TenantID (Mandatory: Yes; Default: not set)
Directory (tenant) ID associated with an organizational directory. Copy it from Microsoft Entra ID > App registrations.
TenantID confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Validation rule: ADSSOAPPANDTENANTID
  • Maximum characters allowed are 50.

ClientSecret (Mandatory: Yes; Default: not set)
The password used by the firewall to authenticate its SSO server connection with the Microsoft Entra ID application. Copy it from Microsoft Entra ID > App registrations > Certificates & secrets.
ClientSecret confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 50.

RedirectURI (Mandatory: Yes; Default: not set)
FQDN or IP address of the firewall.
RedirectURI confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 200.

DisplayName (Mandatory: Yes; Default: not set)
Enter "upn". The firewall uses the UserPrincipalName (UPN) to create the user's display name locally.
DisplayName confines to:
  • Type is 'SCALAR'.
  • Only 'upn' is allowed.

EmailAddress (Mandatory: Yes; Default: not set)
Enter "email".
EmailAddress confines to:
  • Type is 'SCALAR'.
  • Only 'email' is allowed.

UserType (Mandatory: Yes; Default: not set)
Type of user.
UserType confines to:
  • Type is 'SCALAR'.
  • Only 'User', 'Administrator' are allowed.

identifiertype (Mandatory: Yes; Default: not set)
For administrators, enter "roles" or "groups".
identifiertype confines to:
  • Type is 'SCALAR'.
  • Only 'roles', 'groups' are allowed.

identifiervalue (Mandatory: Yes; Default: not set)
Role configured in Microsoft Entra ID under App roles.
identifiervalue confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.

profileidentifier (Mandatory: Yes; Default: not set)
Administrator profile for the matching role or group.
profileidentifier confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.

FallbackUserGroup (Mandatory: Yes; Default: not set)
User group to assign if the firewall doesn't find a matching user group locally.
FallbackUserGroup confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
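The sample configuration and the parameter table together define a small schema: fixed element order, length limits, a banned character in ServerName, and closed value sets for DisplayName, EmailAddress, UserType and identifiertype. The following Python script is an added example, not code from Sophos or from this page; it checks a configuration against those documented constraints before serialising it as the <AzureADSSO> element, and it keeps the client secret out of the source by reading it from an environment variable (SFOS_CLIENT_SECRET, a name assumed here). The element names follow the sample configuration, so the role-mapping profile element is written as profileid, which is what the sample uses even though the parameter table calls the field profileidentifier. The surrounding API request envelope is not shown on this page and is not generated here.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constraints copied from the parameter table on this page.
MAX_LEN = {"ServerName": 50, "ApplicationID": 50, "TenantID": 50,
           "ClientSecret": 50, "RedirectURI": 200}
ALLOWED = {"DisplayName": {"upn"}, "EmailAddress": {"email"},
           "UserType": {"User", "Administrator"},
           "identifiertype": {"roles", "groups"}}
# Every top-level parameter is mandatory; the order matches the sample configuration.
REQUIRED = ("ServerName", "ApplicationID", "TenantID", "ClientSecret", "RedirectURI",
            "DisplayName", "EmailAddress", "FallbackUserGroup", "UserType")
MAPPING_FIELDS = ("identifiertype", "identifiervalue", "profileid")

# Sample values taken from this page; the secret placeholder is the page's own dummy value
# and is only used when SFOS_CLIENT_SECRET is not set in the environment.
SAMPLE_CONFIG = {
    "ServerName": "ADSSO",
    "ApplicationID": "fa7fc787-011e-4398-812f-3152d8843320",
    "TenantID": "10657f8b-d541-41a5-8e25-a8d7cbb9d4dd",
    "ClientSecret": os.environ.get("SFOS_CLIENT_SECRET", "12345abcdead"),
    "RedirectURI": "FQDN or IP address of SFOS",
    "DisplayName": "upn",
    "EmailAddress": "email",
    "FallbackUserGroup": "Open Group",
    "UserType": "Administrator",
}
SAMPLE_ROLE_MAPPINGS = [
    {"identifiertype": "roles", "identifiervalue": "role.admin", "profileid": "Administrator"},
]


def validate(cfg, role_mappings):
    """Return a list of constraint violations; an empty list means the config is acceptable."""
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"{key} is mandatory")
    for key, limit in MAX_LEN.items():
        if len(cfg.get(key, "")) > limit:
            problems.append(f"{key} exceeds {limit} characters")
    if "," in cfg.get("ServerName", ""):
        problems.append("ServerName must not contain a comma")
    for key, allowed in ALLOWED.items():
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}")
    for mapping in role_mappings:
        for field in MAPPING_FIELDS:
            if not mapping.get(field):
                problems.append(f"RoleMapping entry is missing {field}")
        if mapping.get("identifiertype") not in ALLOWED["identifiertype"]:
            problems.append("identifiertype must be one of ['groups', 'roles']")
    return problems


def build_azure_ad_sso(cfg, role_mappings):
    """Serialise the <AzureADSSO> element; raises ValueError on any documented-constraint violation."""
    problems = validate(cfg, role_mappings)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("AzureADSSO")
    for key in REQUIRED:
        # ElementTree escapes &, < and > so user-controlled text cannot break the XML structure.
        ET.SubElement(root, key).text = cfg[key]
    if role_mappings:
        role_mapping = ET.SubElement(root, "RoleMapping")
        for mapping in role_mappings:
            entry = ET.SubElement(role_mapping, "IdentifierTypeAndProfile")
            for field in MAPPING_FIELDS:
                ET.SubElement(entry, field).text = mapping[field]
    return ET.tostring(root, encoding="unicode")


def redact_secret(xml_text):
    """Mask the ClientSecret value so the request can be logged or diffed without leaking it."""
    return re.sub(r"<ClientSecret>.*?</ClientSecret>",
                  "<ClientSecret>***</ClientSecret>", xml_text, flags=re.S)


if __name__ == "__main__":
    print(redact_secret(build_azure_ad_sso(SAMPLE_CONFIG, SAMPLE_ROLE_MAPPINGS)))
```

Running the script prints the serialised element with the secret masked; the unredacted string returned by build_azure_ad_sso is what goes into the API request. A ServerName containing a comma, a RedirectURI longer than 200 characters, or a DisplayName other than "upn" is rejected locally with a readable message rather than discovered as a 500-class response from the firewall.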



Operation                                       Status   Message
Add Microsoft Entra ID (Azure AD) SSO server    200
Add Microsoft Entra ID (Azure AD) SSO server    500
Add Microsoft Entra ID (Azure AD) SSO server    502
Add Microsoft Entra ID (Azure AD) SSO server    503
Edit Microsoft Entra ID (Azure AD) SSO server   200
Edit Microsoft Entra ID (Azure AD) SSO server   500
Edit Microsoft Entra ID (Azure AD) SSO server   502
Edit Microsoft Entra ID (Azure AD) SSO server   503


© Copyright Sophos Firewall Limited. All rights reserved.
Sophos Firewall is a registered trademark of Sophos Firewall Limited and Sophos Firewall Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.