Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/Mobile/help/en-us/index.html?contextId=sse-modern-auth

Set up modern authentication for Sophos Secure Email

When you set up modern authentication for Sophos Secure Email, users access their Exchange accounts via your organization’s Microsoft 365 sign-in page.

Restriction

Managing Sophos Secure Email with Sophos Mobile is only available for Sophos Central accounts created before October 1, 2022 and for accounts migrated from an on-premise installation of Sophos Mobile.

Requirements

To set up modern authentication for Sophos Secure Email, do as follows:

  1. Sign in to the Microsoft Azure portal with your Azure administrator account.
  2. Go to App registrations.
  3. Select New registration.
  4. In Name, enter a name for the application, for example Sophos Secure Email.

  5. In Redirect URI, enter the following text:

    sophos://sse/auth

  6. Click Register.

  7. On the application’s overview page, copy the value that is displayed under Application (client) ID.

    You need this value and the values from the following step later in this procedure.

  8. Click Endpoints and then copy the values displayed under OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2).

  9. On the application’s overview page, click API permissions > Add a permission > APIs my organization uses.
  10. Search for the Office 365 Exchange Online API.

  11. Under Delegated permissions, select the following permissions:

    • EAS.AccessAsUser.All (from the EAS section)
    • EWS.AccessAsUser.All (from the EWS section)

  12. Click Add permissions.

  13. Under Configured permissions, click Grant admin consent.

Perform the following steps in Sophos Central Admin:

  1. In Sophos Central Admin, go to My Products > Mobile.

  2. Go to Policies and edit the Sophos container policy that contains the Work email configuration.

    If you have several policies with a Work email configuration, you must edit them all.

  3. Under OAuth 2.0, configure the following settings:

    • Turn on OAuth 2.0: Select this setting.
    • Authorization endpoint: Enter the value displayed in the Azure portal under OAuth 2.0 authorization endpoint (v2).
    • Client ID: Enter the value displayed in the Azure portal under Application (client) ID.

    • Redirect URI: Enter the following text:

      sophos://sse/auth

    • Token endpoint: Enter the value displayed in the Azure portal under OAuth 2.0 token endpoint (v2).

  4. Click Apply and Save.

Sophos Secure Email starts using your organization’s Microsoft 365 authentication the next time the device connects to Sophos Central.