Set up directory service
You need a directory service to manage your user groups.
You can use Microsoft Entra ID (Azure AD) or Active Directory. To help you decide which to use, consider the following:
If you use Microsoft Entra ID (Azure AD), you can also use it as your identity provider.
If you use Active Directory, you'll need a separate identity provider, such as Okta.
In our instructions, we show you how to set up Microsoft Entra ID (Azure AD).
To use Microsoft Entra ID (Azure AD) to manage your users, you need to create an Microsoft Entra ID (Azure AD) tenant, register the ZTNA application, and set up user groups.
You must already have an Microsoft Entra ID (Azure AD) account.
We recommend that you check Microsoft's latest documentation. See Microsoft Entra ID (Azure AD) documentation.
Create an Microsoft Entra ID (Azure AD) tenant
- Sign in to your Azure portal.
Select Azure Active Directory.
In the Microsoft Entra ID (Azure AD) Overview, click Create a tenant.
On the Basics tab, select Azure Active Directory. Then click Next: Configuration.
On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.
On the next page, review your settings and click Create.
Register the ZTNA app
Select Manage > App registrations and click New registration.
On the Register an application page, do as follows:
- Enter a name.
- Accept the default supported account type.
Set a Redirect URI. This is the address that authentication responses are sent to. It must include the ZTNA gateway domain name (FQDN). Here's an example URI:
If you set up a gateway on Sophos Firewall, you must add a new redirect URI in the following format:
https://<gateway’s external FQDN>/ztna-oauth2/callback.
You can add multiple gateway FQDNs. You can also add more FQDNs at any time.
Select Manage > API permissions. Then click Add a permission.
In Request API Permissions, give Sophos Central the permissions needed to read user groups. You need to add Microsoft Graph API permissions, as follows.
Select Delegated permissions and add these:
- profile (profile is in the openID set of permissions)
Select Application permissions and add this:
Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.
On the API Permissions page, you can now see the permissions you've added. Click Grant Admin Consent to give the consent that permissions need.
On the app's Overview page, make a note of the following details. You'll need them later.
- Client ID
- Tenant ID
Click Certificates and secrets. Create a Client secret, make a note of the Value of the client secret, and store it securely.
The client secret isn't shown again. You can't recover it later.
Create an Microsoft Entra ID (Azure AD) user group
This section assumes you create a new user group. If you import user groups from the Microsoft O365 portal, you must ensure they're security enabled. Groups created in Microsoft Entra ID (Azure AD) are automatically security enabled.
To create a user group in Microsoft Entra ID (Azure AD), do as follows.
- Sign in to the Azure portal using a Global administrator account for the directory.
- Select Azure Active Directory.
On the Active Directory page, select Groups. Click New Group.
In the New Group dialog, fill out the following fields:
- Select a Group type. In this example, Microsoft 365.
- Enter a Group name.
- Enter a Group email address or accept the default address shown.
- Select the Membership type. Use Assigned, which lets you choose specific users and give them unique permissions.
The group is created.
To check the created user group is security enabled, do as follows:
- Go to Manage view > Edit columns.
Under Columns, select Security enabled, then click Save.
Under the Security enabled column, the status should show as Yes.
On the new group's page, click Members. Then do as follows:
- Click Add members.
- Search for the users you want and click them.
- When you finish, click Select.
Next, you go to Sophos Central to synchronize user groups with Microsoft Entra ID (Azure AD).