Skip to content

Set up directory service

You need a directory service to manage your user groups.

You can use Microsoft Entra ID (Azure AD) or Active Directory. To help you decide which to use, consider the following:

  • If you use Microsoft Entra ID (Azure AD), you can also use it as your identity provider.

  • If you use Active Directory, you'll need a separate identity provider, such as Okta.

In our instructions, we show you how to set up Microsoft Entra ID (Azure AD).

To use Microsoft Entra ID (Azure AD) to manage your users, you need to create an Microsoft Entra ID (Azure AD) tenant, register the ZTNA application, and set up user groups.

You must already have an Microsoft Entra ID (Azure AD) account.


We recommend that you check Microsoft's latest documentation. See Microsoft Entra ID (Azure AD) documentation.

Create an Microsoft Entra ID (Azure AD) tenant

  1. Sign in to your Azure portal.
  2. Select Azure Active Directory.

    Azure portal

  3. In the Microsoft Entra ID (Azure AD) Overview, click Create a tenant.

    Microsoft Entra ID (Azure AD) Overview

  4. On the Basics tab, select Azure Active Directory. Then click Next: Configuration.

    Tenant Basics tab in Microsoft Entra ID (Azure AD)

  5. On the Configuration tab, enter your organization and domain name details. Click Next: Review + Create.

    Tenant Configuration tab in Microsoft Entra ID (Azure AD)

  6. On the next page, review your settings and click Create.

    Final screen to create tenant in Microsoft Entra ID (Azure AD)

Register the ZTNA app

  1. Select Manage > App registrations and click New registration.

    App Registrations page in Microsoft Entra ID (Azure AD)

  2. On the Register an application page, do as follows:

    1. Enter a name.
    2. Accept the default supported account type.
    3. Set a Redirect URI. This is the address that authentication responses are sent to. It must include the ZTNA gateway domain name (FQDN). Here's an example URI:


      If you set up a gateway on Sophos Firewall, you must add a new redirect URI in the following format: https://<gateway’s external FQDN>/ztna-oauth2/callback.

      You can add multiple gateway FQDNs. You can also add more FQDNs at any time.

    4. Click Register.

      Register an application page in Microsoft Entra ID (Azure AD)

  3. Select Manage > API permissions. Then click Add a permission.

    API permissions page in Microsoft Entra ID (Azure AD)

  4. In Request API Permissions, give Sophos Central the permissions needed to read user groups. You need to add Microsoft Graph API permissions, as follows.

    Select Delegated permissions and add these:

    • Directory.Read.All
    • Group.Read.All
    • openID
    • profile (profile is in the openID set of permissions)
    • User.Read
    • User.Read.All

    Select Application permissions and add this:

    • Directory.Read.All

    Delegated permissions are for apps running with a signed-in user. Application permissions allow services to run without a user sign-in.

    Request API Permissions page

  5. On the API Permissions page, you can now see the permissions you've added. Click Grant Admin Consent to give the consent that permissions need.

    Completed API permissions

  6. On the app's Overview page, make a note of the following details. You'll need them later.

    • Client ID
    • Tenant ID

    App details in Microsoft Entra ID (Azure AD)

  7. Click Certificates and secrets. Create a Client secret, make a note of the Value of the client secret, and store it securely.


    The client secret isn't shown again. You can't recover it later.

    New client secret in Microsoft Entra ID (Azure AD)

Create an Microsoft Entra ID (Azure AD) user group


This section assumes you create a new user group. If you import user groups from the Microsoft O365 portal, you must ensure they're security enabled. Groups created in Microsoft Entra ID (Azure AD) are automatically security enabled.

To create a user group in Microsoft Entra ID (Azure AD), do as follows.

  1. Sign in to the Azure portal using a Global administrator account for the directory.
  2. Select Azure Active Directory.
  3. On the Active Directory page, select Groups. Click New Group.

    Screenshot of Groups page in Microsoft Entra ID (Azure AD)

  4. In the New Group dialog, fill out the following fields:

    1. Select a Group type. In this example, Microsoft 365.
    2. Enter a Group name.
    3. Enter a Group email address or accept the default address shown.
    4. Select the Membership type. Use Assigned, which lets you choose specific users and give them unique permissions.
    5. Click Create.

      The group is created.

    Screenshot of New group dialog in Microsoft Entra ID (Azure AD)

  5. On the new group's page, click Members. Then do as follows:

    1. Click Add members.
    2. Search for the users you want and click them.
    3. When you finish, click Select.

    Screenshot of Members tab in Microsoft Entra ID (Azure AD)

    Next, you go to Sophos Central to synchronize user groups with Microsoft Entra ID (Azure AD).