Configure Microsoft Entra ID (Azure AD) to allow users to sign in using UPN
You can configure Microsoft Entra ID (Azure AD) to allow users to sign in using their User Principal Name (UPN) if it's different from their email address.
You must do as follows:
- Set up Microsoft Entra ID (Azure AD) in the Azure portal.
- Add Microsoft Entra ID (Azure AD) as an identity provider in Sophos Central.
Set up Microsoft Entra ID (Azure AD) in the Azure portal
To set up Microsoft Entra ID (Azure AD) in the Azure portal, you must do as follows:
- Create an Azure application.
- Set up authentication for the application.
- Set up token configuration.
- Assign application permissions.
Create an Azure application
Do as follows:
- Sign in to the Azure portal.
- Search for App registrations.
- In the left pane, click App registrations.
- In the right pane, click New registration.
- Enter a name for the application.
- Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
- Under Redirect URI (optional), select Single-page application (SPA) and enter the following URL:
  https://federation.sophos.com/login/callback
- Click Register.
Set up authentication for the application
Do as follows:
- In the application you created, click Authentication.
- Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows).
- Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
- Click Save.
Set up token configuration
Do as follows:
- In the application you created, click Token configuration.
- Under Optional claims, click Add optional claim.
- Under Token type, select ID and then select email.
- Click Add.
- In the pop-up message, select Turn on the Microsoft Graph email permission.
- Click Add.
Assign application permissions
Do as follows:
- In the application you created, click API permissions.
- Under Configured permissions, click Grant admin consent for <account>.
- Click Yes.
Add Microsoft Entra ID (Azure AD) as an identity provider in Sophos Central
Do as follows:
- In Sophos Central, go to Global Settings > Federated identity providers.
- Click Add identity provider.
- Enter a Name and Description.
- Click Type and choose OpenID Connect.
- Click Vendor and choose Microsoft Entra ID (Azure AD).
- Skip Step A: Setup OpenID Connect because you've already set up Microsoft Entra ID (Azure AD) in the Azure portal.
- For Step B: Configure OpenID Connect settings, do as follows:
  - For Client ID, enter the client ID of the application you created in Azure. To find this, do as follows:
    - In the Azure portal, go to App registrations.
    - Select the application you created.
    - Copy the ID in Application (client) ID and paste it in Client ID in Sophos Central.
  - For Issuer, enter the following URL:
    https://login.microsoftonline.com/<tenantId>/v2.0
    Replace <tenantId> with the tenant ID of your Azure instance. To find this, do as follows:
    - In the Azure portal, go to App registrations.
    - Select the application you created.
    - Copy the ID in Directory (tenant) ID and replace <tenantId> with it in the URL.
  - For Authz endpoint, enter the following URL:
    https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/authorize
    Replace <tenantId> with the tenant ID you copied for Issuer.
  - For JWKS URL, enter the following URL:
    https://login.microsoftonline.com/<tenantId>/discovery/v2.0/keys
    Replace <tenantId> with the tenant ID you copied for Issuer.
- Click Select a domain and choose your domain.
  You can add more than one domain. You can only associate a user with one domain.
- Select whether you want to turn on IdP-enforced MFA. Select one of the following:
  - IdP enforced MFA
  - No IdP enforced MFA
- Click Save.
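Before you switch users over, it's worth confirming that the values entered in Step B agree with what the tenant actually publishes, and that the ID tokens Entra ID issues to this application carry the email claim added under Token configuration. The Issuer must match the iss claim in those tokens exactly; for a v2.0 tenant endpoint that is https://login.microsoftonline.com/<tenantId>/v2.0. The following is an added example in Python, not code from the Sophos or Microsoft documentation: it derives the three Step B URLs from a tenant ID, compares them with the tenant's OpenID discovery document (served at <issuer>/.well-known/openid-configuration), and decodes an ID token to check iss, aud, tid and email. The tenant ID, client ID, discovery document and token are constructed samples, not values from a real tenant, so the script runs offline.

```python
"""Checks for the Entra ID (Azure AD) OpenID Connect values entered in Sophos Central.

Added example, not Sophos or Microsoft code. All inputs are constructed samples so
it runs offline; pass a real discovery document to check_discovery() to use it live.
"""
import base64
import json

LOGIN_HOST = "https://login.microsoftonline.com"

# Constructed sample identifiers (not a real tenant or application).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def expected_endpoints(tenant_id: str) -> dict:
    """The Issuer, Authz endpoint and JWKS URL for Step B, derived from the tenant ID."""
    base = f"{LOGIN_HOST}/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
    }


def check_discovery(tenant_id: str, discovery: dict) -> list:
    """Compare the tenant's discovery document (<issuer>/.well-known/openid-configuration)
    with the URLs derived from the tenant ID. Returns mismatches; an empty list is good."""
    problems = []
    for key, want in expected_endpoints(tenant_id).items():
        got = discovery.get(key)
        if got != want:
            problems.append(f"{key}: discovery document says {got!r}, Sophos Central has {want!r}")
    return problems


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_id_token(id_token: str, tenant_id: str, client_id: str) -> list:
    """Decode an ID token's header and payload and report anything that would stop
    Sophos Central from mapping the user. This does NOT verify the signature against
    the JWKS URL, so it is a troubleshooting aid, never an authentication decision."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg", "none").lower() == "none":
        problems.append("unsigned token (alg=none) must never be accepted")
    if claims.get("iss") != expected_endpoints(tenant_id)["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} does not match the Issuer entered for the tenant")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the Application (client) ID entered as Client ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    if "email" not in claims:
        # Sophos Central matches the user on email; without the optional claim from
        # Token configuration the token only carries the UPN in preferred_username.
        problems.append("no email claim: add the optional email claim under Token configuration")
    return problems


# --- constructed samples used by the demo below and the checks above ---

def sample_discovery(tenant_id: str = TENANT_ID) -> dict:
    """Shape of the v2.0 discovery document, trimmed to the fields checked here."""
    return {**expected_endpoints(tenant_id),
            "response_types_supported": ["code", "id_token", "code id_token"]}


def make_id_token(claims: dict, alg: str = "RS256") -> str:
    """Build a constructed token with a placeholder signature for inspect_id_token()."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"typ": "JWT", "alg": alg, "kid": "constructed"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


def sample_claims(with_email: bool = True) -> dict:
    """Claims as an Entra v2.0 ID token carries them: the UPN in preferred_username,
    email only when the optional claim is configured."""
    claims = {"iss": expected_endpoints(TENANT_ID)["issuer"], "aud": CLIENT_ID,
              "tid": TENANT_ID, "preferred_username": "jdoe@corp.example",
              "oid": "constructed-object-id"}
    if with_email:
        claims["email"] = "jane.doe@example.com"
    return claims


if __name__ == "__main__":
    print(check_discovery(TENANT_ID, sample_discovery()))
    print(inspect_id_token(make_id_token(sample_claims()), TENANT_ID, CLIENT_ID))
    print(inspect_id_token(make_id_token(sample_claims(with_email=False)), TENANT_ID, CLIENT_ID))
```

To run this against a live tenant, fetch https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration with any HTTP client and pass the parsed JSON to check_discovery(); an ID token captured from a test sign-in (for example from the browser's developer tools) can be passed to inspect_id_token(). The decode step is deliberately signature-free: it tells you whether the claims you expect are present, and nothing more.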
Sign-in workflow
Here's how users and administrators sign in using their UPN:
- Users and administrators sign in with their associated email address in Sophos Central.
- They're shown a screen depending on the selections in Sophos sign-in settings:
  - If you've chosen Sophos Central Admin or Federated credentials in Global Settings > Sophos sign-in settings, they're shown a screen that allows them to sign in with either option. To sign in using UPN, they must do as follows:
    - Click Sign in with SSO. They're shown the Microsoft Azure sign-in page.
    - Enter the UPN and password.
  - If you've chosen Federated credentials only in Global Settings > Sophos sign-in settings, they're shown the Microsoft Azure sign-in page, where they enter the UPN and password.