Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-server-Azure

Microsoft Entra ID (Azure AD) server

You can use Microsoft Entra ID to authenticate a user signing in to the web admin console of the firewall. The Microsoft Entra ID integration with the firewall enables you to dynamically manage administrators using role and group mapping. It provides a centralized platform to securely control access to your applications, data, and resources through the firewall.

Role and group mapping

You can use role or group mapping to control access and identify the users signing in to the firewall. In Azure, you create an application for the firewall, create application roles or groups, and assign users to the application. When a user signs in to the firewall, Microsoft Entra ID sends a token containing information about that user. The firewall uses the role or group values to identify the users and authenticates only those with the application roles or groups configured for the firewall.

Signing out of the firewall

When a Microsoft Entra ID user signs out of the firewall, the authentication token isn't removed from the browser. The token remains valid for seven days from the first sign-in. So, when the user clicks SSO to sign in to the firewall again, they're automatically signed in if their token is still valid.

The firewall doesn't support Microsoft Entra ID's single sign-out feature (LogoutURL).

Logs for troubleshooting

You can see logs related to the Microsoft Entra ID integration in the following locations:

  • On the command-line console, you can see logs in the /log/oauth_sso_webadmin.log​ file.
  • In the log viewer, Microsoft Entra ID logs appear with the Admin log type.​

Restrictions

  • Currently, the native firewall integration with Microsoft Entra ID using the OAuth 2.0 and OpenID Connect (OIDC) protocols only supports authentication for the web admin console. It doesn't support authentication for end users. It also doesn't support rules and policies configured to match users, such as firewall rules and SD-WAN routes.

    Note

    Alternatively, to use Microsoft Entra ID authentication for the web admin console, captive portal, user portal, and client authentication agent (CAA), you can integrate the firewall with Microsoft Entra ID using the Microsoft Entra ID Domain Services. See Sophos Firewall: Integrate Sophos Firewall with Microsoft Entra ID.

  • In an HA deployment, you can't currently sign in to the web admin console of the auxiliary device using Microsoft Entra ID SSO.

Integrate Microsoft Entra ID with the firewall

To integrate Microsoft Entra ID with the firewall, you must do as follows:

  1. Configure Microsoft Entra ID in Azure Portal. See Configure Microsoft Entra ID (Azure AD) in Azure Portal.
  2. Add the Microsoft Entra ID server in the firewall. See Add a Microsoft Entra ID (Azure AD) server.

This video takes you through integrating Microsoft Entra ID with the firewall.