
Using Azure AD as an Identity Provider for ZTNA

Zero Trust Network Access

Version: 1.0v1

[Additional Information]
Zero Trust Network Access
ZT1005: Using Azure AD as an Identity Provider for ZTNA

January 2022
Version: 1.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Using Azure AD as an Identity Provider for ZTNA - 1


Using Azure AD as an Identity Provider for ZTNA

When you have completed this chapter, you will be able to describe how Azure AD can be used as an
Identity Provider for ZTNA.

RECOMMENDED KNOWLEDGE AND EXPERIENCE

We recommend you have the knowledge up to and including the chapter Sophos ZTNA

DURATION

5 minutes

When you have completed this chapter, you will be able to describe how Azure AD can be used as
an Identity Provider for ZTNA.



Azure AD Directory Service

Azure AD must be configured as a directory service to manage users and groups

Create an Azure AD tenant

Register the ZTNA application and set up user groups

Before Azure AD can be configured as an Identity Provider, it must also be configured as a directory
service to manage users and groups.

You need to create an Azure AD tenant in your Azure AD account. You then register the ZTNA
application, and set up user groups.



Azure AD App Registration
Azure Active Directory: Create an app registration

Create a client secret

Configure app permissions

Add authentication URLs

An app registration must be created in Azure AD so that Sophos Central can synchronize users and
groups, and ZTNA can authenticate users. You will need to create a client secret that Central uses
to authenticate itself. Once the secret is created it will only be shown once, so it is important to
store it somewhere secure.



Azure AD App Registration
Azure Active Directory: Create an app registration

Create a client secret

Configure app permissions

Add authentication URLs

You will need to configure the API permissions for the app registration, which controls what can be
accessed using the client secret you created. Microsoft Graph delegated and application
permissions must be assigned. Delegated permissions are for apps running with a signed-in user.
Application permissions allow services to run without a user sign-in.

The set of permissions required is shown here.

[Additional Information]
Microsoft document on adding the permissions required for Sophos Central to sync users and
groups.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api

Full set of permissions required for ZTNA:

Directory.Read.All (Delegated)
Directory.Read.All (Application)
Group.Read.All (Delegated)
User.Read (Delegated)
User.Read.All (Delegated)



Azure AD App Registration
Azure Active Directory: Create an app registration

Create a client secret

Configure app permissions

Add authentication URLs

You need to add redirect URIs for authentication; these are used to redirect the user back to the
application once authentication is complete. When creating an app registration for Sophos Central
user synchronization you add https://central.sophos.com. For ZTNA you need to add a callback URI
for each ZTNA gateway. This will be the FQDN of the gateway with /oauth2/callback added, as in the
example shown.
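To check a finished registration against what this chapter requires (the Sophos Central URI, one callback per gateway, and the Graph permission set), here is an added Python example; it is not Sophos or Microsoft code, and the gateway names, the snapshot layout and the stray entries in it are constructed for illustration.

```python
# Added example, not Sophos or Microsoft code: audits a ZTNA app registration
# against the redirect URIs and Graph permissions this course lists. The input
# shape is a constructed simplification of the Azure AD manifest (which uses GUIDs).
CENTRAL_REDIRECT = "https://central.sophos.com"  # Sophos Central user sync
CALLBACK_PATH = "/oauth2/callback"              # appended to each gateway FQDN

# Delegated = acts for the signed-in user; Application = runs with no user.
REQUIRED_PERMISSIONS = {
    ("Directory.Read.All", "Delegated"),
    ("Directory.Read.All", "Application"),
    ("Group.Read.All", "Delegated"),
    ("User.Read", "Delegated"),
    ("User.Read.All", "Delegated"),
}

# Constructed sample: one stale HTTP callback and one permission ZTNA never needs.
SAMPLE_APP = {
    "redirect_uris": [
        "https://central.sophos.com",
        "https://ztna-gw1.example.com/oauth2/callback",
        "http://ztna-test.example.com/oauth2/callback",
    ],
    "permissions": [
        ("Directory.Read.All", "Delegated"), ("Directory.Read.All", "Application"),
        ("Group.Read.All", "Delegated"), ("User.Read", "Delegated"),
        ("User.Read.All", "Delegated"), ("Mail.Read", "Application"),
    ],
}


def gateway_callback(fqdn):
    """Build a gateway redirect URI: https://<fqdn>/oauth2/callback."""
    fqdn = fqdn.strip().lower().rstrip(".")
    if not fqdn or any(c in fqdn for c in "/*: "):
        raise ValueError(f"not a bare gateway FQDN: {fqdn!r}")
    return f"https://{fqdn}{CALLBACK_PATH}"


def audit(app, gateway_fqdns):
    """Return findings: URIs and permissions that differ from the expected set."""
    want_uris = {CENTRAL_REDIRECT} | {gateway_callback(f) for f in gateway_fqdns}
    have_uris = set(app["redirect_uris"])
    have_perms = set(app["permissions"])
    findings = []
    # Any registered redirect URI can receive authorization codes, so an
    # unexpected or plain-HTTP entry is a code-leak risk, not just clutter.
    findings += [f"unexpected redirect URI: {u}" for u in sorted(have_uris - want_uris)]
    findings += [f"missing redirect URI: {u}" for u in sorted(want_uris - have_uris)]
    findings += [f"missing permission: {n} ({t})" for n, t in sorted(REQUIRED_PERMISSIONS - have_perms)]
    # Extra Graph permissions widen what a leaked client secret could do.
    findings += [f"excess permission: {n} ({t})" for n, t in sorted(have_perms - REQUIRED_PERMISSIONS)]
    return findings
```

Run `audit(SAMPLE_APP, ["ztna-gw1.example.com"])` to see the stale HTTP callback and the excess Mail.Read permission reported; an empty list means the registration matches the chapter's expected state.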



Azure AD App Registration
Azure Active Directory: Create an app registration

COMPLETE A SIMULATION

In this simulation you will create an app registration in Azure Active Directory that can be used to
synchronize users in Sophos Central and for authenticating with the ZTNA gateway.

[Additional Information]
SIMULATION: https://training.sophos.com/zt/simulation/AzureADAppRegistration/1/start.html



Central Azure AD Synchronization

Once you have created the app registration you can set up Azure AD sync in Sophos Central using
the Application (Client) ID and the Client secret.

[Additional Information]
Documentation for configuring Azure AD Synchronization in Sophos Central:

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/learningContents/AzureSyncSetup.html

https://support.sophos.com/support/s/article/KB-000036435



Azure AD App Registration
Azure Active Directory: Find the Tenant ID

To set up Azure AD as an Identity Provider you also need the ‘Tenant ID’, which can be found by
clicking on the ‘Display name’ link in the App registrations page.



ZTNA Identity Provider
Sophos Central: Configure ZTNA Identity Provider

We’ll now look at how to add Azure AD as an identity provider for ZTNA. The configuration is very
similar to the Azure AD Sync configuration, but also includes the ‘Tenant ID’.



Azure AD ZTNA Identity Provider
Sophos Central: Configure Azure AD as a ZTNA Identity Provider

COMPLETE A SIMULATION

In this simulation you will configure Azure AD as an identity provider for ZTNA in Sophos Central.

[Additional Information]
SIMULATION: https://training.sophos.com/zt/simulation/AzureADIdentityProvider/1/start.html



Chapter Review

Azure AD must be configured as a directory service to manage users and groups.

An app registration must be created in Azure AD so that Sophos Central can synchronize
users and groups and ZTNA can authenticate users.

Azure AD must be added as an Identity Provider for ZTNA using the app registration
details and its Tenant ID.

Here are the three main things you learned in this chapter.

Before Azure AD can be configured as an Identity Provider, it must also be configured as a directory
service to manage users and groups.

An app registration must be created in Azure AD so that Sophos Central can synchronize users and
groups and ZTNA can authenticate users.

Information from the app registration and the Azure AD tenant ID is used to add Azure AD as an
Identity Provider for ZTNA.
