Zero Trust Network Access
ZT1005: Using Azure AD as an Identity Provider for ZTNA
January 2022
Version: 1.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION: 5 minutes
When you have completed this chapter, you will be able to describe how Azure AD can be used as
an Identity Provider for ZTNA.
Before Azure AD can be configured as an Identity Provider, it must also be configured as a directory
service to manage users and groups.
You need to create an Azure AD tenant in your Azure AD account. You then register the ZTNA
application, and set up user groups.
Configure app permissions
Add authentication URLs
An app registration must be created in Azure AD so that Sophos Central can synchronize users and
groups, and ZTNA can authenticate users. You will need to create a client secret that Central uses
to authenticate itself. The secret value is shown only once, at the moment it is created, so it is
important to store it somewhere secure before leaving the page.
You will need to configure the API permissions for the app registration, which controls what can be
accessed using the client secret you created. Microsoft Graph delegated and application
permissions must be assigned. Delegated permissions are for apps running with a signed-in user.
Application permissions allow services to run without a user sign-in.
[Additional Information]
Microsoft document on adding the permissions required for Sophos Central to sync users and
groups:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api
You need to add redirect URIs for authentication. These are the URIs Azure AD redirects back to
once authentication is complete. When creating an app registration for Sophos Central user
synchronization you add https://central.sophos.com. For ZTNA you need to add a callback URI for
each ZTNA gateway. This will be the FQDN of the gateway with /oauth2/callback appended, as in the
example.
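The two configuration points above (Graph permission types and per-gateway redirect URIs) are easy to get subtly wrong, because Azure AD matches redirect URIs exactly and a stale entry for a decommissioned gateway is a dangling redirect URI. The following is an added example, not code from the Sophos course or product: it reads an app registration manifest excerpt (the JSON shape Azure AD exports, with web.redirectUris and requiredResourceAccess), builds the expected set of callback URIs from a list of gateway FQDNs, and reports missing, extra and non-https entries, then counts the Microsoft Graph permissions by kind. The manifest, gateway names and permission IDs are constructed placeholders; the Microsoft Graph resource app ID is the well-known fixed value.

```python
"""Sanity checks on an Azure AD app registration manifest used for Sophos
Central sync and ZTNA gateway authentication (added example, not Sophos code).

SAMPLE_MANIFEST is CONSTRUCTED data in the shape of an Azure AD app
registration manifest; gateway FQDNs and permission IDs are placeholders.
"""
import json
from urllib.parse import urlparse

# Microsoft Graph's well-known resource application ID (same in every tenant).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Redirect URI used for Sophos Central user synchronization (from the course text).
CENTRAL_REDIRECT = "https://central.sophos.com"
# Path appended to each ZTNA gateway FQDN (from the course text).
CALLBACK_PATH = "/oauth2/callback"

# Constructed manifest excerpt: two gateways are expected, one callback URI is
# missing and a stray http:// entry for an old gateway is still present.
SAMPLE_MANIFEST = json.loads("""
{
  "web": {
    "redirectUris": [
      "https://central.sophos.com",
      "https://gateway1.example.com/oauth2/callback",
      "http://old-gateway.example.com/oauth2/callback"
    ]
  },
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "PLACEHOLDER-DELEGATED-PERMISSION-ID", "type": "Scope"},
        {"id": "PLACEHOLDER-APPLICATION-PERMISSION-ID", "type": "Role"}
      ]
    }
  ]
}
""")


def expected_redirect_uris(gateway_fqdns):
    """Set of redirect URIs the registration should contain: the Central URI
    plus https://<gateway FQDN>/oauth2/callback for every gateway."""
    uris = {CENTRAL_REDIRECT}
    for fqdn in gateway_fqdns:
        uris.add(f"https://{fqdn}{CALLBACK_PATH}")
    return uris


def check_redirect_uris(manifest, gateway_fqdns):
    """Compare the manifest's redirect URIs with the expected set.

    Azure AD matches redirect URIs exactly, so a missing or mistyped entry
    makes that gateway's OAuth2 callback fail. An extra entry is either a typo
    or a dangling URI for a host that no longer exists, so it is flagged too,
    as is anything that is not https.
    """
    actual = set(manifest.get("web", {}).get("redirectUris", []))
    expected = expected_redirect_uris(gateway_fqdns)
    return {
        "missing": sorted(expected - actual),
        "extra": sorted(actual - expected),
        "insecure": sorted(u for u in actual if urlparse(u).scheme != "https"),
    }


def summarize_graph_permissions(manifest):
    """Count Microsoft Graph permissions by kind. In the manifest a type of
    'Scope' is a delegated permission (acts on behalf of a signed-in user) and
    'Role' is an application permission (service runs with no user sign-in)."""
    counts = {"delegated": 0, "application": 0}
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != MS_GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Scope":
                counts["delegated"] += 1
            elif access.get("type") == "Role":
                counts["application"] += 1
    return counts


if __name__ == "__main__":
    gateways = ["gateway1.example.com", "gateway2.example.com"]  # constructed
    print(json.dumps(check_redirect_uris(SAMPLE_MANIFEST, gateways), indent=2))
    print(summarize_graph_permissions(SAMPLE_MANIFEST))
```

Run against the real manifest (exported from the app registration's Manifest blade) and your inventory of gateway FQDNs, the same checks show whether every gateway has its exact callback URI and whether any leftover URIs should be removed.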
COMPLETE A SIMULATION
In this simulation you will create an app registration in Azure Active Directory that can be used to
synchronize users in Sophos Central and for authenticating with the ZTNA gateway.
[Additional Information]
SIMULATION: https://training.sophos.com/zt/simulation/AzureADAppRegistration/1/start.html
Once you have created the app registration you can set up Azure AD sync in Sophos Central using
the Application (Client) ID and the client secret.
[Additional Information]
Documentation for configuring Azure AD Synchronization in Sophos Central:
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/learningContents/AzureSyncSetup.html
https://support.sophos.com/support/s/article/KB-000036435
To set up Azure AD as an Identity Provider you also need the ‘Tenant ID’, which can be found by
clicking on the ‘Display name’ link in the App registrations page.
We’ll now look at how to add Azure AD as an identity provider for ZTNA. The configuration is very
similar to the Azure AD Sync configuration, but also includes the ‘Tenant ID’.
COMPLETE A SIMULATION
In this simulation you will configure Azure AD as an identity provider for ZTNA in Sophos Central.
[Additional Information]
SIMULATION: https://training.sophos.com/zt/simulation/AzureADIdentityProvider/1/start.html
Here are the three main things you learned in this chapter.
Before Azure AD can be configured as an Identity Provider, it must also be configured as a directory
service to manage users and groups.
An app registration must be created in Azure AD so that Sophos Central can synchronize users and
groups and ZTNA can authenticate users.
Information from the app registration and the Azure AD tenant ID is used to add it as an Identity
Provider for ZTNA.