Federated Sign In - Setup consequences

Hi,


I need to set up federated services between Azure AD and Sophos Central.

Currently Sophos is synced with our on-prem AD which is in a hybrid configuration with Azure.


I've read these two articles which seem pretty clear but I'd just like to clear up some doubts.

https://community.sophos.com/kb/en-us/133433

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_federatedsignin.html


- What will happen to the current synced users and any managed devices that they are assigned to?

- Are there any other considerations?


Thanks

  • Hi  

    Active Directory synchronization in Sophos Central is different from the federated sign-in option provided in Sophos Central.

    If you opt for Federated Sign-in, it will not remove your synced users from your Sophos Central account.

    Federated Sign-in just provides you with another authentication and sign-in option, so that you do not have to create another login for users who are already in your AD.

    AD sync will remain as it is in Sophos Central.

  • In reply to Jasmin:

    Thanks Jasmin.


    So we would end up with duplicate accounts in theory, since the Azure AD is the same as what's on-prem (or am I reading that wrongly)?

    I did read something about Enterprise users mentioned in https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_federatedsignin.html


    Is this AD Enterprise admins or Central admin?

  • In reply to Andrew Thompson2:

    Hi  

    They are talking about Sophos Central Enterprise dashboard admins.

    The Central Enterprise dashboard is for managing multiple Central consoles which are under different sub-estates.

    To know more about it, please refer to this guide.

  • In reply to Jasmin:

    Thanks.


    I'm not really sure what is meant by this line though.

    "If an administrator is also an Enterprise admin they can't use the same Microsoft sign-in credentials to sign in to both consoles."


    Does this mean that if our Enterprise admin uses the same credentials for both estates, he will only be able to be that admin in one?

    If so which?

  • In reply to Andrew Thompson2:

    Hi  

    In that statement, they are talking about the Sophos Central Enterprise console and the Sophos Central Admin console, regardless of any sub-estates.

    If you have enabled Sophos Central Enterprise Admin and any of your Sophos Central Admin console users are Enterprise Super Admins/Admins, then the above statement applies.

  • In reply to Jasmin:

    Thanks Jasmin!

    Just one more question.

    By enabling federated services, will that duplicate all of the users in Central?

    Bear in mind our on-prem AD is synced with Central and Azure.


    The impression I'm getting here is that there will be two separate estates and they won't show up in the same console.


  • In reply to Andrew Thompson2:

    Hi  

    It will not duplicate all of the users in Central. It just provides you with another way of logging into the Sophos Central dashboard. It only shows those users who log into Sophos Central, not all of the users. Your synced users will be there without any change.

    The Enterprise Admin concept is different. An Enterprise Super Admin can log into the Sophos Central Enterprise dashboard and the Sophos Central Admin dashboard for any of the sub-estates. Because of that, they have mentioned the two different consoles above: the Enterprise dashboard and the Central Admin dashboard.