
azure ad

Only took a quick search of the forums, but is it possible to authenticate against Azure AD without Azure Domain services? Has anyone gotten Azure AD auth like this to work?

I'd just love to do without the need for the Client Authentication app, which sometimes times out on me or other times doesn't load / log in on startup.

I'd love to investigate the idea of using SSO auth with XG and Azure AD (non Domain services) to work. Is it possible?

Thanks

JK

  • I was about to ask the same question so I'll tag onto this one instead.

    I don't think the Sophos can 'join' Azure AD so I doubt the same SSO auth is possible doing the browser redirection. For STAS to work it would need access to Azure AD "event logs" (or whatever the Azure AD equivalent is).

    It would be awesome if a Sophos rep could chime in and tell me if this is possible or is being worked on.

    James

  • Similar situation here. I'm currently setting up a new network that will use Azure AD, with no on-premise server. So the question is: how to configure authentication in the XG? Is it possible to sync with Azure AD?

  • Hi guys,

    I've been on your path for more than a year and I still cannot authenticate users on Sophos XG using AD on Azure.

    I'm also using AADDS, but STAS doesn't work because AADDS has limited functionality.

    For Sophos: Please launch a modern authentication mechanism that is able to interact with Azure AD directly. We're no longer using local AD servers (last 2Y).

    Thanks.

    Antonio

  • In reply to António Soares:

    I've got Sophos synced with Azure AD. You do need to sync with Central first, but then you alter the app manifests on Azure apps to get your groups right.

    Should have said it's coming in XG v17.5, so if you're not up for coding, it is coming.

  • In reply to john_kenny:

    Thanks John for the tip.

    And for those without Sophos Central?

    Cheers,

    António Soares

  • In reply to Antonio Soares:

    I'd recommend getting Sophos Central and XG with Sandstorm, it's so worth it. The new isolation is great; it used to require Central heartbeat, but now Central will do an admin isolation with XG. It's great, and v17.5 has so many new features it's going to be very hard to beat as a product.

  • In reply to john_kenny:

    Hi,

    Thanks again for the tip.

    I've registered my devices in Central but I have no option for Azure AD integration. I do however have a sync tool available for AD.

    Cheers,

    António Soares

  • In reply to john_kenny:

    Hi John,

    I would really need your help to configure Azure AD to integrate with the on-premise Sophos XG firewall v18 MR1.

    We do not have an on-premise domain controller.

    Users are already synchronized on Central from Azure AD.

    How do I alter the app manifests to get the groups right?

  • In reply to Elz:

    Azure AD is a feature which is currently on the roadmap to be integrated in the future.

    As Azure AD could be integrated as a standard LDAP product, unluckily the answers by Azure AD break compared to the common AD.

    So it is currently not possible to integrate an Azure AD.

    A simple midterm solution would be to create a small Azure appliance and integrate this as a DC with AD Sync. That way you can talk to the AD, which is running in the cloud.

  • In reply to LuCar Toni:

    LuCar Toni,

    Thank you once again for your response.

    I do not plan for a VM, just want to be in the cloud.

    I have Azure AD Sync with Sophos Central and all the users imported from Azure AD and the computers joined to the Azure AD.

    Can the XG firewall support modern authentication like Sophos Central, so the users can be imported to the XG firewall since they are already on Sophos Central?

    I have been looking for a workaround.

    Have to revert to MAC address and Client Agent auth.

    How soon can this feature be developed by the engineering team? Many XG customers need this.