Problems with user sync and AAD for endpoint deployments

I setup a new account & tenancy for Sophos and AAD earlier this month.

Got the AAD Sync setup, users populated across based on the group set and all seemed fine.

Started deploying Sophos through InTune this week and I find that the 'People' tab in Central is now essentially dual populated.

It's got ticked entries for all the users who are installed, e-mail address and such - and it's got the 'AzureAD\username' entries for what the Sync had populated. Though the AzureAD entries don't have a an email address - which seems to be the main difference and what I can only suspect is root of the issue. Like Sophos is recognising logins by UPN rather than AzureAD.

This in turn suggests to me that I've got the Sync setup wrong - but I'm not clear on how exactly I'm supposed to set it to pick up by UPN. Should I be doing it by user filter rather than group ID?

Any suggestions welcomed.

Parents
  • As a test, would it be possible for you to try uninstalling Sophos from one of the devices, and to delete the user and device entry that was created?

    If you could then try manually installing the Sophos Agent onto the device in question while logged in with the AD User you would like the device to be associated with, this will help us determine if the InTune deployment method is playing a part in the results you are getting. 

    Generally, the device/user associated will be determined based on the UserID that is logged in. If the Domain\Username matches exactly, you should not see the user entries duplicated. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • As a test, would it be possible for you to try uninstalling Sophos from one of the devices, and to delete the user and device entry that was created?

    If you could then try manually installing the Sophos Agent onto the device in question while logged in with the AD User you would like the device to be associated with, this will help us determine if the InTune deployment method is playing a part in the results you are getting. 

    Generally, the device/user associated will be determined based on the UserID that is logged in. If the Domain\Username matches exactly, you should not see the user entries duplicated. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Hi Kushal,

    I understand where you're coming from, but there's no rhyme or reason as to what profile is reporting as the current/active one. Some are the identities from the AD Sync and some are the local device identities - and since every device has been installed via InTune it rather nullifies your theory.

    Any other suggestions? Or should I take this to a full blown support ticket?