I saw the post from 6 months ago about this. I'm posting this again. Hopefully, it will generate more traffic.
Setting up AzureAD user synchronization and enabling users to sign in with Microsoft doesn't appear to actually let anyone sign into the Sophos Self-service Portal. It appears that I still need to send an enrollment email to each user before they can sign in and register their mobile device.
Is this accurate?
If this is by design, that's crazy. Why bother to have controls for sign-in at all? I think allowing users to sign in with their Microsoft credentials should actually... allow users to sign in with Microsoft credentials. Why is it necessary to send everyone an enrollment email?
If I wanted to do that, I wouldn't have bothered to set it up to use Microsoft creds in the first place.
I've already upvoted the suggested fix; I just want to generate traffic about this topic to hopefully push it up the priority list, because the current requirement is nonsensical.
This has to do with the "Self Service role" being assigned to the end-user so that login is permitted. There is an option under "Global Settings > User Access" that will automatically send the end users the setup email upon account creation, to help alleviate the added step for admins.
From an end-user/usability perspective however, I do see how needing to create an additional account would be awfully confusing. I recommend sharing out your suggestion from the Sophos Ideas page so that it is more likely to be implemented in future versions of SMC.
You can update the app using your device's app store or the settings menu if a system update is required. Another option could be clearing cache and data via your device's settings menu.