Azure AD SSO WebAdmin / API permissions


what API permissions do I need for the Azure AD app?

I have reduced it to the following permissions, and it seems to work:

Would that be fine?

What I noticed so far:

- On every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- After logging out and logging in again, the identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd; I would expect the Azure AD login page to appear again. This also happens only sporadically. It might be a browser or cookie issue; they should be deleted upon logout. I do not have the same issue with other applications set up on the Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,


  • Hi,


    I hope Sophos is aware that Azure AD supports logout URIs for apps? This way the user will not be logged out from all Azure apps, only from this specific app where the logout URI was called.

    So if cookies are not removed upon logout, when will reauthentication be needed? E.g. Sophos ZTNA requires reauthentication after 7 days.

    Kind regards,
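The two observations in this thread (the previous UPN being re-used after a logout, and the question of what a logout URI buys you) come down to which session an application actually ends. The following is an added example, not Sophos code and not taken from either post: a minimal relying-party side of OIDC logout against the Microsoft identity platform v2.0 endpoints. It shows RP-initiated logout (clear the local session cookie, then send the browser to the tenant's end-session endpoint with id_token_hint and post_logout_redirect_uri so the IdP session for that account is ended too) and a front-channel logout URL handler, which is what Azure AD calls in the browser when the user signs out elsewhere. The session store, tenant, cookie values, sid/iss values and the sample ID token string are constructed for the example; the front-channel parameter names `iss` and `sid` are those defined by OIDC Front-Channel Logout 1.0, and the handler copes with their absence as the spec requires.

```python
"""Added example (not Sophos code): both halves of OIDC logout that a
relying party must implement so a sign-out really forces re-authentication.

Assumptions (not from the thread): a dict keyed by the RP's own session
cookie as the session store, the tenant "contoso.onmicrosoft.com", and
sample ID-token claims constructed inline.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# v2.0 issuer value as it appears in the ID token's 'iss' claim.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
EXPECTED_ISS = ISSUER_TEMPLATE.format(tenant_id="tid-1")  # constructed tenant GUID stand-in

# Constructed sample store: what the RP recorded at login, keyed by its own
# session cookie. 'sid' and 'iss' are copied from the ID token claims.
SESSIONS = {
    "cookie-aaa": {"upn": "alice@contoso.com", "sid": "sid-1", "iss": EXPECTED_ISS},
    "cookie-bbb": {"upn": "bob@contoso.com", "sid": "sid-2", "iss": EXPECTED_ISS},
}


def build_end_session_url(tenant, id_token, post_logout_redirect_uri):
    """RP-initiated logout: the browser is sent to the tenant's v2.0
    end-session endpoint. id_token_hint tells the IdP which account's
    session to end (no account picker); post_logout_redirect_uri must be
    one of the redirect URIs registered on the app."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/logout?{query}"


def parse_end_session_url(url):
    """Helper for inspection: returns (path, {param: value})."""
    parts = urlparse(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def rp_initiated_logout(sessions, cookie, tenant, id_token, post_logout_redirect_uri):
    """Drop the local session, expire the cookie, then redirect to the IdP.
    Returns (Set-Cookie header, redirect URL). Stopping after the first two
    steps is exactly the failure mode where the IdP session stays alive and
    the next login completes silently with the previous UPN."""
    sessions.pop(cookie, None)
    clear_cookie = "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
    return clear_cookie, build_end_session_url(tenant, id_token, post_logout_redirect_uri)


def handle_front_channel_logout(sessions, query_string, expected_iss, browser_cookie=None):
    """Handler for the app's registered front-channel logout URL.
    The IdP loads it in the user's browser when the session ends elsewhere.
    Per OIDC Front-Channel Logout 1.0, 'iss' and 'sid' are either both
    present or both absent; with them we end the matching session, without
    them we end the session bound to the browser's cookie. An 'iss' that is
    not our issuer is ignored so a third party cannot log our users out.
    Returns the UPNs whose local sessions were ended."""
    params = parse_qs(query_string)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    if (iss is None) != (sid is None):
        return []  # malformed: spec requires both or neither
    if iss is not None and iss != expected_iss:
        return []  # not from the issuer we trust
    ended = []
    if sid is not None:
        for cookie, sess in list(sessions.items()):
            if sess["sid"] == sid and sess["iss"] == expected_iss:
                del sessions[cookie]
                ended.append(sess["upn"])
    elif browser_cookie in sessions:
        ended.append(sessions.pop(browser_cookie)["upn"])
    return ended


if __name__ == "__main__":
    store = dict(SESSIONS)
    header, url = rp_initiated_logout(
        store, "cookie-aaa", "contoso.onmicrosoft.com",
        "eyJ.sample.token", "https://xg.example.com/logout-done")
    print(header)
    print(url)
    print(handle_front_channel_logout(store, f"iss={EXPECTED_ISS}&sid=sid-2", EXPECTED_ISS))
```

The response to the front-channel logout request should also carry Cache-Control: no-store, and the URL must be reachable from the browser, otherwise the IdP-side sign-out never reaches the app and the local cookie outlives the IdP session, which is the mirror image of the UPN re-use reported above.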