
Azure AD SSO WebAdmin / API permissions


What API permissions do I need for the Azure AD app?

I have reduced it down to the following permissions, which seems to work:

Would that be fine?

What I noticed so far:

- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- after logging out and logging in again, the identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd, I would expect the Azure AD login page to appear again. This happens sporadically, also. Might be a browser or cookie issue, they should be deleted upon logout. I do not have the same issue with other applications set up on the Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,


  • Hi,

    one downside would be the lack of functionality of the "Logout" button in XG WebAdmin. It basically does nothing except terminate the associated tomcat session, if I understood it right so far.

    It only makes sense to send the log out to Azure AD also. Applications should always be able to handle logout requests.

    Kind regards,

