Sophos ZTNA: Access Sophos Firewall Web Admin from ZTNA (Part 2: Set up a Directory Service)

DisclaimerThis information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This Recommended Reads is Part 2 of the Series "Access the Sophos Firewall Web Admin from ZTNA.
Note: The information in this Recommended is relevant to Setting up a Directory Service in Azure and a Security without following the full series.


Administrator rights to access Azure AD (Entra)

Setup a Directory Service

The Directory Service is used to manage the users and groups that you will give access to.

I am using Microsoft Entra ID, better known as Azure AD, which is also the Identify Provider I will be using.

First access Azure 

Go to Microsoft Entra ID

If you already have a tenant, you can skip the next step, if you don't click Add Tenant,

Select a tenant type = Microsoft Entra ID

Organization name = (Your Organization name (domain))

Initial Domain name = ( that will end up as

Next, we need to register the ZTNA App

Go to Manage > App Registrations 

And click + New Registration 

Name = ZTNA APP (or something meaningful)

Supported Account Types =  Accounts in this organizational directory only (yourdomain only - Single tenant)

Redirect URI = Web

Redirect URI (text box) =

NOTE: The above step (Redirect URI (text box)) is very important since we’re setting up ZTNA in Gateway mode = Sophos Cloud,  (the Sophos Firewall as the ZTNA Gateway); this URL will also work as the ZTNA Portal (The URL the user will enter in their browser to access Agentless apps in ZTNA).

API Permissions

Within the APP you just created, go to API Permissions.


Click + Add a Permission.

In the new side window that opened (Request API permissions) click Microsoft Graph

First, click Application Permissions

in the text box, search for the below and select it

  • Directory.Read.All

Then, click Delegated Permissions 

in the text box, search for the below and select it (you can enter in the text box the name as it is)

  • Directory.Read.All
  • Group.Read.All
  • openID
  • profile (profile is in the openID set of permissions)
  • User.Read
  • User.Read.All

You should end up with the following list (make sure the Type matches)

Note: if you fail to add any of the above permissions, your users will get errors when trying to authenticate

Next, click Grant Admin consent for 

The status of all the API, would change to Granted

Next, we need to create a secret in Azure; this is so the app can identify itself to the authentication service when receiving the token at the URL we provided above.

In the same App Go to Overview

Then go to Client Credentials: Add a certificate or secret.

Client Secrets

+ New Client Secret

In the new side window that opens, enter a Description

Description = ZTNA APP Secret

Expires = Recommended: 180 days (6 months)


and click Add

Note: Every 6 months, you’ll need to regenerate the secret

WARNING: Take a screenshot or copy the Value field ID, as once you move from the window, the Value field won’t show the Value entry, and you need to add this to Sophos Central.

Back to the Certificates & Secrets screen, you’ll see the recently created secret; copy the Value and Secret ID in your Notepad++ for the time being

Create an Azure AD Group (Microsoft Entra ID group) 

Note: If you already have a group, you don't need to follow this step, just make sure to copy the Object ID of the group you want to use. 

Go to Azure Active Directory

Click Groups

Click New Group

New Group 

Group type = Security

Group Name = ZTNA 

And add users by clicking "No members selected"

A new side window will show, search, and select the users that will belong to this group

Once you select your users, click Select and then Create (IF you don't see your group refresh your page)

Please make a note of the object ID as we will need it, to add the group to Sophos Central.

[edited by: emmosophos at 11:16 PM (GMT -8) on 10 Nov 2023]