Getting Started With Directory Synchronization
[Additional Information]
April 2024
Version: 5.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 10 minutes
In this chapter you will learn how to get started using directory synchronization with Windows Active
Directory and Microsoft Entra ID.
[Diagram: Windows Active Directory (Domain Controller, server with AD Sync) → Sophos Central; Microsoft Entra ID → Sophos Central; Google Directory → Sophos Central]
Sophos Central supports one-way synchronization of users and groups from Microsoft Windows Active
Directory, Microsoft Entra ID, and Google Directory.
For Windows Active Directory synchronization, a small tool is installed on a server that can connect to
the domain controller.
For Microsoft Entra ID and Google Directory synchronization, Sophos Central is the synchronization
tool and will connect directly to Azure or Google to perform synchronization. Please note that Google
Directory synchronization is only available if your license includes Sophos Email.
[Additional Information]
Microsoft Entra ID is the new name for Microsoft Azure AD.
Synchronization with Google Directory help documentation:
https://doc.sophos.com/central/Customer/help/en-us/PeopleAndDevices/DirectoryService/SetUpSynchronizationWithGoogleDirectory/index.html
Directory Synchronization
Configuration options
You can synchronize users and groups from multiple sources as well as synchronize devices, device
groups, public folders, and mailboxes from Active Directory.
You can synchronize multiple Microsoft Entra ID domains to Sophos Central as well as synchronize
devices and device groups from a Windows Active Directory and users and user groups from Microsoft
Entra ID or from Google Directory for the same domain. You can also synchronize Windows Active
Directory for different domains in the same forest, selecting multiple child domains in a single forest.
Directory Synchronization
Restrictions
There are a few restrictions when synchronizing a directory. You are unable to synchronize users or
email addresses to multiple Sophos Central admin accounts. Users and email addresses must be
unique in each Sophos Central account. You cannot synchronize multiple Active Directory sources for
the same domain or synchronize users using both Windows Active Directory and Microsoft Entra ID
from the same domain. It is not possible to synchronize from more than 25 sources.
We will start with the configuration of Windows Active Directory synchronization. First, navigate to
General Settings > Directory service and select Download AD Sync installer.
The AD Sync Utility uses a small background service installed on a Windows device in your
organization’s domain. This service performs regular one-way synchronization to pull selected users
and groups from your Active Directory and uploads them to Sophos Central.
The AD Sync Utility can be installed on a Domain Controller, alternatively, it can be installed onto any
Windows device that is part of the domain and can connect to the Domain Controller.
[Screenshots: Sophos Credentials; the installer completes installation and the AD Sync Utility Tool is ready to configure]
Once the installer has been downloaded, run, and installed, the Active Directory Sync Utility tool will
launch automatically ready for configuration.
[Screenshot: Sophos Credentials page; configure a proxy manually if it is required]
First, you must set up the connection to your Sophos Central account. This is done using API
credentials with the ‘Service Principal Directory Sync’ role.
The next step is to configure the connection to your Active Directory. We strongly recommend using a
secure LDAP connection to the Domain Controller.
You will need to provide the hostname or IP address of the Domain Controller, the port number, which
will be pre-populated but can be edited, and user credentials.
The user does not need administrative rights; any domain user that can read the directory is
sufficient.
AD Sync Utility can gather and synchronize information from multiple domains within a forest,
however, as you can only configure a single set of credentials, you cannot synchronize from unrelated
domains.
If you do need to synchronize data from unrelated domains, you will need to install the AD sync utility
tool on a device in each domain.
By default, the AD sync utility will search the entire domain and synchronize everything. You can
control the types of objects that are synchronized using the four checkboxes highlighted here. The
options are to sync devices, sync organizational units, sync users and groups, and sync public folders.
These can be managed by configuring search bases and filters for users and groups. This can be
particularly useful if you are working with a large domain. This is done by clicking Define Filters…
In the majority of environments Sophos recommends that you configure the AD Sync Utility to
synchronize daily; however, you may want to ensure that any filters and settings work as expected
before enabling the schedule.
You can review all the changes that will be made before committing them. The tabs indicate how
many users, groups, devices, and organizational units will be synchronized and splits them into
additions, deletions, and modifications. This allows you to confirm that your configuration is working
as expected. Once you approve the changes you can preview and synchronize the data with Sophos
Central.
In Sophos Central, the directory will be listed with the synchronization status.
https://training.sophos.com/ce/simulation/ADSync/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Merging Users
[Diagram, step 2: AD Sync Utility synchronizes users from Active Directory]
In some cases, AD Sync Utility may be set up after some users have been created manually; for
example, users that were created during an evaluation or pilot phase.
In this case, AD Sync Utility will merge the users from AD with existing users if their email addresses
match. This will also apply to users that are created automatically when a domain name and logon
name of the user matches.
For example, the user Anne Green in Sophos Central is merged with the user Anne Green from Active
Directory.
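The merge rule above, together with the additions/merges preview described earlier and the restriction that email addresses must be unique within a Sophos Central account, as an added example (not Sophos code; the user records and sample data are constructed, and the match order, email first then domain plus logon name, follows the text):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    email: str        # compared case-insensitively
    domain: str = ""  # e.g. "corp.example.com"; empty for manually created users
    logon: str = ""   # logon name in that domain; empty for manually created users

def email_key(user):
    return user.email.strip().lower()

def logon_key(user):
    # Only a user with both a domain and a logon name can match on this key.
    if user.domain and user.logon:
        return (user.domain.lower(), user.logon.lower())
    return None

def preview_merge(central, ad):
    """Classify synced AD users as merged into an existing Central user or added as new.
    Match order follows the page: email address first, then domain + logon name.
    Emails must be unique in a Sophos Central account, so duplicates within the
    synced set are reported rather than silently merged."""
    counts = {}
    for user in ad:
        counts[email_key(user)] = counts.get(email_key(user), 0) + 1
    duplicates = sorted(k for k, n in counts.items() if n > 1)
    by_email = {email_key(u): u for u in central}
    by_logon = {logon_key(u): u for u in central if logon_key(u)}
    merged, added = [], []
    for user in ad:
        existing = by_email.get(email_key(user)) or by_logon.get(logon_key(user))
        if existing:
            merged.append((existing, user))
        else:
            added.append(user)
    return {"merged": merged, "added": added, "duplicate_emails": duplicates}

# Constructed sample data: Anne was created manually during a pilot and matches on
# email; Bob matches on domain + logon name; Carl is new; two AD entries share an email.
CENTRAL_USERS = [User("Anne Green", "anne.green@example.com"),
                 User("Bob Ray", "bob@example.com", "corp.example.com", "bray")]
AD_USERS = [User("Anne Green", "Anne.Green@example.com", "corp.example.com", "agreen"),
            User("Bob Ray", "bob.ray@example.com", "corp.example.com", "bray"),
            User("Carl Dee", "carl@example.com", "corp.example.com", "cdee"),
            User("Dana Fox", "CARL@example.com", "corp.example.com", "dfox")]
if __name__ == "__main__":
    for kind, items in preview_merge(CENTRAL_USERS, AD_USERS).items():
        print(kind, items)
```

Run the preview against your own export before enabling the daily schedule; a non-empty duplicate_emails list is the case the uniqueness restriction would reject.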
Let’s look at getting started if you have chosen to use a Microsoft Entra ID synchronization with
Sophos Central.
From the ‘Directory service’ page, select Add directory service. Enter the name of the service and
select the ‘directory type’ from the drop-down menu. You must enter the domain you are going to
synchronize.
Once you have entered the details, you will see the synchronization schedule allowing you to
determine how often the directory will be synchronized with Sophos Central.
In the configuration section, you can view the instructions on how to configure an app in Azure so that
Sophos Central can connect to your Microsoft Entra ID. We will cover these steps in a moment.
Once you have configured the directory you will have four pieces of information. These are required to
allow Sophos Central to connect; the Client ID, client secret, tenant domain, and client secret
expiration date.
[Additional Information]
https://docs.sophos.com/central/Customer/help/en-us/PeopleAndDevices/DirectoryService/SetUpSynchronizationWithAzureAD/AddAzureApplication/index.html
Azure directory configuration is completed in four steps: first, create an Azure application; second,
create a client secret; third, configure application permissions; and lastly, locate your tenant domain
information.
The first step is to create, or register, an application in Microsoft Entra ID. This can be done by
selecting App registrations > New registration.
In the ‘Redirect URI’ section add a Web URI for https://central.sophos.com. You can now register the
new application.
In the app registration you created, select Certificates & secrets, then click New client secret. Select
how long the secret will be valid and click Add.
You need the value of the secret and the expiry date. Make a note of these and keep them safe. The
secret value is only shown once when you create it and cannot be shown again.
You then need to configure the permissions for your app registration. Select API permissions in the
left-hand menu.
You will see a default permission here; this can be removed. You need to add the Application
permission for Microsoft Graph > Directory.Read.All, then click Grant admin consent for your Azure
AD.
Finally, you need to locate two further pieces of information. First, the ‘Client ID’ of your app
registration, and second the primary domain, which can be found on the overview page of your Entra
ID.
Using the information gathered you can configure the directory synchronization in Sophos Central.
Ensure that you enter the client secret value not the client secret ID in the client secret field. Enter the
required details then click Test Connection to validate the details entered.
You can optionally filter the users and groups that will be synchronized.
To finish, select Turn On at the top of the page to save and turn on the source. You can select Save,
which will save the configuration changes but not apply them.
Once you have turned the synchronization on, you can manually synchronize users or test the
connection.
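A pre-flight check for the four values gathered in the steps above, as an added example (not Sophos or Microsoft code): it flags a secret ID pasted where the secret value belongs, an expired or soon-expiring secret, and a manifest that requests Directory.Read.All as a Delegated rather than Application permission. The Microsoft Graph resource ID and the Directory.Read.All application role ID are Microsoft's published values; the 30-day rotation warning and the sample manifest fragment are assumptions.

```python
import json
import re
from datetime import date, timedelta

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"            # Microsoft Graph resource
DIRECTORY_READ_ALL_ROLE = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All (Application)

def check_central_inputs(client_id, client_secret, expiry, tenant_domain, today=None, warn_days=30):
    """Return a list of problems with the four values Sophos Central asks for."""
    today = today or date.today()
    problems = []
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID; copy the Application (client) ID from the app overview")
    if GUID_RE.match(client_secret):
        # Secret IDs are GUIDs; the secret value is not. Central needs the value.
        problems.append("client secret looks like the secret ID, not the secret value")
    if expiry <= today:
        problems.append("client secret has already expired")
    elif expiry - today <= timedelta(days=warn_days):
        problems.append(f"client secret expires within {warn_days} days; plan rotation")
    if not DOMAIN_RE.match(tenant_domain):
        problems.append("tenant domain is not a DNS name; use the primary domain from the Entra ID overview")
    return problems

def manifest_grants_directory_read(manifest_json):
    """True if the app manifest requests Directory.Read.All as an Application permission
    (type "Role"), not the Delegated variant (type "Scope"). Admin consent is granted
    in the portal and is not recorded in the manifest, so check that separately."""
    manifest = json.loads(manifest_json)
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("id") == DIRECTORY_READ_ALL_ROLE and access.get("type") == "Role":
                return True
    return False

# Constructed manifest fragment in the shape exported from the app registration's Manifest page.
SAMPLE_MANIFEST = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": GRAPH_APP_ID,
     "resourceAccess": [{"id": DIRECTORY_READ_ALL_ROLE, "type": "Role"}]}]})

if __name__ == "__main__":
    print(check_central_inputs("not-a-guid", "11111111-2222-3333-4444-555555555555",
                               date(2024, 4, 10), "contoso", today=date(2024, 4, 1)))
    print(manifest_grants_directory_read(SAMPLE_MANIFEST))
```

An empty problem list is a necessary, not sufficient, condition: Test Connection in Sophos Central is still the authoritative check that the secret and consent work.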
Chapter Review
To synchronize from Windows Active Directory, you need to install the AD Sync Utility on either a Domain
Controller or another Windows device that is a member of the domain. AD Sync Utility needs API
credentials to connect to Sophos Central and a user to connect to the domain.
To synchronize with Microsoft Entra ID, you must create an app registration in Azure. In the app
registration you need to add a client secret and configure the API permissions with Microsoft Graph
Directory.Read.All application permissions.
Existing users that have an email address that matches a user being synchronized will be merged.
Here are the three main things you learned in this chapter.