June 12, 2026
Entra SSO for SFTP operations: what auditors want to see
Legacy SFTP appliances authenticate with local accounts, shared passwords, and SSH keys stored in spreadsheets. Security teams moved to Entra ID years ago; file-transfer ops often did not follow. When a vendor questionnaire asks how operators access production MFT, "we SSH to a jump box" is no longer a passing answer.
Why Entra SSO matters for file transfer
OIDC federation ties MFT console access to the same identity lifecycle as email and SaaS apps. When someone leaves the company, disabling their Entra account revokes MFT access in minutes — not after someone remembers to delete their SFTP key from three servers. Conditional Access policies (device compliance, location, risk-based step-up) apply uniformly instead of living only on the corporate laptop.
Auditors map this to ISO 27001 A.5.15 (access control) and A.5.16 (identity management). They want evidence: SSO configuration screenshot, group-to-role mapping, and a sample access-review export showing quarterly recertification.
What does not count as SSO
Synchronizing passwords from LDAP into an appliance is not SSO — it is replicated credentials with extra failure modes. "We use the same username as Entra" without federation is a naming convention, not a control. Per-protocol service accounts for automated jobs are fine; human operators must not share them.
Pair SSO with MFA and key hygiene
Entra SSO for the admin console does not replace SSH key governance for partner SFTP drops. External partners still connect with keys or passwords on protocol endpoints. Your internal operators should never reuse partner keys. Enforce TOTP MFA on every human account, rotate keys on a schedule, and document who owns each endpoint.
Use our SFTP key rotation planner to estimate annual rotation workload before you commit to a 90-day policy.
Migration path from appliance SFTP
Phase one: federate operator access to the new MFT console via Entra OIDC. Phase two: migrate protocol endpoints and retire local accounts on the old box. Phase three: export per-transfer audit logs that include federated user IDs, not "admin." xEvolve ships Entra SSO and TOTP MFA as defaults — one Environment, no separate identity module.
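As an added example (not xEvolve's code or log format), a check over constructed per-transfer audit records of the kind phase three should export: it flags console actions recorded under local or shared identities and undocumented local accounts on protocol endpoints, while passing federated user IDs and allow-listed service or partner accounts. The field names (ts, actor, idp, protocol, action, path) and every account name are assumptions.

```python
import json

# Constructed sample of per-transfer audit records (JSON lines) of the kind phase
# three should export. Not real xEvolve output; the field names (ts, actor, idp,
# protocol, action, path) and every account name here are assumptions.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-06-01T08:02:11Z","actor":"a.ng@example.com","idp":"entra-oidc","protocol":"console","action":"download","path":"/payroll/run-0601.csv"}
{"ts":"2026-06-01T08:05:40Z","actor":"admin","idp":"local","protocol":"console","action":"delete","path":"/payroll/run-0531.csv"}
{"ts":"2026-06-01T09:00:00Z","actor":"svc-bank-pull","idp":"local","protocol":"sftp","action":"upload","path":"/inbound/ach.txt"}
{"ts":"2026-06-01T09:12:03Z","actor":"partner-acme","idp":"local","protocol":"sftp","action":"upload","path":"/inbound/acme/inv.csv"}
{"ts":"2026-06-01T09:40:19Z","actor":"jdoe","idp":"local","protocol":"sftp","action":"download","path":"/inbound/acme/inv.csv"}
{"ts":"2026-06-01T10:30:22Z","actor":"ops-shared","idp":"local","protocol":"console","action":"config_change","path":"/settings/endpoints"}
"""

# Local accounts that may still exist after migration: per-protocol service
# accounts for automated jobs and external partners on protocol endpoints.
# Constructed allow-list; in practice this is the documented endpoint-owner register.
ALLOWED_LOCAL_ACCOUNTS = {"svc-bank-pull", "partner-acme"}

def find_unfederated_actions(log_text, allowed_local=ALLOWED_LOCAL_ACCOUNTS):
    """Return (actor, reason) for every record not attributed to a federated user ID
    that the allow-list does not explain. Federated console actions pass; allow-listed
    service/partner accounts pass only on protocol endpoints, never on the console."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("idp") == "entra-oidc":
            continue  # federated identity: the evidence auditors want to see
        if rec["protocol"] == "console":
            reason = "console action under local or shared account"
        elif rec["actor"] not in allowed_local:
            reason = "undocumented local account on protocol endpoint"
        else:
            continue  # documented service or partner account on sftp/ftps
        findings.append((rec["actor"], reason))
    return findings

def actors_to_remediate(findings):
    """Distinct local accounts that still act, for the phase-two retirement list."""
    return sorted({actor for actor, _ in findings})

if __name__ == "__main__":
    hits = find_unfederated_actions(SAMPLE_AUDIT_LOG)
    for actor, reason in hits:
        print(f"{actor!r}: {reason}")
    print("retire or federate:", actors_to_remediate(hits))
```

Run the same check against each export before the access review; an empty result on console actions is the evidence that operator access is actually federated rather than merely named like Entra.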