Product and Support News

WatchGuard Cloud Directory for Users and Groups

WatchGuard Cloud Directory for Users and Groups

WatchGuard will launch its Directory to enable customers to manage their users and groups that are not part of an external directory, such as Entra ID (formerly Azure AD), Active Directory, LDAP sources, or Google Cloud Directory for Workspace.

While we recommend that organizations use a cloud directory like Entra ID (Azure AD), or Google Cloud Directory for Workspace we recognize there are cases where these are not applicable or desirable, for example:

  • Very small organizations (fewer than 25 users) and relatively simple access control needs, creating, and managing a cloud domain could be simpler and more cost-effective than implementing a full-fledged directory system.
  • Any sized organization that wants to manage contractors and vendors (third-party access) separately from their employees, managing these users separately from their domain.

With the WatchGuard Cloud Directory, it will be possible to:

  1. Check users’ password against breaches at the moment of the password creation by the user. This prevents known compromised passwords from being created in the first place.
  2. Users and groups are visible throughout the WatchGuard portfolio, important for integrations and upcoming products and services.
  3. Single factor (password) authentication service for new products and services of the WatchGuard portfolio.

As the WatchGuard Cloud Directory evolves in the future, enhancements include:

  1. Enable CSV bulk import for users and groups.
  2. Configurable password requirements and complexity policy.
  3. Device management (in addition to users, groups, resources).
  4. Identity threats visibility, risk scoring (e.g., Password-only without MFA).


Is there any impact in my AuthPoint configuration?

Current and new AuthPoint Multi-factor and AuthPoint Total Identity Security users and groups that are not leveraging   Entra ID (formerly AAD), AD or LDAP directory synchronization will also be created, edited, and deleted through the WatchGuard Cloud Domain when launched.

Due to tighter security requirements for the credential handling in the WatchGuard Cloud Directory, if using a Firebox direct integration with AuthPoint to provide MFA for IKEv2 or L2TP VPN, Fireboxes must be using Fireware version 12.7.2 or above.

RADIUS configurations for IKEv2 and L2TP, need to double-check the MFA options that continue to be supported for authentication policies:

  • Password + Push Notification – This is the recommended configuration.
  • OTP – Option for users that have a hardware token, instead of a mobile token.
  • Password-only - Not recommended, as RADIUS policies do not evaluate risk such as geolocation or network, and provides no identity verification.

As a reminder:  Password + QR Code and Password + OTP are not supported for IKEv2 or L2TP VPN connections.