Double-check Active Directory when creating users. When a new user wants to access our VPN, they must log in using their AD user account. If they do this, a Sophos account is created that has backend sync enabled and all is well.
But often, they use their e-mail address instead. In that case, a local account is created with that e-mail address. This account obviously will not have the proper AD group memberships. Trying to create a new account using only the user ID is then not possible because an account with that e-mail address already exists.
The only solution is that I manually remove this local account.
It would be VERY simple to check the AD also when a full e-mail address is used and if so, create the synced account instead of a local account.
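The check requested above, as an added illustration that is not Sophos code: a login identifier is matched against the short name, the UPN and the mail attribute before any local account is created, so an e-mail address resolves to the synced AD account instead of a fresh local one. The directory is a constructed in-memory snapshot with hypothetical users and domain; the filter string it builds is the one that would be sent over LDAP in a real implementation, and the escaping shows why the identifier must not be pasted into the filter unescaped.

```python
"""Resolve a VPN login identifier against Active Directory before creating
a local account.  Added illustration, not Sophos code: the directory below is a
constructed snapshot and the lookup is a plain Python scan; in production the
same filter string would be sent to AD over LDAP."""
from dataclasses import dataclass, field
from typing import List

# Constructed AD snapshot (assumption: these three attributes are what a VPN
# appliance would match on).  Hypothetical users and domain.
AD_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "mail": "john.doe@corp.example",
     "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "mail": "a.smith@corp.example", "memberOf": []},
]


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515), so an identifier such as '*)(objectClass=*' cannot widen
    the search to every object in the directory."""
    escapes = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(escapes.get(ch, ch) for ch in value)


def build_filter(identifier: str) -> str:
    """Match the typed identifier against the short name, the UPN and the
    mail attribute, so 'jdoe', 'jdoe@corp.example' and
    'john.doe@corp.example' all resolve to the same AD object."""
    v = ldap_escape(identifier.strip())
    return f"(|(sAMAccountName={v})(userPrincipalName={v})(mail={v}))"


@dataclass
class Resolution:
    kind: str                      # "ad" (backend-synced) or "local"
    account: str                   # canonical account name to create
    groups: List[str] = field(default_factory=list)


def resolve_login(identifier: str, directory=AD_USERS) -> Resolution:
    """Return the AD account for an identifier if one exists (so a synced
    account is created), otherwise fall back to a local account.  Matching
    is case-insensitive, as it is in AD itself."""
    needle = identifier.strip().lower()
    if not needle:
        raise ValueError("empty identifier")
    for entry in directory:
        names = (entry["sAMAccountName"], entry["userPrincipalName"], entry["mail"])
        if needle in (n.lower() for n in names):
            # Canonicalise on sAMAccountName so the same person cannot end
            # up with both a synced and a local account.
            return Resolution("ad", entry["sAMAccountName"], list(entry["memberOf"]))
    return Resolution("local", identifier.strip())


if __name__ == "__main__":
    for ident in ("jdoe", "JDoe@corp.example", "john.doe@corp.example",
                  "contractor@partner.example"):
        r = resolve_login(ident)
        print(f"{ident:28} -> {r.kind:5} {r.account:12} groups={r.groups}")
```

Only an identifier that matches none of the three attributes falls through to a local account, which is the behaviour the post asks for; a real implementation would send `build_filter(...)` to the domain controller rather than scanning a list.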