https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/586987#M5365 <P>We have setup Globalprotect to connect to EntraID using SAML. Our goal is to have the user get prompted to enter in MFA everytime they connect to the GlobalProtect portal. How can I do this?&nbsp;</P> Thu, 16 May 2024 16:42:42 GMT asiewert 2024-05-16T16:42:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/586987#M5365 <P>We have setup Globalprotect to connect to EntraID using SAML. Our goal is to have the user get prompted to enter in MFA everytime they connect to the GlobalProtect portal. How can I do this?&nbsp;</P> Thu, 16 May 2024 16:42:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/586987#M5365 asiewert 2024-05-16T16:42:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/587044#M5366 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108558">@asiewert</a> ,</P> <P>&nbsp;</P> <P>I believe the default authentication cookie lifetime in Entra is 90 days.&nbsp; I think these are the steps to change it for your PANW GP application in Entra.</P> <P>&nbsp;</P> <OL> <LI>Enterprise Applications &gt; open your GP app</LI> <LI>Protection &gt; Conditional Access</LI> <LI>New Policy</LI> <LI>Access controls &gt; Session</LI> <LI>Sign-in frequency &gt; Periodic reauthentication</LI> </OL> <P><A href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime</A></P> <P>&nbsp;</P> <P>I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway.&nbsp; That keeps users from being prompted for MFA by the portal <EM>and</EM> gateway.&nbsp; If you want Entra to prompt them every time, 5 minutes should be good.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 16 May 2024 22:50:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/587044#M5366 TomYoung 2024-05-16T22:50:20Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/587653#M5377 <P>I think the session sign-in frequency is key! I believe this is working for us now. Have not tested it extensively, but every time a user logs into GlobalProtect, EntraID will prompt them for multifactor now.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="asiewert_0-1716391076287.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59988i4849DF15B9E0A81D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="asiewert_0-1716391076287.png" alt="asiewert_0-1716391076287.png" /></span></P> <P>&nbsp;</P> Wed, 22 May 2024 15:19:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-mfa-prompt-everytime-a-user-logs-in/m-p/587653#M5377 asiewert 2024-05-22T15:19:25Z