<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting! in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-vpn-with-saml-azure-mfa-no-login-prompt-after/m-p/1235028#M6936</link>
    <description>&lt;DIV class="text-neutral-content"&gt;
&lt;DIV class="mb-sm  mb-xs px-md xs:px-0 overflow-hidden" data-post-click-location="text-body"&gt;
&lt;DIV id="t3_1md41rt-post-rtjson-content" class="md text-14-scalable" style="--emote-size: 20px;"&gt;
&lt;P&gt;Hey there,&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;I have an issue trying to implement GlobalProtect authentication via Azure MFA SAML. Our goal is that the user is asked to log in with MFA every time he tries to connect to our portal, which doesn't work. Basically, the first time the user tries to connect to our portal, the user gets redirected via his browser to the Microsoft login page and asked to log in with his user and MFA, which works fine, as expected. &lt;BR /&gt;&lt;BR /&gt;But when the user disconnects from GlobalProtect, logs off his user in Windows or even restarts the computer, the user is not prompted anymore when he connects to our portal, meaning there is no authentication prompt whatsoever for an infinite time, which is a security risk for us. The only way the user is redirected to Microsoft again to authenticate is if the user has connected to another portal in between.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Things I tried:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;P&gt;I turned off any authentication cookie override settings on the firewall&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;set the Conditional Access policy sign-in frequency (under session) to every time in Azure&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;deleted browser caches&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;But nothing seems to work! So, checking the Azure sign-in logs, I found out that the second login is satisfied with &lt;STRONG&gt;"Primary Refresh Token"&lt;/STRONG&gt;. So it seems like even after disconnecting from GlobalProtect the token is saved somewhere and used for all further logins. Reading on the internet, it seems like this token is valid for weeks or even months? Furthermore, there is no way to set ForceAuth=true to force reauthentication from our firewall to Microsoft, because there is no checkbox or field I can see in the authentication profile.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Does anyone have an idea how in the world I'm able to force users to use their Microsoft login with MFA every time they try to connect to our portal via GlobalProtect?&lt;/P&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;</description>
    <pubDate>Wed, 30 Jul 2025 11:33:29 GMT</pubDate>
    <dc:creator>Wimazal</dc:creator>
    <dc:date>2025-07-30T11:33:29Z</dc:date>
    <item>
      <title>Globalprotect VPN with SAML Azure + MFA - no login prompt after disconnecting!</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-vpn-with-saml-azure-mfa-no-login-prompt-after/m-p/1235028#M6936</link>
      <description>&lt;DIV class="text-neutral-content"&gt;
&lt;DIV class="mb-sm  mb-xs px-md xs:px-0 overflow-hidden" data-post-click-location="text-body"&gt;
&lt;DIV id="t3_1md41rt-post-rtjson-content" class="md text-14-scalable" style="--emote-size: 20px;"&gt;
&lt;P&gt;Hey there,&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;I have an issue trying to implement GlobalProtect authentication via Azure MFA SAML. Our goal is that the user is asked to log in with MFA every time he tries to connect to our portal, which doesn't work. Basically, the first time the user tries to connect to our portal, the user gets redirected via his browser to the Microsoft login page and asked to log in with his user and MFA, which works fine, as expected. &lt;BR /&gt;&lt;BR /&gt;But when the user disconnects from GlobalProtect, logs off his user in Windows or even restarts the computer, the user is not prompted anymore when he connects to our portal, meaning there is no authentication prompt whatsoever for an infinite time, which is a security risk for us. The only way the user is redirected to Microsoft again to authenticate is if the user has connected to another portal in between.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Things I tried:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;P&gt;I turned off any authentication cookie override settings on the firewall&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;set the Conditional Access policy sign-in frequency (under session) to every time in Azure&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;deleted browser caches&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;But nothing seems to work! So, checking the Azure sign-in logs, I found out that the second login is satisfied with &lt;STRONG&gt;"Primary Refresh Token"&lt;/STRONG&gt;. So it seems like even after disconnecting from GlobalProtect the token is saved somewhere and used for all further logins. Reading on the internet, it seems like this token is valid for weeks or even months? Furthermore, there is no way to set ForceAuth=true to force reauthentication from our firewall to Microsoft, because there is no checkbox or field I can see in the authentication profile.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Does anyone have an idea how in the world I'm able to force users to use their Microsoft login with MFA every time they try to connect to our portal via GlobalProtect?&lt;/P&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;</description>
      <pubDate>Wed, 30 Jul 2025 11:33:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-vpn-with-saml-azure-mfa-no-login-prompt-after/m-p/1235028#M6936</guid>
      <dc:creator>Wimazal</dc:creator>
      <dc:date>2025-07-30T11:33:29Z</dc:date>
    </item>
  </channel>
</rss>