topic Re: AZURE Entra MFA for admin access via CLI in Next-Generation Firewall Discussions

AZURE Entra MFA for admin access via CLI

Carleton — Thu, 22 May 2025 15:16:41 GMT

We are easily able to setup MFA for the Web UI for the management port vial SAML and Entra SAML auth. We have run into some challenges I was surprised exist. First here are the requirements and goals

PA VM series firewalls in AZURE.
No On prem AD, ISE or Kerberos dependencies. Our goal it to be 10)% clouds based.
MFA to manage the PA for both web UI and CLI.

Problem

We have not been able to find a way to leverage SAML or other MS Entra solutions to lock down the Managment port access for both WEBV and CLI, SAML Auth only works with the web UI. Every other solution we have found involves buying a one off solution Just for the PA - unacceptable.
Second the built-in admin account can't be disabled or MFA forced to use the account. I cant believe the main supersuser account cant be locked down or disabled.

Re: AZURE Entra MFA for admin access via CLI

TomYoung — Tue, 27 May 2025 13:32:56 GMT

Hi @Carleton ,

I don't know why PANW does not allow SAML for CLI access. https://docs.paloaltonetworks.com/compatibility-matrix/reference/mfa-vendor-support

You could do MFA with a local NPS server pointed to Entra. That is not 3rd party but it does require a local server. https://learn.microsoft.com/en-us/entra/architecture/auth-radius

I have not tested it, but this person has found a way to not allow the local account to work if RADIUS is up. https://live.paloaltonetworks.com/t5/general-topics/local-authentication-should-not-work-if-when-radius-is-available/td-p/511849 EDIT2: @reaper may have a simpler way -> https://live.paloaltonetworks.com/t5/next-generation-firewall/to-force-ngfw-login-using-saml-sso/td-p/1229870.

However, you cannot use SAML in an authentication sequence. Again, RADIUS to NPS would solve that problem.

I think you have valid points. The solution would be to ask your PANW SE to create feature requests. I don't think the business units look at this forum for ideas.

Thanks,

Tom

EDIT: The RADIUS users may have to log onto the GUI 1st before the CLI will work. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3qCAC

Re: AZURE Entra MFA for admin access via CLI

reaper — Mon, 02 Jun 2025 13:08:39 GMT

I think @TomYoung provided you with some good pointers regarding the SAML auth, but i'm wondering about your second question

are you logged in as the 'admin' account when you try to change it?

unless you set the admin account up in a bootstrap and are rebooting the vm all the time and calling the bootstrap to rebuild the admin account, the default "admin" account is not locked. You can delete it, rename it, change it any way you like if you first create and log in as a different superuser

Re: AZURE Entra MFA for admin access via CLI

Carleton — Mon, 09 Feb 2026 15:23:07 GMT

I am aware of NPS and these methods which I am trying to get away from them. The new CIE is a hack at best too. I really don't understand why Palo Alto releases so many half baked solutions