topic Re: Get the info "Users login in Azure domain" to use in policy by groups in General Topics

Get the info "Users login in Azure domain" to use in policy by groups

BigPalo — Tue, 23 Sep 2025 14:56:56 GMT

We are migrating onpremise AD to AZUREAD. The doubt is that these users going to AzureAD and all the info (source name and group belong) can not be retrieved by the FW (as UIA did on premise mode). So how can get the info (users/groups) from AzureAD to configure policy source groups in Palo Alto? We doesnt have any SAML IdP configured in Palo Alto.

Re: Get the info "Users login in Azure domain" to use in policy by groups

TomYoung — Tue, 23 Sep 2025 20:57:56 GMT

Hi @BigPalo ,

CIE can get you the user-to-group mappings. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine

You would need another method to get user-to-IP mappings such as GlobalProtect with Internal Host Detection, Authentication Portal, integration with network login server, etc. https://docs.paloaltonetworks.com/ngfw/administration/user-id/user-id-overview (Scroll down to picture.)

Thanks,

Tom

Re: Get the info "Users login in Azure domain" to use in policy by groups

BigPalo — Wed, 24 Sep 2025 12:52:28 GMT

I found this nice link to configure the CIE. I will follow it to get the LDAP directory.

Related to mappings users/IP. What it would be the less impact way to do it for users which only authenticate in ENTRAID?

i understand GP will cause users instaling clients so its discarded. So what would be a good and no t intrusive method for users?

thanks

Re: Get the info "Users login in Azure domain" to use in policy by groups

BPry — Thu, 25 Sep 2025 14:09:56 GMT

@BigPalo,

Kind of two different ways to do this that are going to do essentially the same thing. You could enforce GlobalProtect for network access and use an internal gateway to tie the authentication to Entra ID through SAML SSO, or you utilize an authentication portal with SAML SSO to Entra ID to do effectively the same thing just through the browser solely itself.

The reason I personally don't love just using an authentication policy and the authentication portal is that a user only using apps like Slack, Webex, or Teams won't actually immediately be redirected to the portal. It works fine if your users live in a browser all day, but GlobalProtect is the most straightforward solution in this case. It's a good stop-gap if we're talking about personal machines here, but if these are company owned endpoints just push the agent through Intune and be done with it would be my suggestion.

Re: Get the info "Users login in Azure domain" to use in policy by groups

TomYoung — Thu, 25 Sep 2025 15:12:11 GMT

Hi @BigPalo ,

As @BPry said, GlobalProtect is going to be one of the most effective solutions. There are other options depending upon your environment. For example, in my company everyone has to log into the network (802.1x) whether it is wired or wireless. So, I have their identity in my RADIUS server. I forward the authentication logs to a firewall, then I redistribute them to the other firewalls. That works very well for me. Please also take a look at the User-ID Overview URL I posted above. One of those solutions could work in your environment.

Thanks,

Tom

Re: Get the info "Users login in Azure domain" to use in policy by groups

BigPalo — Thu, 16 Oct 2025 08:31:27 GMT

Im trying with SAML and auth policy and captive portal but im getting errors in decryption and these stuffs.

Do you have any link about how to configure this SAML authportal..?