topic Re: Configure VPN GP wit Microsoft Authenticator in General Topics

Configure VPN GP wit Microsoft Authenticator

BigPalo — Fri, 06 Feb 2026 09:45:37 GMT

Hi,

i would like to configure my VPN using MAuthenticator. Anyone has a guide for this?

i was checking this link but im not sure if this config should be used if you have EntraID AD in the cloud or not:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial

We have AD in server onpremise.

Re: Configure VPN GP wit Microsoft Authenticator

BPry — Fri, 06 Feb 2026 22:49:22 GMT

@BigPalo,

So with on-premise AD without Entra setup at all you don't want to follow these instructions. You would want to setup GlobalProtect from the sounds of it with an TOTP capable app and what your instructions are trying to do is establish Entra as a SAML provider.

Unfortunately there's not a super straightforward way to accomplish this. I know that you used to be able to do this for free with a combination of FreeRADIUS and it's PAM module and that it worked well. Whether that's still actively being supported and maintained or not I don't have any recent experience with.

https://networkjutsu.com/freeradius-google-authenticator/

Re: Configure VPN GP wit Microsoft Authenticator

TomYoung — Sun, 08 Feb 2026 00:41:27 GMT

Hi @BigPalo ,

I have setup GP with Entra ID with MFA using those instructions. I have also set it up for customers. There is one error that needs to be corrected. Two of the URLs need to have the :443 as identified in red in this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE.

Thanks,

Tom

Re: Configure VPN GP wit Microsoft Authenticator

zeldabrady98 — Fri, 13 Feb 2026 05:13:48 GMT

The Microsoft Learn article you referenced—“Tutorial: Azure AD integration with Palo Alto Networks GlobalProtect”—is specifically designed for cloud-only or hybrid identity environments using Microsoft Entra ID (formerly Azure Active Directory) as the identity provider (IdP) for SAML-based authentication to GlobalProtect.

Since you mentioned that your organization uses on-premises Active Directory (AD) and did not indicate a cloud-based Entra ID setup (e.g., no synchronization via Azure AD Connect or cloud-only users), this guide may not be directly applicable unless you have already configured federation between your on-premises AD and Entra ID (e.g., using AD FS or another SAML IdP integrated with Entra ID).

Key Considerations:

Authentication Architecture:
- If your VPN (e.g., Palo Alto Global Protect) authenticates users directly against on-premises AD (via LDAP, RADIUS, or Kerberos), then Microsoft Authenticator (or Authenticator) would typically not be involved unless you layer Multi-Factor Authentication (MFA) on top.
- To use Microsoft Authenticator for MFA, you generally need Microsoft Entra ID (with P1/P2 licenses) or Azure MFA Server (now deprecated). Since Azure MFA Server is retired, modern deployments rely on Entra ID-based MFA.
On-Premises AD + MFA Options:
- If you wish to keep authentication on premises but still use Microsoft Authenticator for MFA, you have two main paths:
  - Option A: Deploy Active Directory Federation Services (AD FS) on-premises and integrate it with Entra ID (hybrid identity). Then configure GlobalProtect to use Entra ID (via SAML) as the IdP, which triggers MFA via Microsoft Authenticator.
  - Option B: Use RADIUS with Network Policy Server (NPS) extended by the Azure MFA NPS extension. This allows on-premises RADIUS clients (like firewalls) to trigger MFA challenges via Microsoft Authenticator through Entra ID, while primary authentication remains against on-prem AD.
Relevant Documentation:
- For Option B (NPS Extension):
  Azure Multi-Factor Authentication NPS extension
- For Option A (SAML + Entra ID):
  The GlobalProtect tutorial you linked is appropriate only if you route authentication through Entra ID.

Recommendation:

If you do not currently use Entra ID and authenticate solely against on-prem AD, the linked tutorial is not suitable as-is.
To leverage Microsoft Authenticator, you will need to integrate your on-prem AD with Entra ID (typically via Azure AD Connect) and enable Entra ID MFA.
Once that foundation is in place, you can choose either the SAML (cloud-first) or RADIUS/NPS (on-prem-first) approach based on your network architecture and security policies.