topic Re: Connect Palo Alto with Azure AD in General Topics

Connect Palo Alto with Azure AD

Matias_Cova — Tue, 13 Dec 2016 15:32:36 GMT

Hi, It's possible make this integration? Is the same configuration like a Windows Server AD?, I didn't found any article that talks o explain this topic.

thanks in advance

Mats

Re: Connect Palo Alto with Azure AD

BPry — Tue, 13 Dec 2016 17:50:08 GMT

It should be the same configuration you just need to feed it the proper address and make sure that your service route or mgmt port can access the Azure server.

Re: Connect Palo Alto with Azure AD

pulukas — Thu, 15 Dec 2016 13:10:06 GMT

The Azure AD product is not a full AD server but a linked authentication device using federated services. The PA AD connector relies on seeing the actual AD log messages so I don't believe this will work with the Azure AD product. In this scenario your better option would be to connect to the company internal AD servers that make the federated connection to Azure AD.

But if you run a virualized AD server in the Azure VM environment you could connect using the normal methods.

Re: Connect Palo Alto with Azure AD

BPry — Thu, 15 Dec 2016 15:35:33 GMT

I always forget that Azure AD is an actual thing; and that it isn't just an AD server hosted on Azure.

Re: Connect Palo Alto with Azure AD

jgrote — Wed, 21 Dec 2016 20:21:28 GMT

Azure AD Domain Services is now GA, so if you're willing to pay for it, you could do LDAP auth against that: https://azure.microsoft.com/en-us/services/active-directory-ds/

But you can't do transparent UserID because you have no "domain controller" to read events from.

Re: Connect Palo Alto with Azure AD

dhuising — Mon, 18 Dec 2017 19:43:35 GMT

Our clients using Azure AD as a service as their primary identity source need the firewall to populate Azure AD user to real (e.g. LAN RFC 1918) mappings. Using captive portal with Azure SAML SSO (as described in the following Microsoft Article) worked best for me.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-paloaltoglobalprotect-tutorial

We are greatful to Palo Alto and Microsoft for including this feature.

Parsing Azure syslogs may not be the best option as they logs the public IP rather than the real IP of the user / device. Therefore we would not be able to differentiate users / devices NATed behind the same public IP.

Re: Connect Palo Alto with Azure AD

pulukas — Tue, 19 Dec 2017 13:13:19 GMT

Thanks for the update, really happy to see this feature added to Azure.

Re: Connect Palo Alto with Azure AD

LarsAtConsigas — Tue, 30 Jun 2020 07:22:31 GMT

We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021) starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile"