https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/299945#M78433 <P>We noticed that the authentication profile can also get a value for the user group. But reading the documentation, we found that PaloAlto only uses this to match authenticating users against Allow List entries and not for policies or reports.</P><P>&nbsp;</P><P>The only thing missing is that PaloAlto allow the use of the user group that can be pass by AzureAD on Policies.</P><P>&nbsp;</P> Thu, 21 Nov 2019 11:34:17 GMT Marcaria-Infrastructure 2019-11-21T11:34:17Z https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/248605#M70718 <P>Hi all,</P><P>&nbsp;</P><P>I've setup SAML SSO based authentication to global protect with Azure Active Directory. I'm wondering if i can take this a step further by using internal global protect gateways and using global protect for USER-ID?&nbsp;</P><P>&nbsp;</P><P>If i did this, how would i go about setting up user based policies on the palo? effectively allowing me to allow/deny traffic based off Azure Active directory user or group?</P><P>&nbsp;</P><P>Apologies if i've missed something obvous within the documentation.&nbsp;</P><P>&nbsp;</P><P>cheers</P><P>&nbsp;</P><P>Tom</P> Sat, 02 Feb 2019 19:37:03 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/248605#M70718 TomDow 2019-02-02T19:37:03Z https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/255249#M72433 <P>My environment is already on Azure-AD and I have no on prem AD.&nbsp; There is no intent to add on premise devices if it can be avoided.<BR />&nbsp;I too was wondering if I set up the SAML connection and the Palo Alto application in O365 for firewall auth and global protect VPNs if it also encapsulated User-ID if we use global protect agents internally.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Mar 2019 11:17:21 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/255249#M72433 Medisked 2019-03-28T11:17:21Z https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/255284#M72446 <P>Hi Medisked,</P><P>&nbsp;</P><P>I ended up raising this as a Palo Alto support ticket.&nbsp;</P><P>&nbsp;</P><P>However i think your question is slightly different to mine. When you setup a global protect agent- this agent does send USER-ID information to the firewall. You can see this by simply looking at the Monitor tab and you'll see the username against the traffic that user has created.&nbsp;</P><P>&nbsp;</P><P>However what Palo Alto have confirmed is that the Group mapping settings can only be LDAP. Therefore if you have no DCs at all and your directory service is only Azure AD- there is no way to set policies within the firewall to say "user X can only go to resource Y".&nbsp;</P> Thu, 28 Mar 2019 16:52:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/255284#M72446 TomDow 2019-03-28T16:52:33Z https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/299945#M78433 <P>We noticed that the authentication profile can also get a value for the user group. But reading the documentation, we found that PaloAlto only uses this to match authenticating users against Allow List entries and not for policies or reports.</P><P>&nbsp;</P><P>The only thing missing is that PaloAlto allow the use of the user group that can be pass by AzureAD on Policies.</P><P>&nbsp;</P> Thu, 21 Nov 2019 11:34:17 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-using-internal-global-protect-and-azure-active-directory/m-p/299945#M78433 Marcaria-Infrastructure 2019-11-21T11:34:17Z