Connect Palo Alto with Azure AD

L2 Linker

Connect Palo Alto with Azure AD

Hi, is it possible to make this integration? Is it the same configuration as a Windows Server AD? I didn't find any article that talks about or explains this topic.

thanks in advance

Mats

L7 Applicator

Re: Connect Palo Alto with Azure AD

It should be the same configuration you just need to feed it the proper address and make sure that your service route or mgmt port can access the Azure server. 

L7 Applicator

Re: Connect Palo Alto with Azure AD

The Azure AD product is not a full AD server but a linked authentication device using federated services.  The PA AD connector relies on seeing the actual AD log messages so I don't believe this will work with the Azure AD product.  In this scenario your better option would be to connect to the company internal AD servers that make the federated connection to Azure AD.

But if you run a virtualized AD server in the Azure VM environment you could connect using the normal methods.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L7 Applicator

Re: Connect Palo Alto with Azure AD

I always forget that Azure AD is an actual thing; and that it isn't just an AD server hosted on Azure.

L1 Bithead

Re: Connect Palo Alto with Azure AD

Azure AD Domain Services is now GA, so if you're willing to pay for it, you could do LDAP auth against that: https://azure.microsoft.com/en-us/services/active-directory-ds/

But you can't do transparent UserID because you have no "domain controller" to read events from.

L0 Member

Re: Connect Palo Alto with Azure AD

Our clients using Azure AD as a service as their primary identity source need the firewall to populate Azure AD user to real (e.g. LAN RFC 1918) mappings. Using captive portal with Azure SAML SSO (as described in the following Microsoft Article) worked best for me. 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-paloaltoglobalprotect-...

We are grateful to Palo Alto and Microsoft for including this feature.

Parsing Azure syslogs may not be the best option as they log the public IP rather than the real IP of the user / device. Therefore we would not be able to differentiate users / devices NATed behind the same public IP.
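To make the NAT caveat above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that takes sign-in records, keeps only the ones that can become an unambiguous IP-to-user mapping, and flags the ones that cannot because the logged address is a public egress IP shared by several users. The sample records are constructed and use simplified `userPrincipalName` / `ipAddress` fields; the "real" test is membership in the RFC 1918 ranges named in the post. The output XML follows the `uid-message` format PAN-OS documents for its User-ID XML API; posting it to the firewall is left out.

```python
"""Turn identity-provider sign-in records into PAN-OS User-ID mappings,
refusing to map shared public (NAT) addresses.  Added example."""
import ipaddress
from collections import defaultdict
from xml.etree import ElementTree as ET

# RFC 1918 ranges: the only addresses that can identify a single LAN host.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real data).  Two users share one public
# egress address, one user has a unique public address, one user was
# logged by a source that saw the real LAN address.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com",   "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "dave@example.com",  "ipAddress": "10.20.30.40"},
]


def is_rfc1918(ip):
    """True when ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_signins(records):
    """Group sign-ins by source address and decide what can be mapped.

    mappings:       private IP -> single user (safe to push to User-ID)
    skipped_public: public IP  -> users seen behind it (cannot locate a host)
    collisions:     any IP that several users were logged from
    """
    users_by_ip = defaultdict(set)
    for rec in records:
        users_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])

    mappings, skipped_public, collisions = {}, {}, {}
    for ip, users in users_by_ip.items():
        if not is_rfc1918(ip):
            # A public address is the NAT egress point, not the device.
            skipped_public[ip] = sorted(users)
            if len(users) > 1:
                collisions[ip] = sorted(users)
            continue
        if len(users) != 1:
            # Even a private address is unusable if two users share it.
            collisions[ip] = sorted(users)
            continue
        mappings[ip] = next(iter(users))
    return {"mappings": mappings, "skipped_public": skipped_public,
            "collisions": collisions}


def build_uid_message(mappings, timeout_minutes=60):
    """Render mappings as a PAN-OS User-ID XML API login update."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mappings.items()):
        ET.SubElement(login, "entry", name=user, ip=ip,
                      timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    result = classify_signins(SAMPLE_SIGNINS)
    print("mapped:", result["mappings"])
    print("skipped public:", result["skipped_public"])
    print("collisions:", result["collisions"])
    print(build_uid_message(result["mappings"]))
```

Run as-is, only dave's 10.20.30.40 record becomes a mapping; 203.0.113.10 is reported as a collision between alice and bob, and carol's 198.51.100.7 is skipped even though it is unique, because a public address still says nothing about which LAN host to attach the user to.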

L7 Applicator

Re: Connect Palo Alto with Azure AD

Thanks for the update, really happy to see this feature added to Azure.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center