Administrator Login using Azure Groups through Cloud Identity Engine

L1 Bithead

I seem to be finding conflicting info (or none at all) and everything I've tested so far hasn't worked.

Is it possible to authenticate an Azure user through Cloud Identity Engine and then give them 'administrator' access to Panorama/PanOS based on their Azure group membership without using the Palo Admin-UI Azure Enterprise App?

I have CIE working for GlobalProtect login but, when I assign that same Auth Profile to the Device/Setup/Authentication Profile entry, it fails, seemingly because it's not receiving/mapping group info. I'm not sure if I can add Groups to the claim information in the "Cloud Authentication Service" Enterprise App (no permissions) so I have to run that up the flagpole but want to know what I'm talking about first.

I'm trying to avoid having to use the Admin-UI app, if possible, since I already have 2 apps in there for the CIE. Really seems like this should be possible but it's not obvious, if it is.

In the meantime, I thought I could just manually add the users as non-local Administrators using the same Authentication Profile but there is no way (that I see) to enter the full name for the user (domain\user or user@domain.com) as the special characters are invalid. Since we only have a handful of admins and these firewalls are managed by Panorama, I'm fine with just manually creating the users instead of using the group, if that's the easier option.

So:

1. Is it possible to use CIE for Admin Role assignment based on Entra groups without using the Admin-UI Enterprise App?

2. If not, is it possible to use CIE users for Administrator login at all without using the Admin-UI Enterprise App?

3. If you have to use the Admin-UI enterprise app, is it possible to use a single app for multiple firewalls (all different public IPs/URLs)?

If any of those are true, can someone point me towards a 'for dummies' walk through on set up? I feel like I've spent most of my week trying to get something pretty simple to work and I'm burnt out at this point. 😄

Thanks!
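A quick diagnostic for the suspicion in the post above that the assertion is not carrying group information: decode the SAMLResponse the browser posts back to the firewall and list the attributes it actually contains. This is an added example, not code from the post or from Palo Alto Networks; the assertion below is constructed, the GUIDs and address are placeholders, and the attribute name used is Entra ID's default group-claim name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real capture. The Attribute Name is the
# default Entra ID group-claim name; the GUIDs and the address are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def sample_saml_response() -> str:
    """Base64 form of the sample, as a browser would post it in the SAMLResponse field."""
    return base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_response(b64: str) -> str:
    """HTTP-POST binding: SAMLResponse is plain base64 of the XML (no deflate)."""
    return base64.b64decode(b64).decode("utf-8")

def subject_name_id(xml_text: str) -> str:
    """The NameID the firewall will treat as the login name (UPN style from Entra ID)."""
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    return (node.text or "").strip() if node is not None else ""

def list_attributes(xml_text: str) -> dict:
    """Map every Attribute Name in the assertion to its list of values.
    Inspection only: this does not verify the assertion signature."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs

def group_attribute_names(attrs: dict) -> list:
    """Attribute names that look like a group claim (Entra's default ends in /groups)."""
    return [n for n in attrs
            if n.lower().rstrip("/").endswith("groups") or n.lower() == "memberof"]
```

Paste the SAMLResponse value from the browser's developer tools into decode_saml_response; if group_attribute_names returns an empty list, the IdP is not sending group claims and the mapping cannot succeed regardless of the firewall-side configuration.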

1 REPLY

L6 Presenter

@K.Saucier I'm not familiar with what Admin-UI Enterprise App is, can you explain this to me? We don't use SCM we have a "Panorama Managed" Prisma deployment.

If I understand what you're saying in a normal scenario to log into a FW you need to have the account name (shortname / maybe first.last?) configured as a user and you associate this ID to an auth profile.

Your issue is that using Entra ID it uses a UPN format username@domain.com, and you're saying the FW doesn't like the @domain being in the user name field?
