Captive Portal w/2FA in Azure



Hi All -

Hopefully I make this clear.  


What I'm looking to do is set up Captive Portal with a push notification in Azure AD.  I can't seem to find any documentation around this, can someone give me the general steps or point me to existing documentation?


Thanks in advance. 


Hi Robert,


Glad to know that document still applies.  I did skip step 3 and was thinking hmm... maybe this isn't possible.   Still getting the error, but I have two tickets in with support and hopefully at least one of them can help me figure that out.


Thanks to your help, I finally got the GlobalProtect Protected Resource message to pop up that I've been trying to trigger.  I have a couple of test auth rules. 


The one that triggered the GlobalProtect message was for an RDP session to a specific host. When I try to connect I get an "An internal error has occurred" Remote Desktop Connection dialog box. Then the GlobalProtect message with the authentication button appears, which takes me to the captive portal in a browser window, and I get the AADSTS700016 message (which I expect at this point).


Question for you:  Are you using this to control RDP sessions?  The "An internal error has occurred" has me concerned that it may not work if the session times out before it can authenticate.


Another question: How do you get HTTPS to trigger authentication? Do you have to have SSL decryption in place?


I greatly appreciate your help!



Hey -

Sorry it took me so long to respond.  We are doing it for RDP, but it's kind of a hokey process.  If I try to RDP to a box that would have me crossing the CP, I also get the "An internal error has occurred", but I also get the GlobalProtect "Protected Resource" "Authenticate" popup (see screenshot).  I click on Authenticate and that takes me to the Captive Portal where I authenticate.  From there I go back to RDP and login again and it works because I am now authenticated via the CP.


It's hokey, but it makes sense in my head.  I can't RDP to a box that I need to authenticate via captive portal to first.  After that I can RDP to it without authenticating again for like two hours (I believe there is a timeout setting).




Don't know if this will help or not, but here is my Azure setup:



I think what's important to note here is the port addition: 

Entity ID: 


Reply URL: 


Hope that helps.
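
The post above stresses that the Entity ID and Reply URL registered in Azure AD must carry the firewall's Captive Portal port, and AADSTS700016 is the Azure AD error for an application identifier that is not found in the directory, which is what an Entity ID mismatch produces. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed SP metadata document shaped like the one a firewall exports, then compares the Entity ID and ACS URL against the values you believe are in the Azure enterprise app and flags any Azure-side value that lacks an explicit port. The hostname `cp.example.internal` and port 6082 are assumptions for the sample.

```python
"""Sanity-check Captive Portal SAML SP values against the Azure AD app registration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (hostname and port are assumptions, not from the thread).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cp.example.internal:6082/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cp.example.internal:6082/SAML20/SP/ACS"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entity_id, acs_url) from SAML SP metadata XML."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("metadata has no AssertionConsumerService element")
    return entity_id, acs.get("Location")


def check_azure_app(entity_id, acs_url, azure_identifier, azure_reply_urls):
    """Compare the SP's values with what the Azure AD enterprise app holds.

    Returns a list of human-readable problems; an empty list means the two
    sides agree and every Azure-side URL names its port explicitly.
    """
    problems = []
    # Identifier (Entity ID) must match byte-for-byte; a mismatch is the
    # usual cause of an "application not found" (AADSTS700016) response.
    if entity_id != azure_identifier:
        problems.append(
            f"Entity ID mismatch: SP={entity_id} Azure Identifier={azure_identifier}")
    # The ACS URL the firewall advertises must be one of the registered Reply URLs.
    if acs_url not in azure_reply_urls:
        problems.append(f"Reply URL not registered in Azure: {acs_url}")
    # The thread's point: the captive portal port must be present on the Azure side.
    azure_side = [("Azure Identifier", azure_identifier)]
    azure_side += [("Azure Reply URL", u) for u in azure_reply_urls]
    for label, url in azure_side:
        if urlparse(url).port is None:
            problems.append(f"{label} has no explicit port: {url}")
    return problems


if __name__ == "__main__":
    sp_entity_id, sp_acs = parse_sp_metadata(SP_METADATA)
    # Correct registration: same values, port included.
    print("matching config:", check_azure_app(sp_entity_id, sp_acs, sp_entity_id, [sp_acs]))
    # Typical mistake: Identifier typed into Azure without the port.
    print("missing port:", check_azure_app(
        sp_entity_id, sp_acs, "https://cp.example.internal/SAML20/SP", [sp_acs]))
```

Run it against your own exported SP metadata by replacing `SP_METADATA` with the file contents and the Azure values with what is shown on the enterprise app's single sign-on page; any line in the output is something to fix before opening another support ticket.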

Hi Robert,

That is good to know that you see the same behavior, but it works.   I was seeing the exact error, getting the Protected Resource message and then clicked authenticate.  I think last I tried it I still had the Azure error, so I don't think I was authenticating.   We resolved the Azure error just before I went on vacation, but have been unable to do further testing since.  Thank you so much for confirming that you are able to do the RDP.


Sites that are HTTPS: do they work for you with Captive Portal? We don't have SSL decryption in place, so I'm wondering if that is the cause. The block-continue response pages don't show up for us for HTTPS sites but they do for HTTP, which I think is due to us not having SSL decryption in place. I have read that if you have decryption you need to do SSL decryption forward proxy for it to work. I'm just wondering if you had problems with HTTPS sites, and what your experience has been with them.


Thank you so much for your help!


Thank you again Robert,


You are amazing! I think we got the Azure error resolved before I went on vacation, but this will be great to compare a working config with what we have.


Latest question that came up: Since the GlobalProtect client does enforcement for non-HTTP/HTTPS traffic, what happens if a computer doesn't have the GlobalProtect client or it is disabled? We want to make sure that the resources are still protected.


Thank you so much,


Hey Chris -

Awesome!  I'm glad to hear you are making good strides.  I'll hit you up on the side to compare working configs.


I'll have to think about the enforcement for non-HTTP/HTTPS traffic. Since we mainly use it for RDP access I haven't given it much thought. I could easily be wrong here (TBH, I'm really a noob at this), but what we protect with the setup you and I both have is "on the network". That being said, I would think that if a computer doesn't have the GlobalProtect client or it is disabled you wouldn't be "on the network" and as such wouldn't be able to access those things. If that makes sense.
