Configure VPN GP with Microsoft Authenticator


L4 Transporter

Hi,

I would like to configure my VPN using Microsoft Authenticator. Does anyone have a guide for this?

 

I was checking this link, but I'm not sure if this config should be used if you have Entra ID in the cloud or not:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial

 

We have AD on an on-premises server.


Cyber Elite

@BigPalo,

So with on-premises AD and no Entra setup at all, you don't want to follow these instructions. From the sounds of it, you would want to set up GlobalProtect with a TOTP-capable app, and what your instructions are trying to do is establish Entra as a SAML provider.

 

Unfortunately there's not a super straightforward way to accomplish this. I know that you used to be able to do this for free with a combination of FreeRADIUS and its PAM module, and that it worked well. Whether that's still actively supported and maintained or not, I don't have any recent experience with.

 

https://networkjutsu.com/freeradius-google-authenticator/
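The FreeRADIUS + PAM approach above ends with a server-side TOTP check. The following is an added example, not code from the post, from FreeRADIUS or from the google-authenticator PAM module: it implements the RFC 4226/6238 arithmetic such a backend performs, with a one-step clock-skew window and a replay guard so a code sniffed from one RADIUS exchange cannot be reused. The base32 seed and timestamps are the RFC 6238 test values, not a real enrolment.

```python
"""Added example: server-side TOTP verification as a RADIUS/PAM backend would do it.
RFC 4226 (HOTP) + RFC 6238 (TOTP); seed below is the RFC test seed, not a real one."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps enrol a base32 seed, usually shown without '=' padding."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Verifier state for one user: accepts codes within +/- `window` time steps of
    the server clock and never accepts the same step twice (replay protection).
    In a real backend `last_counter` is persisted per user, not kept in memory."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an earlier one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 SHA-1 test seed ("12345678901234567890" in base32).
    seed = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    v = TotpVerifier(seed, digits=8)
    print(v.verify(totp(seed, 59, digits=8), 59))  # True
    print(v.verify(totp(seed, 59, digits=8), 59))  # False: same code replayed
```

The window of one step is the usual trade-off: it tolerates about 30 seconds of drift between the phone and the RADIUS host without widening the guessing space much, and because a rate limiter must still sit in front of this check (six digits is only a million possibilities), the firewall-side lockout or FreeRADIUS' own rate limiting remains necessary.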

Cyber Elite

Hi @BigPalo ,

 

I have set up GP with Entra ID with MFA using those instructions. I have also set it up for customers. There is one error that needs to be corrected: two of the URLs need to have the :443, as identified in red in this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
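The :443 correction above is easy to miss because both URL forms point at the same HTTPS endpoint. The following is an added example, not code from the post, the KB article or PAN-OS: it reads the entityID and AssertionConsumerService locations out of an SP metadata file and compares them with the Identifier and Reply URL entered on the Entra side, distinguishing "same endpoint, different string" from a real mismatch. The metadata is constructed; the `https://host:443/SAML20/SP` form is an assumption modelled on what a GlobalProtect portal exports, so compare against your own export rather than these literals.

```python
"""Added example: check Entra-side Identifier / Reply URL against GlobalProtect SP metadata.
Constructed metadata; the ':443/SAML20/SP' shape is an assumption, verify against your export."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not a real export).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:443/SAML20/SP/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Pull entityID and every ACS Location out of SP metadata.
    ElementTree is fine for a file you exported yourself; use defusedxml for untrusted XML."""
    root = ET.fromstring(xml_text)
    return {
        "entity_id": root.get("entityID"),
        "acs": [e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")],
    }


def same_endpoint(a: str, b: str) -> bool:
    """HTTP-level equivalence: an explicit :443 on an https URL is the default port,
    so the two strings reach the same listener even though they differ as strings."""
    def parts(url):
        s = urlsplit(url)
        return s.scheme, s.hostname, s.port or (443 if s.scheme == "https" else 80), s.path
    return parts(a) == parts(b)


def check_idp_config(sp: dict, idp_identifier: str, idp_reply_url: str) -> list:
    """Return findings as strings; an empty list means the IdP values line up with the SP."""
    findings = []
    if idp_identifier != sp["entity_id"]:
        note = ""
        if same_endpoint(idp_identifier, sp["entity_id"]):
            # The IdP looks the application up by the Issuer string the SP sends; it is
            # not URL-normalised, so the port difference alone makes the lookup fail.
            note = " (same endpoint, but the Issuer string is matched as sent; add the explicit port)"
        findings.append(f"Identifier: IdP has {idp_identifier!r}, SP sends {sp['entity_id']!r}{note}")
    if idp_reply_url not in sp["acs"]:
        note = ""
        if any(same_endpoint(idp_reply_url, a) for a in sp["acs"]):
            note = " (same endpoint, but the Reply URL must match the ACS Location string)"
        findings.append(f"Reply URL: IdP has {idp_reply_url!r}, SP declares {sp['acs']!r}{note}")
    return findings


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    for line in check_idp_config(sp, "https://vpn.example.com/SAML20/SP",
                                 "https://vpn.example.com/SAML20/SP/ACS"):
        print(line)
```

Run it against the metadata exported from your own portal and the values you typed into the Entra enterprise application; the port-only findings are exactly the case the KB article marks in red, and a finding without the "same endpoint" note means the host or path itself is wrong.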

L0 Member
The Microsoft Learn article you referenced—“Tutorial: Azure AD integration with Palo Alto Networks GlobalProtect”—is specifically designed for cloud-only or hybrid identity environments using Microsoft Entra ID (formerly Azure Active Directory) as the identity provider (IdP) for SAML-based authentication to GlobalProtect.
 
Since you mentioned that your organization uses on-premises Active Directory (AD) and did not indicate a cloud-based Entra ID setup (e.g., no synchronization via Azure AD Connect or cloud-only users), this guide may not be directly applicable unless you have already configured federation between your on-premises AD and Entra ID (e.g., using AD FS or another SAML IdP integrated with Entra ID).

Key Considerations:

  1. Authentication Architecture:
    • If your VPN (e.g., Palo Alto GlobalProtect) authenticates users directly against on-premises AD (via LDAP, RADIUS, or Kerberos), then Microsoft Authenticator would typically not be involved unless you layer Multi-Factor Authentication (MFA) on top.
    • To use Microsoft Authenticator for MFA, you generally need Microsoft Entra ID (with P1/P2 licenses) or Azure MFA Server (now deprecated). Since Azure MFA Server is retired, modern deployments rely on Entra ID-based MFA.
  2. On-Premises AD + MFA Options:
    • If you wish to keep authentication on premises but still use Microsoft Authenticator for MFA, you have two main paths:
      • Option A: Deploy Active Directory Federation Services (AD FS) on-premises and integrate it with Entra ID (hybrid identity). Then configure GlobalProtect to use Entra ID (via SAML) as the IdP, which triggers MFA via Microsoft Authenticator.
      • Option B: Use RADIUS with Network Policy Server (NPS) extended by the Azure MFA NPS extension. This allows on-premises RADIUS clients (like firewalls) to trigger MFA challenges via Microsoft Authenticator through Entra ID, while primary authentication remains against on-prem AD.
  3. Relevant Documentation:

Recommendation:

  • If you do not currently use Entra ID and authenticate solely against on-prem AD, the linked tutorial is not suitable as-is.
  • To leverage Microsoft Authenticator, you will need to integrate your on-prem AD with Entra ID (typically via Azure AD Connect) and enable Entra ID MFA.
  • Once that foundation is in place, you can choose either the SAML (cloud-first) or RADIUS/NPS (on-prem-first) approach based on your network architecture and security policies.