12-13-2016 07:32 AM
Hi, is it possible to make this integration? Is the configuration the same as for a Windows Server AD? I didn't find any article that talks about or explains this topic.
thanks in advance
Mats
12-15-2016 05:10 AM
The Azure AD product is not a full AD server but a linked authentication device using federated services. The PA AD connector relies on seeing the actual AD log messages so I don't believe this will work with the Azure AD product. In this scenario your better option would be to connect to the company internal AD servers that make the federated connection to Azure AD.
But if you run a virtualized AD server in the Azure VM environment you could connect using the normal methods.
12-13-2016 09:50 AM
It should be the same configuration you just need to feed it the proper address and make sure that your service route or mgmt port can access the Azure server.
12-15-2016 07:35 AM
I always forget that Azure AD is an actual thing; and that it isn't just an AD server hosted on Azure.
12-21-2016 12:21 PM
Azure AD Domain Services is now GA, so if you're willing to pay for it, you could do LDAP auth against that: https://azure.microsoft.com/en-us/services/active-directory-ds/
But you can't do transparent UserID because you have no "domain controller" to read events from.
12-18-2017 10:19 AM - edited 12-18-2017 11:43 AM
Our clients using Azure AD as a service as their primary identity source need the firewall to populate Azure AD user to real (e.g. LAN RFC 1918) mappings. Using captive portal with Azure SAML SSO (as described in the following Microsoft Article) worked best for me.
We are grateful to Palo Alto and Microsoft for including this feature.
Parsing Azure syslogs may not be the best option as they log the public IP rather than the real IP of the user / device. Therefore we would not be able to differentiate users / devices NATed behind the same public IP.
12-19-2017 05:13 AM
Thanks for the update, really happy to see this feature added to Azure.
06-30-2020 12:22 AM
We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element, which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021), starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile".
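To illustrate what "Validate Identity Provider Certificate" buys you, here is an added example (not code from the video, Palo Alto or PAN-OS) that models the trust-anchor check only: the signing certificate embedded in a SAML Response is accepted only if its SHA-256 fingerprint matches a certificate pinned in the configured profile, whereas with the check disabled any embedded certificate is taken at face value. The certificate bytes, the `build_response` helper and the function names are constructed for the example; the cryptographic XML-DSig verification that must also run is out of scope here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes: the one a Certificate Profile
# would pin for the IdP, and a different one an attacker could embed in a forged response.
TRUSTED_IDP_CERT_DER = b"constructed-idp-certificate-der-bytes"
ROGUE_CERT_DER = b"constructed-rogue-certificate-der-bytes"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the usual pinning key."""
    return hashlib.sha256(der).hexdigest()


# Plays the role of the Certificate Profile referenced by the authentication profile.
TRUSTED_FINGERPRINTS = {fingerprint(TRUSTED_IDP_CERT_DER)}


def build_response(cert_der: Optional[bytes]) -> str:
    """Constructed minimal SAML Response carrying an (optional) embedded signing cert."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        key_info = (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
                    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" ID="_c1">'
            f"<ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue>{key_info}"
            "</ds:Signature></samlp:Response>")


def embedded_cert_fingerprint(saml_response: str) -> Optional[str]:
    """Fingerprint of the certificate the response itself presents, or None if absent."""
    root = ET.fromstring(saml_response)
    node = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    return fingerprint(base64.b64decode(node.text.strip()))


def idp_cert_trusted(saml_response: str, validate_idp_cert: bool) -> bool:
    """With validation off, the cert inside the message is trusted as-is (the weak setting);
    with it on, the cert must match the pinned profile, and a missing cert is rejected."""
    if not validate_idp_cert:
        return True
    fp = embedded_cert_fingerprint(saml_response)
    return fp is not None and fp in TRUSTED_FINGERPRINTS
```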