Connect Palo Alto with Azure AD


L2 Linker

Hi, is it possible to make this integration? Is it the same configuration as a Windows Server AD? I didn't find any article that talks about or explains this topic.


thanks in advance


Mats


L7 Applicator

The Azure AD product is not a full AD server but a linked authentication device using federated services.  The PA AD connector relies on seeing the actual AD log messages so I don't believe this will work with the Azure AD product.  In this scenario your better option would be to connect to the company internal AD servers that make the federated connection to Azure AD.


But if you run a virtualized AD server in the Azure VM environment you could connect using the normal methods.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center



Cyber Elite

It should be the same configuration; you just need to feed it the proper address and make sure that your service route or mgmt port can access the Azure server.


I always forget that Azure AD is an actual thing, and that it isn't just an AD server hosted on Azure.

Azure AD Domain Services is now GA, so if you're willing to pay for it, you could do LDAP auth against that: https://azure.microsoft.com/en-us/services/active-directory-ds/


But you can't do transparent UserID because you have no "domain controller" to read events from.

L0 Member

Our clients using Azure AD as a service as their primary identity source need the firewall to populate Azure AD user-to-real-IP (e.g. RFC 1918 LAN address) mappings. Using captive portal with Azure SAML SSO (as described in the following Microsoft article) worked best for me.


https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-paloaltoglobalprotect-...


We are grateful to Palo Alto and Microsoft for including this feature.


Parsing Azure syslogs may not be the best option as they log the public IP rather than the real IP of the user / device. Therefore we would not be able to differentiate users / devices NATed behind the same public IP.



Thanks for the update, really happy to see this feature added to Azure.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L3 Networker

We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element, which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021), starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile".
