09-23-2025 07:26 AM - edited 09-23-2025 07:56 AM
We are migrating on-premise AD to Azure AD. The doubt is that these users are going to Azure AD and all the info (source name and group membership) cannot be retrieved by the FW (as UIA did in on-premise mode). So how can we get the info (users/groups) from Azure AD to configure policy source groups in Palo Alto? We don't have any SAML IdP configured in Palo Alto.
09-23-2025 01:57 PM
Hi @BigPalo ,
CIE can get you the user-to-group mappings. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-e...
You would need another method to get user-to-IP mappings such as GlobalProtect with Internal Host Detection, Authentication Portal, integration with network login server, etc. https://docs.paloaltonetworks.com/ngfw/administration/user-id/user-id-overview (Scroll down to picture.)
Thanks,
Tom
09-24-2025 04:54 AM - edited 09-24-2025 05:52 AM
I found this nice link to configure the CIE. I will follow it to get the LDAP directory.
Related to user/IP mappings: what would be the least-impact way to do it for users who only authenticate in Entra ID?
I understand GP will require users to install clients, so it's discarded. So what would be a good and not intrusive method for users?
Thanks
09-25-2025 07:09 AM
Kind of two different ways to do this that are going to do essentially the same thing. You could enforce GlobalProtect for network access and use an internal gateway to tie the authentication to Entra ID through SAML SSO, or you utilize an authentication portal with SAML SSO to Entra ID to do effectively the same thing just through the browser solely itself.
The reason I personally don't love just using an authentication policy and the authentication portal is that a user only using apps like Slack, Webex, or Teams won't actually immediately be redirected to the portal. It works fine if your users live in a browser all day, but GlobalProtect is the most straightforward solution in this case. It's a good stop-gap if we're talking about personal machines here, but if these are company-owned endpoints, my suggestion would be to just push the agent through Intune and be done with it.
09-25-2025 08:12 AM
Hi @BigPalo ,
As @BPry said, GlobalProtect is going to be one of the most effective solutions. There are other options depending upon your environment. For example, in my company everyone has to log into the network (802.1x) whether it is wired or wireless. So, I have their identity in my RADIUS server. I forward the authentication logs to a firewall, then I redistribute them to the other firewalls. That works very well for me. Please also take a look at the User-ID Overview URL I posted above. One of those solutions could work in your environment.
Thanks,
Tom
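The two mapping stages Tom describes (user-to-group from CIE in the first reply, user-to-IP from forwarded RADIUS authentication logs in the last one) are easy to conflate, so here is an added illustration of how they combine at policy-match time. This is example code written for this thread, not PAN-OS, User-ID agent or CIE code; the syslog line format, the regexes, the 45-minute timeout and the group membership table are all constructed assumptions standing in for what a User-ID syslog parse filter and a CIE directory sync would provide.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical RADIUS accounting syslog format.
# They are not real RADIUS or PAN-OS output; the field layout is an assumption.
SAMPLE_SYSLOG = [
    "2025-09-25T08:00:05Z radius01 acct: status=Start user=alice@corp.example framed-ip=10.1.20.15",
    "2025-09-25T08:00:09Z radius01 acct: status=Start user=bob@corp.example framed-ip=10.1.20.22",
    "2025-09-25T08:01:00Z radius01 auth: Login incorrect user=mallory@corp.example nas=wlc01",
    "2025-09-25T08:30:00Z radius01 acct: status=Stop user=bob@corp.example framed-ip=10.1.20.22",
    "2025-09-25T08:31:00Z radius01 acct: status=Start user=carol@corp.example framed-ip=10.1.20.31",
]

# Equivalent of a User-ID syslog parse filter: one pattern for login events, one for logout.
# Failed authentications deliberately match neither, so they never create a mapping.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ acct: status=Start user=(?P<user>\S+) framed-ip=(?P<ip>\S+)$")
LOGOUT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ acct: status=Stop user=(?P<user>\S+) framed-ip=(?P<ip>\S+)$")

# Stand-in for the user-to-group data CIE would pull from Entra ID (constructed values).
GROUP_MEMBERSHIP = {
    "alice@corp.example": {"Finance", "All-Staff"},
    "bob@corp.example": {"Engineering", "All-Staff"},
    "carol@corp.example": {"All-Staff"},
}


def parse_timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


class UserIpTable:
    """In-memory user-to-IP table with an idle timeout, modelled on User-ID behaviour."""

    def __init__(self, timeout=timedelta(minutes=45)):
        self.timeout = timeout
        self.entries = {}  # ip -> (user, last_seen)

    def ingest(self, line):
        """Return 'login', 'logout' or None depending on what the line mapped to."""
        m = LOGIN_RE.match(line)
        if m:
            self.entries[m["ip"]] = (m["user"], parse_timestamp(m["ts"]))
            return "login"
        m = LOGOUT_RE.match(line)
        if m:
            # An explicit logout removes the mapping immediately instead of waiting for timeout.
            self.entries.pop(m["ip"], None)
            return "logout"
        return None

    def lookup(self, ip, now):
        """Resolve an IP to a user, expiring stale mappings on the way."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.timeout:
            del self.entries[ip]
            return None
        return user


def build_table(lines, timeout=timedelta(minutes=45)):
    table = UserIpTable(timeout)
    for line in lines:
        table.ingest(line)
    return table


def policy_source_group_match(table, ip, required_group, now):
    """A security policy with a source group matches only if BOTH mappings resolve:
    the source IP must map to a user, and that user must belong to the group."""
    user = table.lookup(ip, now)
    if user is None:
        return False
    return required_group in GROUP_MEMBERSHIP.get(user, set())


if __name__ == "__main__":
    now = parse_timestamp("2025-09-25T08:35:00Z")
    table = build_table(SAMPLE_SYSLOG)
    for ip in ("10.1.20.15", "10.1.20.22", "10.1.20.31", "10.1.20.99"):
        print(ip, "->", table.lookup(ip, now),
              "Finance policy matches:", policy_source_group_match(table, ip, "Finance", now))
```

The point the example makes is the one in Tom's first reply: a group mapping alone gives the firewall no way to associate traffic with a user, and an IP mapping alone gives it no group to match on. Both `lookup` and `policy_source_group_match` return `None`/`False` for an IP that has logged out, never logged in, or whose mapping has aged past the timeout, which is exactly why the log-forwarding source needs to deliver stop/logout events and not just logins.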