Using Authentication Policy and GlobalProtect with AAD SAML to prompt MFA authentication for Admin access to resources


L1 Bithead

We have new requirements to require MFA for administrative access to just about everything and have to put them into place in very short order.


"In addition to remote access, multi-factor authentication is required for the following, including such access provided to 3rd party service providers:

1. All internal & remote admin access to directory services (active directory, LDAP, etc.).

2. All internal & remote admin access to network backup environments.

3. All internal & remote admin access to network infrastructure (firewalls, routers, switches, etc.).

4. All internal & remote admin access to the organization's endpoints/servers."



What I'm trying to do is described pretty well in the document linked below: try to access something, get prompted. Trying to do this with Azure AD. From what I understand, browser-based applications can be done with captive portal and non-browser-based can be done with the GlobalProtect app. Is that right? Trying to leverage our existing Azure MFA.

Configure GlobalProtect to Facilitate Multi-Factor Authenti... (





Cyber Elite



Looking at this info:



If a user session matches the Authentication policy, the type of application or service determines the user experience for notifications about the authentication challenge:


  • (Windows or macOS endpoints only) Non-browser-based applications—To facilitate MFA notifications for non-HTTP applications (such as Perforce) on Windows or macOS endpoints, a GlobalProtect app is required. When a session matches an Authentication policy rule, the firewall sends a UDP notification to the GlobalProtect app with an embedded URL link to the Authentication Portal page. The GlobalProtect app then displays this message as a pop-up notification to the user.



Help the community: Like helpful comments and mark solutions

Thank you for your reply, Steve! Stood up a GlobalProtect gateway. Got MFA auth for establishing GP connection, but still trying to get challenged for authentication based on authentication policy. Initially thought http and https was captive/authentication portal, but after rereading the documents, and in particular the passage you mentioned, it referred to the authentication portal, which I'm now trying to stand up.


Should captive/authentication portal go on internal interface?  I was planning on putting Internal GP gateway and thought that was going to go on internal interface, but maybe I need loopbacks or something so there is no conflict.  Looking for best practices.


When I get Captive/Authentication Portal configured, I'll use whatever IP or DNS address is configured there and pair it up with the instructions here: Tutorial: Azure Active Directory integration with Palo Alto Networks Captive Portal | Microsoft Docs


Hopefully I'm on the right track.  Thoughts?






