- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
using Azure MFA with Global Protect
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Re: using Azure MFA with Global Protect
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-24-2018 10:50 AM
Hello,
To configure Global Protect to use our already Existing MS MFA server, I followed this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkkCAC
I think I had to do one or two extra things as well, but in any case it's working. However, it only prompts for the second factor if after I disconnect the Global Protect client, I go to Settings and click Sign Out. If I don't sign out, when I reconnect, I am not prompted for the second factor. Is this on some kind of timer or something? I tried putting the machine to sleep, logging out, and rebooting it but none of those things caused it to prompt. Is there a way to get it to require the second factor every time I reconnect?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-17-2020 01:40 PM
@minow
I believe that I have found a solution to the Azure not wanted to re-auth users. Within Azure, we had to create conditional access that has session access control. In this section of the conditional access, we selected Sign-in frequency and set this to 1 hour. (Lowest amount of time we could select). Now it seems to be requiring our users to re-auth every hour if they have disconnected. It is my understanding that this won't cause re-auths to users who are still connected, just users who disconnect and then reconnect.
Hope this helps. We have cert authentication as well as Azure with Duo MFA.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-18-2020 08:06 PM
Thanks for sharing the info.
Are you using global protect always on method?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
12-17-2020 11:41 AM
We initially were not using the always on. We were just using the on demand.
I have recently setup and tested the Always on. It works like a charm. Is there something that you are having issues with in particular?
Sorry I missed this comment over the summer.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
12-17-2020 12:19 PM - edited 12-17-2020 12:20 PM
I found another way to do it..... under: Device --> Authentication profile --> enter azure profile --> under Authentication tab --> check the option "Enable Single Logout"
this will do the work for logout global protect and azure at the same time
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
12-17-2020 12:23 PM
Good to know. Thanks for posting that information.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-17-2021 04:20 PM
Hi,
I am trying to get this conditional policy setup to work with the Palo Alto GlobalProtect enterprise app. For some reason O365 is not letting me create it - it hangs. Would you mind sharing your settings with us?
Thanks
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-28-2022 02:22 AM
Hi, thanks for your share, but after testing this i have a question :
- When the user disconnect globalprotect and reconnect it's ok. Connection with MFA is re ask..
- When the shutdown the pc without disconnect globalprotect, after the reboot it can connection globalprotect automatically.. (No password ot MFA is asking..)
Do you have the same thing ? Have find a solution ?
Thanks,
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-28-2022 04:36 AM
Yes, I have the same thing. The best that I have found is setting 60 minutes to re-require an authentication. After 60 minutes of their initial authorization, it will require a password and MFA again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-28-2022 07:10 AM
To do that tou have configure a conditional access rule in Azure ?
I've done a condictionnal rule and it's works !!
Too bad I would have preferred a disconnection to closing the post and sending a logout request.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-28-2022 07:18 AM
- Can Cortex XDR proactively log Global Protect client debug? in Cortex XDR Discussions
- Global Protect in Abu Dhabi in GlobalProtect Discussions
- Global protect enforcer and public wifi captive portal in General Topics
- Global Protect Gateway Priority Question in GlobalProtect Discussions
- Azure AD Identity Protection Integration custom filter in Cortex XSOAR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
