Global Protect with AzureAD authentication

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect with AzureAD authentication

L3 Networker



Currently, we have ou GP configured to use our local Active Directory for authentication.


Is easy to configure GP to use AzureAD authentication and to use Microsoft MFA ?





Cyber Elite
Cyber Elite



in azure you can create an enterprise application, look for "palo alto networks - globalprotect"

go through the steps to enable SSO


the only caveat is that you need to craft your identifier and reply url to contain :443



Basic SAML Configuration
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL


export the federation metadata xml and import that into the palo as a SAML server profile



Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you.


How I can configure GP to force user to enter AzureAD crendentials and not automatically authenticated on GP when I start the GP application ?



I configured the SAML and it's seem to be working but, when I used internal LDAP to authenticate on GP client, I need always enter my credentials but when I switch to the SAML auth, when I start the GP client, I'm directly connected without to enter credentials...

I have dug into this before and my conclusion is that you can not force reauthentication when using AzureAD SAML with GlobalProtect.


If the user has already signed in to AzureAD then Single-Sign-On principles will take effect.  Authentication will be completed using a cookie in the browser in a simple case.  If it is a Windows device that is AzureAD Joined or Hybrid AzureAD Joined then the Primary Refresh Token (PRT) will be used.  There are more potential methods depending on OS and settings.


You might be able to use Sign-In-Frequency (SIF) in AzureAD Conditional Access, but if the device is joined to AzureAD then it probably won't work how you expect.


AzureAD does support a parameter called ForceAuthN which states

> If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Microsoft Entra ID

However, I do not see any way to tell PaloAlto to use this parameter.  I've been considering making a feature request to PaloAlto to allow this parameter to be set.  I've found threads where people use it with Checkpoint and Meraki VPNs.


I have some saved links that may help you


  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!