This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

User ID mapping works on DC but not/intermittent on branches for Intune internal users.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User ID mapping works on DC but not/intermittent on branches for Intune internal users.

abhishek.kumar
L0 Member

‎02-12-2026 04:18 AM

Hi All,

We have a PA-1410 at DC (with GlobalProtect) and PA-440/410 at branches.
Microsoft Intune enrolled devices users authenticate via SAML-Azure AD, non-Intune users via LDAP on-prem AD. User-ID is learned on the DC firewall and redistributed to branches using existing redistribution profiles.

Working fine for:

Non-Intune internal/external network users

Intune users from external network (via GP)

Intune users on internal network at DC

Issue:

Intune users on internal network at branch sites do not get User-ID mapping or it is intermittent.

In all cases, DC firewall is learning and redistributing the mappings.

Same design works at DC but not consistently at branches only for Intune internal users.

Has anyone seen this before?

Any pointers or real-world fixes would be really appreciated. 

0 Likes Likes
1 REPLY 1

dora745nevels
L0 Member

‎02-15-2026 09:53 PM

When Intune users are at a branch, their traffic hits the local PA-440/410, but because they authenticate via SAML (Azure AD) rather than local AD, there are no security logs for a local User-ID agent to scrape. If the DC firewall is redistributing mappings based on a GlobalProtect inner-tunnel IP or a specific DC-centric subnet, those mappings won't match the local branch LAN IP of the device.

To fix this, ensure your Redistribution Filter includes the branch IP subnets and verify that the branch firewalls are configured as Log Receivers or have the DC firewall added as a User-ID Agent. Additionally, since Intune devices often use randomized MAC addresses or transition between Wi-Fi/Wired interfaces, consider deploying the Palo Alto GlobalProtect app in "Internal Gateway" mode; this forces the client to report its current internal IP directly to the firewall, bypassing the need for unpredictable log scraping or redistribution lag.

service finance login
0 Likes Likes
  • 30 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks