AZURE Entra MFA for admin access via CLI


L3 Networker

We are easily able to set up MFA for the Web UI on the management port via SAML and Entra SAML auth. We have run into some challenges I was surprised exist. First, here are the requirements and goals:

  • PA VM-Series firewalls in Azure.
  • No on-prem AD, ISE or Kerberos dependencies. Our goal is to be 100% cloud based.
  • MFA to manage the PA for both the web UI and the CLI.

Problem

  • We have not been able to find a way to leverage SAML or other MS Entra solutions to lock down management port access for both the web UI and the CLI; SAML auth only works with the web UI. Every other solution we have found involves buying a one-off solution just for the PA, which is unacceptable.
  • Second, the built-in admin account can't be disabled, nor can MFA be forced for that account. I can't believe the main superuser account can't be locked down or disabled.

Cyber Elite

Hi @Carleton,

 

I don't know why PANW does not allow SAML for CLI access.  https://docs.paloaltonetworks.com/compatibility-matrix/reference/mfa-vendor-support

 

You could do MFA with a local NPS server pointed to Entra.  That is not 3rd party but it does require a local server.  https://learn.microsoft.com/en-us/entra/architecture/auth-radius

 

I have not tested it, but this person has found a way to not allow the local account to work if RADIUS is up.  https://live.paloaltonetworks.com/t5/general-topics/local-authentication-should-not-work-if-when-rad...  EDIT2:  @reaper may have a simpler way -> https://live.paloaltonetworks.com/t5/next-generation-firewall/to-force-ngfw-login-using-saml-sso/td-....

 

However, you cannot use SAML in an authentication sequence.  Again, RADIUS to NPS would solve that problem.

 

I think you have valid points.  The solution would be to ask your PANW SE to create feature requests.  I don't think the business units look at this forum for ideas.

 

Thanks,

 

Tom

 

EDIT:  The RADIUS users may have to log onto the GUI 1st before the CLI will work.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3qCAC


Cyber Elite

I think @TomYoung provided you with some good pointers regarding the SAML auth, but I'm wondering about your second question:

 

Are you logged in as the 'admin' account when you try to change it?

Unless you set the admin account up in a bootstrap and are rebooting the VM all the time and calling the bootstrap to rebuild the admin account, the default "admin" account is not locked. You can delete it, rename it, or change it any way you like if you first create, and log in as, a different superuser.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
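The two replies above come down to one check before you touch the built-in account: which management admins still authenticate with a local password (and therefore bypass whatever RADIUS/NPS or SAML profile carries the MFA), and whether at least one other superuser is already bound to the MFA profile so that 'admin' can be safely renamed or deleted. The script below is an added example and is not code from the original post or from Palo Alto Networks. It audits a `<users>` node of the shape that, to the best of my knowledge, the PAN-OS XML API returns for `xpath=/config/mgt-config/users` (local accounts carry a `<phash>`, externally authenticated ones an `<authentication-profile>`); that layout, the profile name `entra-radius-mfa`, and the embedded sample XML are all constructed assumptions, so compare against your own firewall's output before relying on it.

```python
"""Audit PAN-OS management admins for accounts that bypass the MFA authentication profile.

Added example, not part of the original thread. Assumptions: the XML layout below
mirrors the PAN-OS XML API response for xpath=/config/mgt-config/users, and
'entra-radius-mfa' is the name of the RADIUS (NPS -> Entra) authentication profile.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample response (not captured from a real firewall).
SAMPLE_USERS_XML = """<response status="success"><result>
<users>
  <entry name="admin">
    <phash>$1$abcdefgh$0123456789abcdefghijk/</phash>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="breakglass">
    <phash>$1$zyxwvuts$9876543210zyxwvutsrqpo/</phash>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="alice">
    <authentication-profile>entra-radius-mfa</authentication-profile>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="bob">
    <authentication-profile>entra-radius-mfa</authentication-profile>
    <permissions><role-based><superreader>yes</superreader></role-based></permissions>
  </entry>
</users>
</result></response>"""

# Authentication profiles that actually enforce MFA (assumed name).
MFA_PROFILES = {"entra-radius-mfa"}


def fetch_users_xml(host, api_key):
    """Pull the live <users> config node over the XML API (assumed parameters; TLS verified)."""
    query = urllib.parse.urlencode({
        "type": "config", "action": "get",
        "xpath": "/config/mgt-config/users", "key": api_key,
    })
    url = f"https://{host}/api/?{query}"
    with urllib.request.urlopen(url, context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8")


def parse_admins(xml_text):
    """Return one dict per admin: name, whether it has a local password hash, profile, role."""
    root = ET.fromstring(xml_text)
    admins = []
    for entry in root.iter("entry"):
        roles = entry.find("permissions/role-based")
        # The single child of <role-based> names the role (superuser, superreader, custom, ...).
        role = next((child.tag for child in roles), None) if roles is not None else None
        admins.append({
            "name": entry.get("name"),
            "local_password": entry.find("phash") is not None,
            "profile": entry.findtext("authentication-profile"),
            "role": role,
        })
    return admins


def audit(admins, mfa_profiles):
    """Flag admins that can log in without MFA and decide whether 'admin' can go.

    An account bypasses MFA if it still has a local password hash, or if it is bound
    to an authentication profile that is not in the MFA set. Removing or renaming the
    built-in 'admin' is only safe once another superuser is bound to an MFA profile.
    """
    bypass, reasons, mfa_superusers = [], {}, []
    for a in admins:
        if a["local_password"]:
            bypass.append(a["name"])
            reasons[a["name"]] = "local password, not subject to the MFA profile"
        elif a["profile"] not in mfa_profiles:
            bypass.append(a["name"])
            reasons[a["name"]] = f"authentication profile {a['profile']!r} does not enforce MFA"
        elif a["role"] == "superuser":
            mfa_superusers.append(a["name"])
    return {
        "bypass_mfa": bypass,
        "reasons": reasons,
        "mfa_superusers": mfa_superusers,
        # Tom Piens's precondition: another superuser exists and is MFA-bound.
        "safe_to_remove_admin": any(n != "admin" for n in mfa_superusers),
    }


if __name__ == "__main__":
    result = audit(parse_admins(SAMPLE_USERS_XML), MFA_PROFILES)
    for name in result["bypass_mfa"]:
        print(f"BYPASS  {name}: {result['reasons'][name]}")
    print("MFA-bound superusers:", result["mfa_superusers"])
    print("safe to rename/delete 'admin':", result["safe_to_remove_admin"])
```

Run it against the live node by replacing the sample with `fetch_users_xml(host, api_key)`. Note that a "break-glass" local superuser shows up as a bypass on purpose: if you keep one, the script tells you exactly which account still needs a long random password and a login alert rather than quietly assuming MFA covers everything.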