This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

UserID mapping for users usings Azure VPN Gateway and AzureAD

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

UserID mapping for users usings Azure VPN Gateway and AzureAD

JPope_ITG
L0 Member

‎07-21-2025 09:49 AM

Hi All,

 

I have a unique scenario. We have a PA VM Firewall in Azure. We use Azure VPN Gateway to allow users to VPN in if need be (mainly 3rd party support) to get to services on the other side of the FW. The user's credentials authenticate against AzureAD using MFA. I need to know if there is a way to implement UserID, or something similar, that will allow me to set specific policies on which user or group of users has VPNed in using the groups they are in AzureAD.

 

The user accounts are also replicated to on-prem AD, so I don't know if that helps with a solution.

 

Thanks

0 Likes Likes
1 REPLY 1

F.DeMuyter
L1 Bithead

‎07-25-2025 06:18 AM

Hi JPope,

 

There is no native support for you scenario.   Since you are authenticating via the Azure VPN gateway using Azure Point to site , only azure knows the user to ip mapping and palo is not aware of this.  I don't know you Azure landscape but i am assuming you have deployed a hub and spoke topology inside Azure and your palo is inside the HUB.  You could deploy a global protect gateway on your palo alto in Azure and user an Azure Application Gateway or External Loadbalancer to publish the global protect portal/gateway out to the internet.

And then let you remote user use global protect then you will have all the info you need, of course this would require a redesign of your topology.

Another approach is somehow getting the S2SVPN Logs forwarded to your palo alto firewall.   The theortical approach would then be don't see any reason why it won't work but i will take time and effort. 

Azure VPN Gateway
↓  enable (Diagnostic logs)
Log Analytics Workspace
↓ (queried by Azure Function)
Azure Function (Python)

Palo Alto Firewall (User-ID XML API)

 

But in short no easy way of doing this.

 

  • 198 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks