Traditional environments using Palo Alto GlobalProtect for VPN access have relied on methods such as usernames and passwords, as well as certificates, to authenticate users. However, in a Zero Trust world, it's important to verify explicitly and assume breach. This is where Microsoft Entra ID comes in - enabling organizations to secure GlobalProtect with Single Sign-On (SSO) and Conditional Access (CA) policies.
Overview
This article will walk you through the steps necessary to secure Palo Alto GlobalProtect VPN using Microsoft Entra ID to enable SSO and configure CA policies. Along the way, we'll cover topics such as creating an App registration in Entra ID, configuring GlobalProtect to authenticate users against Entra ID, and setting up CA policies to enforce multi-factor authentication (MFA) and require compliant devices before a VPN connection is established. If that sounds like your kind of party 🥳, then let's get started.
Prerequisites
- Microsoft Entra ID P1 or higher (to configure Conditional Access policies).
- At least a Cloud Application Administrator role in Entra ID.
- Palo Alto GlobalProtect: Ensure you have a Palo Alto GlobalProtect VPN set up and running (in this walkthrough, we'll spin up an instance of a Palo Alto firewall in Azure).
Step 1: Create an App Registration in Entra ID
- Navigate to the Microsoft Entra admin center.
- Select Applications > Enterprise Applications from the left-hand menu.
- Click on + New application.
- Search for Palo Alto Networks GlobalProtect and select it.

- Click Create to add the application to your tenant.
- From Palo Alto Networks - GlobalProtect Enterprise Application, click Single sign-on > SAML.
- Under Basic SAML Configuration, click Edit and enter the following values:
  - Sign-on URL: https://<your-firewall-domain>
  - Identifier (Entity ID) > Add identifier: https://<your-firewall-domain>/SAML20/SP
  - Reply URL (Assertion Consumer Service URL) > Add reply URL: https://<your-firewall-domain>/SAML20/SP
- Click Save.
- Download the Federation Metadata XML file from the SAML Certificate section. This file will be used to configure GlobalProtect.
Optionally, restrict access to the application by assigning a specific security group to it. To do this, navigate to Users and groups in the left-hand menu, click Add user/group, select the group you want to assign, and click Assign. For example, assign GlobalProtect users to a dedicated group, such as vpn-users, so that only members of that group can sign in to the application.