Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1065
Views
1
Helpful
2
Replies

Umbrella integration with Azure AD and without VAs

Go to solution
Madura Malwatte
Level 4
Level 4

‎01-22-2024 03:53 PM

Hi Team, my customer wants to deploy Umbrella in Azure and connect to their Azure AD without deploying VAs. Is this possible?

Reading the documentation, its seems its not possible to use the connector into Azure AD without VAs? Is this true? https://docs.umbrella.com/deployment-umbrella/docs/connect-active-directory-to-umbrella-1

Customer is quite averse to deploying and maintaining any appliances (i.e the VAs) and want strictly SaaS solution.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎01-22-2024 04:27 PM - edited ‎01-22-2024 04:33 PM

Hi Madura, 

You can integrate with Azure AD directly for the provisioning of users and Groups. User and group identities from Azure AD integrate with Umbrella DNS-layer security and Umbrella Secure Web Gateway (SWG) deployments. You do not need to deploy an on-premises Umbrella Active Directory Connector.

Umbrella DNS

  • Enables user identity support for the Umbrella roaming client and AnyConnect Roaming Security module.

Umbrella SWG

  • Enables user identity support for the AnyConnect SWG module.
  • Provisions user and group identities for use with end-user SAML authentication.

Note: Azure AD does not store the private IP to AD user mappings. 

So without VA, for unmanaged endpoints ( without agents ), you will not get visibility of internal IP Address. 

Reference: https://docs.umbrella.com/umbrella-user-guide/docs/microsoft-azure-ad-integration

 

View solution in original post

2 Replies 2

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎01-22-2024 04:27 PM - edited ‎01-22-2024 04:33 PM

Hi Madura, 

You can integrate with Azure AD directly for the provisioning of users and Groups. User and group identities from Azure AD integrate with Umbrella DNS-layer security and Umbrella Secure Web Gateway (SWG) deployments. You do not need to deploy an on-premises Umbrella Active Directory Connector.

Umbrella DNS

  • Enables user identity support for the Umbrella roaming client and AnyConnect Roaming Security module.

Umbrella SWG

  • Enables user identity support for the AnyConnect SWG module.
  • Provisions user and group identities for use with end-user SAML authentication.

Note: Azure AD does not store the private IP to AD user mappings. 

So without VA, for unmanaged endpoints ( without agents ), you will not get visibility of internal IP Address. 

Reference: https://docs.umbrella.com/umbrella-user-guide/docs/microsoft-azure-ad-integration

 

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee
In response to Muhammad Awais Khan

‎01-23-2024 09:02 AM

Just to add more context.

Above scenario is applicable where you have endpoints with Secure Client ( Anyconnect ) Umbrella Roaming module. In your scenario, where you dont have VA or do not want to have VA then Secure Client can provide Identity support for the end points on/off the network. 

https://docs.umbrella.com/deployment-umbrella/docs/identity-support-for-the-roaming-client

 

0 Helpful
Customers Also Viewed These Support Documents