Showing results for 
Search instead for 
Did you mean: 

Cisco AnyConnect - M365 authentication possibilities


Would like to request information on the integration possibilities of AnyConnect with Microsoft 365 user authentication.

So far it looks like it is possible via SAML, just want to make sure we're not missing anything.



1 Accepted Solution
6 Replies 6

AnyConnect NAM client 802.1X authentication to ISE?  AnyConnect VPN to ASA/FTD?  AzureAD/ADFS?  

Marvin Rhoads
Hall of Fame
Hall of Fame

The AnyConnect VPN client can authenticate to Azure AD via SAML. You can also incorporate Microsoft Authenticator MFA in this scenario.

You can also run a hybrid solution using Microsoft NPS on premises with the Azure plug-in and use Microsoft MFA that way.

Thirdly you could use Duo SSO integrated with Azure AD.

I'm also just learning about the M365/AzureAD (AAD) capabilities, but hopefully, we will find something together.


In our PoC environment, we have proven that AnyConnect with the external browser could authenticate straight away against AAD using SAML, but this is where the next challenge comes: if at all possible, we would like to use a single sign-on experience on the AzureAD joined devices, namely we would like skip the re-authentication (username+password) of the user and just prompt for multi-factor authentication before the user would be allowed to bring up the VPN.


Cisco provides the AnyConnect app in AzureAD, I wonder if there is any associated documentation on the topic, particularly on the SSO side.

Form memory, when you configure the SAML iDP from FMC there is an option to check the box to not require reauthentication. HAve you tried that?

From SAML authentication's perspective Azure AD is an Identity Provider (IdP), just like ADFS, DUO, etc.


What we want to do is the best possible integration between AnyConnect and Azure AD, where the user can establish the VPN connection with the least amount of interactions, still with the best security.


We're trying to achieve that AnyConnect authenticates the user based on the Windows session against AzureAD (so there's no new username and password requested after the user logged in Windows) and gets connected after a single MFA approval.


MFA is still requested to make sure that if someone tries to connect from a stolen laptop even with a leaked username/password, connection to corporate resources would not be possible.


any Ideas?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: