
Cisco ISE 3.5 Entra ID Authorization Problem

andrianusfranky
Level 1

I have a PoC in my customer for Cisco ISE integration with Entra ID and currently I test it first on my lab.
My customer only has Entra ID for the IDP and no on-prem AD.
I use EAP-TLS and using ISE Certificate Provisioning Portal to generate endpoint cert.
From the live log, I see that Authentication Result have passed but it failed due to Rejected per authorization profile.
What step do I miss here?
Thank you

15 Replies

It's interesting to see that the live log says authentication failed when the authentication has actually passed. Have you tried removing the authentication status condition from the authorization rule to see if that makes any difference? Also, please check this link, which has a bunch of helpful details:

Cisco ISE with Microsoft Active Directory, Entra ID, and Intune - Cisco Community

andrianusfranky
Level 1

Hi Aref,
Thanks for your reply. Yes, I've tried deleting the authentication status condition from the authorization rule, and it is still the same.
I was also following your documentation before; basically what I do is just match the CN against the Entra External Group.
And the results are just like you've seen in the picture attached.
I've checked and made sure from the Entra config that everything is according to the documentation.

Hello,

I have the same problem. Did you get your issue fixed, and could you maybe share how it was fixed?

Andre-Teixeira
Level 1

I'm having the same problem. It seems the authentication flow between ISE and Entra ID isn't working, no matter what permission settings you configure. Does anyone have a solution or fix for this?

@Andre-Teixeira Hello, at which section of the policy is it blocking? Is it at Authentication or at Authorization? What error do you see? Share the error log / code.

I assume you completed the Entra ID integration with ISE as an External Identity Source. Did you import the Device or User Group already? Does your cert DN match the regex entry?

"No matter what permission settings you configure" -- which permission are you referring to?

Elaborate a bit more on your problem.

Hello! I followed this link/guide: 
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

We checked all the permissions for Entra ID and the ISE policies, and nothing. The documentation advises disabling Microsoft MFA, otherwise it doesn't work. We did this and the error persists. The REST communication within ISE to the tenant and the Entra ID app registration is working normally. We checked everything related to certificates: we inserted the certificate into the Entra ID app registration, issued a new certificate and a new chain, and imported them into ISE. We don't believe the problem is with certificates, because if I try to authenticate using a local Active Directory (for example, some domain user) it works with a different authentication policy and a different authorization policy.

Error code: 5400 Authentication failed
Failure Reason 12976 EAP-TTLS authentication failed



During REST ID integration it only works with a Client Secret; the Cert option is not available on the ISE side.

@Andre-Teixeira - What is your Microsoft Entra ID license type, P1 or P2? And what attribute are you using as part of AuthZ?

I know you are facing an issue with AuthC. Can you also share the Cert Auth Profile settings?

Mafra
Level 1

Hi!

@andrianusfranky 


I had a similar problem and was able to fix it. I was about to make a post talking about my issue.

I was able to authenticate but when trying to use groups as conditions no groups matched and the authz was getting the default.

In my case the problem was with the attributes ISE uses from Azure.

My problem was with the "deviceEnrollmentLimit" attribute: if I configure ISE to use this attribute and make authz policies using groups as conditions, it never matches.

Try playing with the attributes. If you have "deviceEnrollmentLimit" added, try removing it from the attribute list and see if this fixes your problem.


At the REST ID Store I went to "User Attributes" and removed "deviceEnrollmentLimit":

(screenshot attached: Mafra_1-1763734977523.png)

Logs showing the error I got when attributes were fetched for the user:

(screenshot attached: Mafra_2-1763735082962.png)

 

 

Andre-Teixeira
Level 1

I did that and I'm still having the same problem. Could you please share your App Registration permissions? All of them. Maybe that will help me. Thank you very much for the information shared so far.

@Andre-Teixeira Quick question - do you have the GroupMember.Read.All permission in Azure for the Entra ID app?

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

User Lookup API Permissions

To perform the User attribute and group membership lookups against EntraID, the following API Permissions must be granted in the Entra ID App Registration:

  • User.Read.All (Application)
  • GroupMember.Read.All (Application)

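The two posts above reduce the authorization failure to three things to verify: the app registration's Graph application permissions (User.Read.All and GroupMember.Read.All), the identity ISE takes from the certificate subject CN, and whether the user's group membership actually matches the group used in the authorization condition. The script below is an added example (not Cisco's or Microsoft's code, and not part of this thread) that walks those checks offline against constructed inputs so you can see at which stage a lookup would fall over. Its assumptions: the tenant's verified domains in VERIFIED_DOMAINS are made up, the Graph memberOf response is constructed, and it matches groups by object id, which is an illustrative choice, not a statement of how ISE compares imported Entra groups internally. Error AADSTS50034 is Entra's "user account does not exist in the directory" response, which is what a CN that is not a UPN on a verified domain will produce.

```python
"""Offline pre-flight check for the ISE -> Entra ID authorization path.

Added example, not Cisco or Microsoft code. It models the three things the
thread ends up debugging: the app registration's Graph permissions, the
identity ISE pulls out of the client certificate, and the group match used
as the authorization condition. All inputs below are constructed samples.
"""
import re

# Application permissions the community guide lists for user attribute and
# group membership lookups.
REQUIRED_APP_PERMISSIONS = frozenset({"User.Read.All", "GroupMember.Read.All"})

# Assumption: the tenant's verified domains, which you would normally read
# from GET /organization (verifiedDomains). Constructed for the example.
VERIFIED_DOMAINS = ("example.com", "example.onmicrosoft.com")


def missing_permissions(granted):
    """Return the required application permissions not present in `granted`."""
    return sorted(REQUIRED_APP_PERMISSIONS - {p.strip() for p in granted})


def cn_from_subject(subject):
    """Extract the CN from an RFC 4514 subject string such as
    'CN=alice@example.com,OU=Lab,O=Example'. Returns None if absent."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def identity_resolvable(identity, verified_domains=VERIFIED_DOMAINS):
    """True if the certificate identity looks like a UPN on a verified domain.
    Anything else is what Entra answers with AADSTS50034 (user not found)."""
    if identity is None or "@" not in identity:
        return False
    domain = identity.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in verified_domains}


def member_group_ids(member_of):
    """Object ids of groups in a Graph /memberOf style response body.
    Directory roles and other object types are skipped."""
    return {
        obj["id"] for obj in member_of.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.group"
    }


def evaluate(subject, granted_permissions, member_of, condition_group_id):
    """Walk the lookup in order and report the first failing stage."""
    missing = missing_permissions(granted_permissions)
    if missing:
        return ("permissions", "missing " + ", ".join(missing))
    identity = cn_from_subject(subject)
    if not identity_resolvable(identity):
        return ("identity", f"{identity!r} cannot resolve in tenant (AADSTS50034)")
    if condition_group_id not in member_group_ids(member_of):
        return ("authorization", "no group condition matched; default rule applies")
    return ("permit", identity)


# Constructed sample Graph response for GET /users/{id}/memberOf.
SAMPLE_MEMBER_OF = {
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "11111111-2222-3333-4444-555555555555",
         "displayName": "ISE-EAP-TLS-Users"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "66666666-7777-8888-9999-000000000000",
         "displayName": "Global Reader"},
    ]
}

if __name__ == "__main__":
    print(evaluate("CN=alice@example.com,OU=Lab,O=Example",
                   ["User.Read.All", "GroupMember.Read.All"],
                   SAMPLE_MEMBER_OF, "11111111-2222-3333-4444-555555555555"))
```

Feed it the subject of a certificate issued by the ISE Certificate Provisioning Portal and the permissions shown under the app registration's API permissions blade: a CN like "lab-pc-01" fails at the identity stage before any group is consulted, a missing GroupMember.Read.All fails before the identity is even looked up, and a group that the user is not a member of lands on the default authorization rule, which is the "Rejected per authorization profile" outcome from the first post.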
Andre-Teixeira
Level 1

Thank you very much, but no success. I'm still getting the error log from my first attachment, login_failure_log_ise_entra_ID.png.
The error is "AADSTS50034"...

Did you enable the debug for "rest-id-store"?

I think you will have a better idea of what the problem is if you enable it and check on the CLI while the client tries to authenticate.

CLI command after enabling the debug:

show logging application ropc/rest-id-store.log

Andre-Teixeira
Level 1

Yes, I did. Same error message. Which version of Cisco ISE are you using?