Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1844
Views
2
Helpful
6
Replies

ISE Join with Azure AD Directory Services

Go to solution
packet2020
Level 1
Level 1

‎02-24-2023 12:30 PM

Hi All,

I am currently looking at options to integrate ISE with Azure AD. From my basic understanding, Azure AD Domain Services supports traditional join operations to support legacy services. If we were to migrate to Azure AD, can ISE join Azure AD Directory services in the same way that it would with an on-prem AD server? Is this supported?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎02-24-2023 01:23 PM

https://youtu.be/iAKyIHFqbgE

View solution in original post

ISE Integration with Intune MDM
ISE Integration with Intune MDM
youtu.be/iAKyIHFqbgE
Speaker: Greg Gibbs, Cisco Security Architect 00:00 Intro 02:23 Traditional Active Directory vs Azure Active Directory 05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined 07:00 Intune MDM Enrollment Options 09:08 Windows Autopilot 10:04 Windows Self-Service Out-of-Box Experience (OOBE) ...

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to packet2020

‎02-27-2023 06:57 PM - edited ‎02-27-2023 07:09 PM

From what I can tell based on the documentation and installing  Azure AD DS in my lab, AADDS is simply a SaaS offering by Azure for traditional Active Directory. Rather than have an IaaS deployment in the cloud where you manage the OS and deploy your own traditional Active Directory services, with AADDS the OS is managed by MS and you just have the limited control over the traditional AD services.

I was successfully able to perform the following actions in ISE using my AADDS managed domain. The functionality worked the same as with a normal traditional AD deployment on-prem or in the cloud (IaaS).

  • Create an AD join point and join my ISE node to the domain
  • Add cloud-only AD groups defined in Azure AD
  • Perform a Test User lookup for a cloud-only user account in Azure AD
  • Configure Admin Access for the ISE GUI to use my AD join point, map an Azure AD group to the Super User RBAC role, and login to the ISE GUI using a cloud-only AD user account (member of the group).

 

View solution in original post

6 Replies 6

Go to solution
dalbanil
Cisco Employee
Cisco Employee

‎02-24-2023 12:58 PM

Hello packet2020, it is possible, here you have an excellent document that guides you on how to do it, it also contains examples of the policies on ISE that you could use for authorization, let me know if this helped.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.pdf

 

0 Helpful

Go to solution
packet2020
Level 1
Level 1
In response to dalbanil

‎02-24-2023 01:06 PM

Hi @dalbanil 

Thanks for the reply, however this is not quite what I am asking. The above document is to integrate ISE with Azure AD using REST with ROPC. What I want to know is if can we join ISE to Azure AD Domain Services in the same way that we do today with traditional on-prem AD (configured under External Identity Sources -> Active Directory)? I'm aware that Azure AD DS has some limitations, however do these impact ISE join?

 

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to packet2020

‎02-24-2023 01:25 PM

Great question.  Is this the same thing as a "hybrid" Azure AD environment or a totally separate thing?  Is there still an on-premise AD footprint?

0 Helpful

Go to solution
packet2020
Level 1
Level 1
In response to ahollifield

‎02-24-2023 01:37 PM - edited ‎02-24-2023 01:38 PM

This would be in the absence of on-prem AD, so cloud only and no hybrid. So we would have Azure AD with an Azure AD Domain Services managed domain.

Windows servers can join the Azure AD DS managed domain so I would be interested to know if ISE can as well.

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to packet2020

‎02-27-2023 06:57 PM - edited ‎02-27-2023 07:09 PM

From what I can tell based on the documentation and installing  Azure AD DS in my lab, AADDS is simply a SaaS offering by Azure for traditional Active Directory. Rather than have an IaaS deployment in the cloud where you manage the OS and deploy your own traditional Active Directory services, with AADDS the OS is managed by MS and you just have the limited control over the traditional AD services.

I was successfully able to perform the following actions in ISE using my AADDS managed domain. The functionality worked the same as with a normal traditional AD deployment on-prem or in the cloud (IaaS).

  • Create an AD join point and join my ISE node to the domain
  • Add cloud-only AD groups defined in Azure AD
  • Perform a Test User lookup for a cloud-only user account in Azure AD
  • Configure Admin Access for the ISE GUI to use my AD join point, map an Azure AD group to the Super User RBAC role, and login to the ISE GUI using a cloud-only AD user account (member of the group).

 

Go to solution
ahollifield
VIP
VIP

‎02-24-2023 01:23 PM

https://youtu.be/iAKyIHFqbgE

ISE Integration with Intune MDM
ISE Integration with Intune MDM
youtu.be/iAKyIHFqbgE
Speaker: Greg Gibbs, Cisco Security Architect 00:00 Intro 02:23 Traditional Active Directory vs Azure Active Directory 05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined 07:00 Intune MDM Enrollment Options 09:08 Windows Autopilot 10:04 Windows Self-Service Out-of-Box Experience (OOBE) ...
Customers Also Viewed These Support Documents