
DUO MFA for Palo Alto Global Protect VPN using Azure AD SSO (Cloud)

samdaniel
Level 1

Scenario:

Planning to use DUO MFA for Palo Alto Global Protect VPN users, where they authenticate through Azure AD SSO (Entra ID - Free Version); after they are authenticated, Duo kicks in for MFA.

My query is what will be the traffic flow and whether the Free Entra ID is enough to trigger the DUO MFA.

 

 

1 Reply

DuoKristina
Cisco Employee

If you are planning to add Duo MFA to Entra as an external authentication method, no, free Entra ID is not sufficient. https://duo.com/docs/microsoft-eam#prerequisites notes you need at least Entra ID P1.

This would be for the traffic flow:
GP Client access request >> Palo Alto >>SAML>> Entra ID >>OIDC>> Duo MFA >>OIDC>> Entra ID >>SAML>> Palo Alto >> GP Client access granted

If you want to use Duo SSO with Entra ID as the external SAML authentication source, then yes, this would work with Entra ID free. The Palo Alto SSO instructions are at https://duo.com/docs/sso-paloalto-globalprotect and information about using external SAML authentication sources for Duo SSO (like Entra ID) is here: https://duo.com/docs/sso#saml

This would be for the traffic flow:
GP Client access request >> Palo Alto >>SAML>> Duo SSO >>SAML>> Entra ID >>SAML>> Duo SSO + Duo MFA >>SAML>> Palo Alto >> GP Client access granted

Duo, not DUO.