Allow Palo Alto GlobalProtect VPN for managed devices

While using Conditional Acces, we can require specific requirements for users, devices, apps, countries (locations), device states, etc. This gives us the opportunity to allow or deny authentications to Palo Alto Global Protect VPN with additional requirements.

This blog shows you how to prevent unmanaged devices from connecting from to your Palo Alto GlobalProtect infrastructure. Or the opposite: Only allow Palo Alto GlobalProtect authentication from managed devices.


There are some requirements which need to be met. Your GlobalProtect environment should make use of SAML authentication and Azure AD requires the Palo Alto Networks – GlobalProtect Enterprise-App from the Azure AD Gallery. The complete documentation can be found here.

Conditional Access Policy

Note: Organizations (or tenants) who require a managed/compliant device for All Cloud apps don’t need the following conditional access policies. The Palo Alto Networks – GlobalProtect (in Azure AD) is part of All Cloud apps.

There are several ways to achieve the required situation. I’ll show you the 2 most common scenario’s.

1: Block Palo Alto Networks – GlobalProtect for all users, for all locations, for all device platforms except for compliant or corporate (company owned) devices.

2: Allow (grant) Palo Alto Networks – GlobalProtect for all users, for all locations, for all device platforms and configure access controls Require device to be marked as compliant and/or Require hybrid Azure AD joined device.

logs

Once you made sure, the conditional access policy works as expected. You can change the status from report-only to on. Once the policy is enabled, verify the sign-in logs in Azure AD.

Failed authentications (from unmanaged devices) will report as follows:

Happy protecting! 🙂

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

6 − 3 =