Create a Microsoft Azure AD Realm
You can use a Microsoft Azure Active Directory (AD) realm with Cisco ISE to authenticate users and obtain user sessions for user control. The management center retrieves groups from Azure AD and logged-in user session data from Cisco ISE.
Authentication options
You have two authentication options:
- Resource Owner Password Credentials (ROPC): Enables users to log in with a client such as AnyConnect using a user name and password. ISE submits those credentials to Azure AD with the OAuth 2.0 ROPC grant and sends the resulting user sessions to the Cloud-Delivered Firewall Management Center. Because the ROPC grant sends the user's password directly to the token endpoint, it cannot complete multi-factor authentication, and Microsoft recommends it only where no other flow is possible. For more information, see How Entra ID and Cisco ISE authentication with resource owned password credentials works.
  Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.
- EAP chaining with Tunnel Extensible Authentication Protocol (TEAP) and EAP-TLS, abbreviated TEAP/EAP-TLS: TEAP (RFC 7170) is a tunnel-based EAP method that establishes a TLS tunnel and runs inner EAP methods, here certificate-based EAP-TLS for the machine and the user, under the protection of that tunnel. ISE validates the user credentials and sends user sessions to the Cloud-Delivered Firewall Management Center. For more information, see How Entra ID and Cisco ISE authentication works with TEAP/EAP-TLS.
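The following is an added example, not code from the Cisco documentation or from Cisco ISE, that shows what the ROPC option above means on the wire: the token request that a relying party such as ISE sends to the Microsoft identity platform, and how group membership is read back from the returned token. The tenant ID, client ID, user account, group object IDs and token response are constructed placeholders; a real relying party must also verify the token signature against the tenant's published keys, which this offline example skips.

```python
"""Added example (not Cisco or Microsoft code): the OAuth 2.0 Resource Owner
Password Credentials (ROPC) request to Microsoft Entra ID, and extraction of
the 'groups' claim from the token response. All identifiers below are
constructed placeholders, and signature verification is out of scope."""

import base64
import json
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not real identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def build_ropc_request(username: str, password: str, client_id: str = CLIENT_ID,
                       scope: str = "openid profile") -> tuple:
    """Return (url, headers, body) for an ROPC token request.

    grant_type=password is what defines ROPC: the user's cleartext password is
    carried in the POST body to the token endpoint. That is why the relying
    party (ISE here) has to handle the password itself and why a second MFA
    factor cannot be completed through this flow.
    """
    body = urlencode({
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped token from constructed claims. The signature segment
    is a dummy string: this is test data, not a token Entra ID issued."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def groups_from_token_response(response_json: dict) -> list:
    """Return the group object IDs from the token's 'groups' claim.

    Entra ID only emits the claim when the app registration's token
    configuration includes a groups claim. An OAuth error response (for
    example invalid_grant on a bad password) is surfaced as PermissionError.
    """
    if "error" in response_json:
        raise PermissionError(f"{response_json['error']}: "
                              f"{response_json.get('error_description', '')}")
    token = response_json["access_token"]
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return list(payload.get("groups", []))


# Constructed sample responses (what a successful and a failed ROPC exchange
# look like at the JSON level; values are placeholders).
SAMPLE_OK_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": make_sample_token({
        "upn": "alice@example.com",
        "groups": ["aaaaaaaa-0000-0000-0000-000000000001",
                   "aaaaaaaa-0000-0000-0000-000000000002"],
    }),
}
SAMPLE_ERROR_RESPONSE = {
    "error": "invalid_grant",
    "error_description": "constructed: credentials rejected by the tenant",
}

if __name__ == "__main__":
    url, headers, body = build_ropc_request("alice@example.com", "s3cret")
    print("POST", url)
    print(headers, body)
    print("groups:", groups_from_token_response(SAMPLE_OK_RESPONSE))
    try:
        groups_from_token_response(SAMPLE_ERROR_RESPONSE)
    except PermissionError as exc:
        print("auth failed:", exc)
```

Note that the body printed by the stand-alone run contains the password verbatim; that exposure is inherent to ROPC and is the reason the certificate-based TEAP/EAP-TLS option avoids it.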
Note: Before deploying policies related to a Microsoft Azure AD realm, see User limits for Microsoft Azure Active Directory realms.