Create a Microsoft Azure AD (SAML) realm for passive authentication

A Microsoft Azure AD (SAML) realm for passive authentication retrieves groups from Microsoft Azure Active Directory (now called Entra ID) and logged-in user session data from Cisco ISE to authenticate users.

Authentication options

You have the following authentication options:

Resource owned password credentials (ROPC): Enables users to log in with a client like Cisco Secure Client using a user name and password. ISE sends user sessions to the Cloud-Delivered Firewall Management Center. For more information, see How Entra ID and Cisco ISE authentication with resource owned password credentials works.

Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.
Extensible Authentication Protocol (EAP) Chaining with Tunnel-based Extensible Authentication Protocol (TEAP) and Transport Layer Security (TLS), abbreviated EAP/TEAP-TLS: TEAP is a tunnel-based EAP method that establishes a secure tunnel and executes other EAP methods under the protection of that secured tunnel. ISE is used to validate user credentials and to send user sessions to the Cloud-Delivered Firewall Management Center. For more information, see How Entra ID and Cisco ISE authentication works with TEAP/EAP-TLS.

To configure the realm, complete all tasks in this order:

Configure Entra ID basic settings.
Get required information for your realm as discussed in Get required information For Your Microsoft Azure AD realm.
Microsoft Azure AD (SAML) realm: SAML details.