Create a Microsoft Azure AD (SAML) Realm for Passive Authentication
The following topics discuss how to run the multi-step wizard required to create a Microsoft Azure AD (SAML) realm for passive authentication.
You can use a Microsoft Azure Active Directory (AD) realm with Cisco ISE to authenticate users and get user sessions for user control. Groups are obtained from Azure AD, and logged-in user session data is obtained from Cisco ISE.
You have the following options:
- Resource Owner Password Credentials (ROPC): Enables users to log in with a client like Cisco Secure Client using a user name and password. ISE sends user sessions to the cloud-delivered Firewall Management Center. For more information, see About Azure AD and Cisco ISE with Resource Owned Password Credentials.
  Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.
- Extensible Authentication Protocol (EAP) Chaining with Tunnel-based Extensible Authentication Protocol (TEAP) and Transport Layer Security (TLS), abbreviated EAP/TEAP-TLS: TEAP is a tunnel-based EAP method that establishes a secure tunnel and runs other EAP methods under the protection of that tunnel. ISE validates user credentials and sends user sessions to the cloud-delivered Firewall Management Center. For more information, see About Azure AD and Cisco ISE with TEAP/EAP-TLS.
To configure the realm, complete all tasks in the following order:
- Get required information for your realm as discussed in Get Required Information For Your Microsoft Azure AD Realm.