Create a Microsoft Azure AD Realm
You can use a Microsoft Azure Active Directory (AD) realm with ISE to authenticate users and get user sessions for user control. The Secure Firewall Management Center gets groups from Azure AD and logged-in user session data from ISE.
You have the following options:
- Resource owner password credentials (ROPC): Enables users to log in with a client like AnyConnect using a user name and password. ISE sends user sessions to the Secure Firewall Management Center. For more information, see About Azure AD and Cisco ISE with Resource Owned Password Credentials.
  Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.
- Extensible Authentication Protocol (EAP) Chaining with Tunnel-based Extensible Authentication Protocol (TEAP) and Transport Layer Security (TLS), abbreviated EAP/TEAP-TLS: TEAP is a tunnel-based EAP method that establishes a secure tunnel and runs other EAP methods under the protection of that tunnel. ISE validates user credentials and sends user sessions to the Secure Firewall Management Center. For more information, see About Azure AD and Cisco ISE with TEAP/EAP-TLS.
Note: Before deploying policies related to a Microsoft Azure AD realm, see User Limits for Microsoft Azure Active Directory Realms.
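To make the ROPC option concrete, the following added example (not Cisco or Microsoft code, and not how ISE is implemented internally) shows the shape of the OAuth 2.0 Resource Owner Password Credentials exchange that underlies the user-name-and-password login described above: the form body the client posts to the Azure AD v2.0 token endpoint, and how the identity a user session would be keyed on is read back from the id_token claims of the response. The tenant name, client ID, user name, tokens and both sample responses are constructed placeholders. Because the client sends the clear-text password straight to the token endpoint, ROPC cannot satisfy an MFA or conditional-access prompt, which is worth checking against the tenant's policies before relying on it.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD v2.0 token endpoint; {tenant} is the tenant ID or a verified domain name.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_ropc_request(tenant, client_id, username, password,
                       scope="openid profile offline_access"):
    """Return (url, form_body) for a Resource Owner Password Credentials request.

    The body is application/x-www-form-urlencoded; grant_type=password is what
    makes this the ROPC grant. The requesting client (ISE in the deployment the
    page describes) handles the clear-text password and posts it to Azure AD.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urlencode({
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
        "grant_type": "password",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def session_from_token_response(resp):
    """Map a token-endpoint JSON response to the identity a user session would carry.

    Success responses carry access_token/id_token/expires_in; failures carry
    error/error_description. The id_token's preferred_username (or upn) claim is
    the user name a session would be keyed on; tid identifies the tenant.
    """
    if "error" in resp:
        return {"ok": False, "error": resp["error"],
                "description": resp.get("error_description", "")}
    claims = decode_jwt_claims(resp["id_token"])
    user = claims.get("preferred_username") or claims.get("upn")
    if not user:
        return {"ok": False, "error": "no_user_claim",
                "description": "id_token carries neither preferred_username nor upn"}
    return {"ok": True, "user": user, "tenant": claims.get("tid"),
            "expires_in": resp.get("expires_in")}


def _fake_jwt(claims):
    # Builds a structurally valid but unsigned token for the constructed samples
    # below. The third segment is a placeholder, not a real signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.placeholder-signature'


# Constructed sample responses (not captured from a real tenant).
SAMPLE_SUCCESS = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": _fake_jwt({"scp": "profile"}),
    "id_token": _fake_jwt({"preferred_username": "alice@contoso.example",
                           "tid": "00000000-0000-0000-0000-000000000000"}),
}
SAMPLE_FAILURE = {
    "error": "invalid_grant",
    "error_description": "constructed example: the supplied credentials were rejected",
}

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.example", "app-id-placeholder",
                                   "alice@contoso.example", "password-placeholder")
    print(url)
    print(body)
    print(session_from_token_response(SAMPLE_SUCCESS))
    print(session_from_token_response(SAMPLE_FAILURE))
```

The decoder deliberately skips signature verification so it can run on the constructed fixtures offline; anything that consumes real tokens must validate the signature against the tenant's published keys before trusting the claims.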