Create a Microsoft Azure AD (SAML) Realm for passive authentication

The following topics discuss how to run the multi-step wizard required to create a Microsoft Azure AD (SAML) (now called Entra ID) realm for passive authentication.

You can use a Microsoft Azure Active Directory (AD) realm with Cisco ISE to authenticate users and get user sessions for user control. We get groups from Entra ID and logged-in user session data from Cisco ISE.

You have the following options:

• Resource owned password credentials (ROPC): Enables users to log in with a client like Cisco Secure Client using a user name and password. ISE sends user sessions to the Cloud-Delivered Firewall Management Center. For more information, see About Entra ID and Cisco ISE with resource owned password credentials.

  Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.

• Extensible Authentication Protocol (EAP) Chaining with Tunnel-based Extensible Authentication Protocol (TEAP) and Transport Layer Security (TLS), abbreviated EAP/TEAP-TLS: TEAP is a tunnel-based EAP method that establishes a secure tunnel and executes other EAP methods under the protection of that secured tunnel. ISE is used to validate user credentials and to send user sessions to the Cloud-Delivered Firewall Management Center. For more information, see About Entra ID and Cisco ISE with TEAP/EAP-TLS.

To configure the realm, complete all tasks in the following order:

1. Configure Entra ID basic settings.

2. Get required information for your realm as discussed in Get required information For Your Microsoft Azure AD realm.

3. Microsoft Azure AD (SAML) realm: SAML details.