Create a Microsoft Azure AD (SAML) Realm for Passive Authentication
The following topics discuss how to run the multi-step wizard required to create a Microsoft Azure AD (SAML) realm for passive authentication.
You can use a Microsoft Azure Active Directory (AD) realm with Cisco ISE to authenticate users and obtain user sessions for user control. The Secure Firewall Management Center gets groups from Azure AD and logged-in user session data from Cisco ISE.
You have the following options:
- Resource Owner Password Credentials (ROPC): Enables users to log in with a client like Cisco Secure Client using a user name and password. ISE sends user sessions to the Secure Firewall Management Center. For more information, see About Azure AD and Cisco ISE with Resource Owned Password Credentials.
  Additional resource: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials on learn.microsoft.com.
- Extensible Authentication Protocol (EAP) Chaining with Tunnel-based Extensible Authentication Protocol (TEAP) and Transport Layer Security (TLS), abbreviated TEAP/EAP-TLS: TEAP is a tunnel-based EAP method that establishes a secure tunnel and executes other EAP methods under the protection of that tunnel. ISE validates user credentials and sends user sessions to the Secure Firewall Management Center. For more information, see About Azure AD and Cisco ISE with TEAP/EAP-TLS.
To configure the realm, complete all tasks in the following order:
- Get required information for your realm as discussed in Get Required Information For Your Microsoft Azure AD Realm.