Create a Microsoft Azure AD (SAML) Realm
You can use a Microsoft Azure Active Directory (AD) realm for either passive authentication or active authentication.
Passive authentication
Passive authentication occurs when a user authenticates with Cisco ISE.
You have the following options, depending on your choice of user and group repository:
- To use Cisco ISE as a repository for users and to perform passive authentication using Azure AD. For more information, see:
- To download groups from Azure AD.
For more information about setting up Azure AD, see Configure Microsoft Azure Active Directory for Passive Authentication.
Active authentication
Active authentication occurs when a user authenticates through preconfigured managed devices. Captive portal is another name for active authentication. Active authentication generally uses the same user repositories as passive authentication (the exceptions being ISE/ISE-PIC, TS Agent, and the Passive Identity Agent, which are passive only).
Using Microsoft Azure AD for captive portal requires users to authenticate with Azure AD. We refer to the realm as a Security Assertion Markup Language (SAML) realm because SAML is used to establish a trust relationship between:
- A service provider (the Secure Firewall Threat Defense device or devices to which authentication requests are sent).
- An identity provider (Microsoft Azure AD).
SAML is an open standard developed by the OASIS standards body; for more information, see the SAML Overview.
For more information, see How to Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal).