The GlobalProtect VPN normally would prompt me with an Office 365 page to specify which account I want to log in with, but that no longer appears and it will automatically use my Windows account.

If you are not seeing the GlobalProtect icon in your menu bar, there is a CLI command to bring it up: on the terminal prompt, enter "globalprotect launch-ui". (NOTE: It may take longer than expected for the Online Passport page to appear in the next step.)

We have MFA deployed via a conditional access rule.

As shown above, the SAML agent configuration has to have the "Connect Method" set to pre-logon, even though it has nothing to do with it.

This is similar to the idea of a Kerberos ticket you'd get on-prem from an AD Domain Controller running the KDC.

Under the GlobalProtect VPN SAML app on Okta, add a new policy that users should use MFA, so they have to verify their login with the app.

It is set up to take domain credentials, plus Microsoft MFA, plus a check for a certificate on the client machine.

While RADIUS or SAML support in GlobalProtect allows you to achieve OTP-based authentication at the time of connecting to GlobalProtect, Multi-Factor Authentication (MFA) provides a way to require OTP at the time of accessing specific resources.

The browser connection to the portal functions as I would expect: every time you close the browser and log back in, you are prompted for 2FA.

His MFA setting is to be notified via the phone app.

RADIUS functions correctly, prompting users every time they connect; however, since RADIUS is doing the authentication, the client just sits there, leaving users clueless as to what to do next.
It's not foolproof, as occasionally the firewall does not even try to send the auth requests out via the specified interface; for that we have to modify our authentication server profile, commit the change, and then, magically, the firewall starts sending the authentication requests out.

If everything is configured properly, when connecting, your GlobalProtect app should prompt for your login credentials and then ask whether you want a push notification or to enter a PIN code (OTP).

Since you mentioned that you need the users to be MFA-challenged when they are logging in from untrusted locations, the conditional access policy in this case is in conflict.

"Prelogon" with the value "1".

I received a call today for one user who experiences an excessive number of MFA prompts.

The GP client will automatically connect to this portal as soon as it has been installed.

Looking at the sign-ins report for this user, we have confirmed that the IPs I see are his external IP, but there are a lot of failures and interrupted sign-ins.

If you have set up SSO correctly, you should not be getting multiple MFA prompts: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial#configure-azure-ad-sso. You can share a user's information with us so we can try to identify and understand why there are multiple prompts.

This quick and seemingly uneventful sign-in process results in the user/Windows 10 device obtaining a new type of cloud-aware credential from Azure AD known as a "Primary Refresh Token", or PRT.

The authd.log in the CLI shows "Auth FAILED" here.

To disconnect, click the GlobalProtect icon again, then click Disconnect.

I am getting the error message that states "The account needs to be added as an external user in the tenant first."

However, we have a weird little issue where some users (two so far) only have to provide MFA when connecting: GlobalProtect does not prompt for username/password.
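The "excessive MFA prompts" complaint above is usually triaged from the Azure AD sign-ins report. The following Python is an added example, not code from any of the posters or from Palo Alto Networks or Microsoft: it runs a small triage over constructed sign-in records whose shape imitates the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, ipAddress, appDisplayName, status.errorCode, conditionalAccessStatus, authenticationRequirement). The sample records, the enterprise-app display name, the set of error codes treated as "interrupted for MFA" and the alerting threshold are all assumptions made for the example; confirm the codes against your own tenant's log before reusing the logic.

```python
"""Triage one user's Azure AD sign-in records for repeated MFA interrupts.

Every record below is constructed for this example. The field names follow the
Microsoft Graph signIn resource, but the values and the meaning assigned to the
error codes are assumptions, not exported tenant data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumption: these status.errorCode values mean "sign-in was interrupted so the
# user could complete MFA". Check them against your own sign-in log before use.
MFA_INTERRUPT_CODES = {50074, 50076}

# Assumed display name of the GlobalProtect enterprise application in the tenant.
GP_APP = "Palo Alto Networks - GlobalProtect"


def _rec(user, ts, ip, code, app=GP_APP, req="multiFactorAuthentication"):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {
        "userPrincipalName": user,
        "createdDateTime": ts,
        "ipAddress": ip,
        "appDisplayName": app,
        "status": {"errorCode": code},
        "conditionalAccessStatus": "success",
        "authenticationRequirement": req,
    }


# Constructed data: alice is interrupted for MFA four times in 90 minutes from a
# single external IP (plus one assumed bad-password failure); bob signs in once.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2023-05-01T08:00:00Z", "203.0.113.10", 50076),
    _rec("alice@example.com", "2023-05-01T08:05:00Z", "203.0.113.10", 0),
    _rec("alice@example.com", "2023-05-01T08:20:00Z", "203.0.113.10", 50076),
    _rec("alice@example.com", "2023-05-01T08:25:00Z", "203.0.113.10", 0),
    _rec("alice@example.com", "2023-05-01T08:40:00Z", "203.0.113.10", 50074),
    _rec("alice@example.com", "2023-05-01T08:45:00Z", "203.0.113.10", 50126),
    _rec("alice@example.com", "2023-05-01T09:30:00Z", "203.0.113.10", 50076),
    _rec("alice@example.com", "2023-05-01T09:31:00Z", "203.0.113.10", 0),
    _rec("bob@example.com", "2023-05-01T08:10:00Z", "198.51.100.7", 0),
]


def parse_time(value):
    """createdDateTime in the log is UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(record):
    """Bucket a record as success, mfa_interrupt or failure by its error code."""
    code = record["status"]["errorCode"]
    if code == 0:
        return "success"
    if code in MFA_INTERRUPT_CODES:
        return "mfa_interrupt"
    return "failure"


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def summarize(records, user, app=GP_APP, window=timedelta(hours=1)):
    """Per-user view of the GlobalProtect sign-ins relevant to the MFA-prompt complaint."""
    mine = [r for r in records
            if r["userPrincipalName"] == user and r["appDisplayName"] == app]
    buckets = Counter(classify(r) for r in mine)
    interrupt_times = [parse_time(r["createdDateTime"])
                       for r in mine if classify(r) == "mfa_interrupt"]
    return {
        "total": len(mine),
        "success": buckets["success"],
        "mfa_interrupts": buckets["mfa_interrupt"],
        "failures": buckets["failure"],
        "distinct_ips": len({r["ipAddress"] for r in mine}),
        "max_prompts_in_window": max_events_in_window(interrupt_times, window),
    }


def is_excessive(summary, threshold=3):
    """Flag a user who was interrupted for MFA `threshold` or more times within one window.

    A stable single IP alongside the repeats makes an SSO/PRT problem more likely
    than an attacker, but that judgement is left to the analyst."""
    return summary["max_prompts_in_window"] >= threshold


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com"):
        s = summarize(SAMPLE_SIGNINS, user)
        print(user, s, "EXCESSIVE" if is_excessive(s) else "ok")
```

Run against a real export, the interesting columns are exactly the ones the reply above asks for: whether the prompts cluster in time from one IP (which points at the SSO/PRT path not being used) or are spread across many IPs (which is a different conversation).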
We have GlobalProtect deployed with Azure MFA authentication.

This sets pre-logon active.

GlobalProtect Authentication set to RADIUS
RADIUS Server Authentication Protocol: PEAP-MSCHAPv2
Azure RADIUS MFA configured with Text Message
After entering the username/password for GlobalProtect, the second authentication prompt for "Enter PIN code" never popped up.

This is actually all working well for the most part.

As per the What If results, the MFA requirement is "satisfied", hence the users have been granted access.