GlobalProtect SSO does not work, seperate MFA prompts for M365 and GlobalProtect

RafaelD 11 Reputation points

Dear all,

I am doing some testing on Notebooks (Win10, hybrid-joined) that run GlobalProtect and M365 Apps for Enterprise. We have tested them with different Conditional Access Policies, yet there are always separate MFA requests for M365 and GlobalProtect, so I have to assume GP does not access the Primary Refresh Token.
GlobalProtect was configured according to Palo Alto recommendations and SAML SSO enabled.
a) is that behaviour expected? Some personnel of the service provider claimed, as GP didnt support OpenAuth/Openid, this was to be expected.
b) in the latter case, is there a work around?
Thanks so much!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,380 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

    @RafaelD-5678 Thanks for reaching out and apologies for delay on this. Can you point to the step by step setup you followed for this ?
    Did you follow : or something else ?

    If you have setup the SSO correctly, you should not be having multiple MFA prompts,

    You can share us a user information through which We can try to identify and understand why the multiple prompts. You can email us at with subject "Atten-Vipul" and we can get back to you for further details.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments