Support Center > Search Results > SecureKnowledge Details
How to configure Azure AD and Office 365 with CloudGuard SaaS Identity Protection using Azure AD Custom Controls Technical Level
This article describes how to configure CloudGuard SaaS Identity Protection to work with Azure Active Directory (also known as Azure AD) as a custom authentication factor.

Feature Description

CloudGuard SaaS Identity Protection integrates with Azure AD Custom Controls to provide you with an additional layer of identity verification for user access to SaaS applications. 

Once the feature is enabled, users logging in to Microsoft Online will be redirected to CloudGuard SaaS Identity Protection for additional authentication based on the security policy configured in the CloudGuard SaaS portal.

Identity Protection provides advanced authentication and security controls including ID-Guard Agent verification, conditional access and One-Time-Pass-codes. Refer to the Identity Protection Admin Guide for the full details on policy options.

Important Notes

  1. Gradual deployment is possible, enabling selection of specific groups and users.
  2. Azure AD Custom Controls does not allow CloudGuard SaaS to enforce different access policies for different applications that authenticate with Azure AD. You can select to protect only specific applications with CloudGuard SaaS in the Azure AD portal (see step 8.b in Configuration in the Azure Active Directory portal). The policies in CloudGuard SaaS Identity Protection will apply to all the applications you selected.

Table of Contents

  • Prerequisites
  • Steps
    • Users and Groups Synchronization
    • Configuration of Azure Active Directory in CloudGuard SaaS Portal
    • Configuration in the Azure Active Directory portal


    • Azure Active Directory Premium P1 or P2


    Users and Groups Synchronization

    1. If your portal has 2 main tabs called Threat Protection and Identity Protection, navigate to Identity Protection\Configuration\SaaS Applications. Otherwise, navigate to Asset Management\SaaS Applications.

    2. Click on Azure Active Directory. In the window that opens, click Continue to redirect to the Microsoft sign-in page.

    3. After you sign in with global administrator credentials, you must give CloudGuard SaaS access permissions to Microsoft APIs.

    4. You will then be redirected to CloudGuard SaaS. Azure Active Directory now appears under the section for Activated applications. Allow up to a half hour for users and Groups to be synchronized with Azure AD.

    Configuration of Azure Active Directory in CloudGuard SaaS Portal

    1. Log into the CloudGuard SaaS portal.

    a. If your portal has 2 main tabs called Threat Protection and Identity Protection, navigate to Identity Protection\Configuration\Identity Providers. Otherwise, proceed to step 1.b.

    b. Go to the module Identity & Access. Under the tab Identity Providers, click on Add Identity Provider.

    2. In the wizard that opens, select Microsoft Azure AD and click Next.

    3. Enter your domain. For the integration method, choose the second option - Custom Controls and click next.

    4. Copy the content of the field Custom Controls by clicking on the icon next to it. You will use it later in the Azure AD portal. 

    5. Click Finish to save.

    Configuration in Azure Active Directory portal

    1. Go to the Azure Active Directory portal and log in with your administrator credentials.

    2. Click on the menu icon in the top left corner of the screen and select All Services.


    3. Type"conditional" in the search bar to find Azure AD Conditional Access. Click on it.

    4. Open the menu Custom Controls and click to add a new custom control.

    5. Paste the JSON object copied in the first section (step 4) into the custom control. Click Create.

    6. In the left side menu, click on Policies. Then click on New Policy.

    7. Fill out the rule name: for example, Check Point MFA.

    8. Under Assignments:

    a. Select the users you want to protect using CloudGuard SaaS. You can start with a small group and, later on, expand the protection to all your users.

    b. For cloud applications, select Office 365 and click Done.

    9. Under Access controls, click Grant and select the Check Point Custom Control created in step 5.

    10. Click On under Enable Policy. Click Create to save.

    11. You are done. Login requests for users you included in your Azure AD policy rule (step 8.a) will start to be transferred to CloudGuard SaaS Identity Protection within the next few minutes.

    If you experience issues, refer to the basic troubleshooting guide here.
    This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

    Give us Feedback
    Please rate this document