CloudGuard SaaS Identity Protection with Azure AD - Troubleshooting
Solution
This page will help you resolve typical issues you may run into while configuring CloudGuard SaaS Identity Protection to work with Azure Active Directory.

Refer to sk166573 for detailed configuration steps.

If you do not find the solution to your issue on this page, open a ticket with Check Point Support.

Issue: I am trying to add a new Custom Control in my Azure Active Directory portal but the option is grayed out.

Resolution:

Make sure that you have one of the following subscriptions: Office 365 E1, E3, E5, F1 or F3, or Azure Active Directory Premium P1 or P2 (for more information on subscription options, see here).

Issue: I get the following error when I try to save the Custom Control object in my Azure AD portal: "Unable to save the custom control. Review the JSON text and try again."

Resolution:

1. Log into your CloudGuard SaaS portal and navigate to:
  • Identity Protection\Configuration\Identity Providers (if your portal has 2 main tabs - Threat Protection and Identity Protection)
  • Otherwise, Identity & Access\Identity Providers
2. Click on the 3 dots at the top-right corner of the box for Azure AD and choose Edit.


3. Click on the content of Custom Controls to copy the entire object and paste it in Azure AD. You should now be able to save the new custom control.

 


Issue: I accidentally deleted the Identity Provider from my CloudGuard SaaS portal.

Resolution: 
  1. Follow the first part of the procedure in sk166573 (Configuration of Azure Active Directory in CloudGuard SaaS Portal).
  2. In your Azure AD portal, navigate to Conditional Access\Policies and delete the existing rule Check Point MFA (the rule using the Check Point Custom Control).
  3. Under Custom Controls, delete the Check Point Custom Controls object.
  4. Follow the second part of the procedure in sk166573 (Configuration in Azure Active Directory portal). 

Issue: I am not able to log into Office 365 (I see a page saying that my login request has been denied).

Resolution: 

1. Make sure that Azure AD is configured with the correct domain name in your CloudGuard SaaS portal. For example, if you log into Office 365 using 'user@mycompany.com', you must have Azure AD configured with 'mycompany.com' as the domain.

2. Log into your CloudGuard SaaS portal and navigate to:
  • Identity Protection\Configuration\Identity Providers (if your portal has 2 main tabs - Threat Protection and Identity Protection)
  • Otherwise, Identity & Access\Identity Providers
3. Make sure that the chosen integration method for Azure AD is Custom Controls. It is displayed in the Azure AD box.

 

4. Make sure that the Check Point Custom Control in the Azure AD portal is the same as the one in your CloudGuard SaaS portal.
  1. Click on the 3 dots at the top-right corner of the box for Azure AD and choose Edit.
  2. Click on the content of Custom Controls to copy the entire object.
  3. In your Azure AD portal, navigate to Conditional Access\Custom Controls and open Check Point Custom Controls.
5. Compare the two objects and, if necessary, paste the JSON copied from the CloudGuard SaaS portal into Azure AD. Then save.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
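
The comparison in steps 4 and 5 can be done by script instead of by eye. The following is an added example, not Check Point's own code: it parses both copied objects, pinpoints a JSON syntax error such as a truncated paste, and lists the paths that differ without echoing their values. The function names and the sample objects are assumptions made for illustration.

```python
import json

def load_control(text, label):
    """Parse one copied Custom Control object and locate any syntax error."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"{label}: invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
        ) from exc
    if not isinstance(obj, dict):
        raise ValueError(f"{label}: expected a JSON object at the top level")
    return obj

def diff_paths(a, b, path="$"):
    """Return the paths where two parsed JSON values differ (values are not echoed)."""
    if isinstance(a, dict) and isinstance(b, dict):
        out = []
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                side = "Azure AD" if key in b else "CloudGuard"
                out.append(f"{path}.{key} (only in {side})")
            else:
                out.extend(diff_paths(a[key], b[key], f"{path}.{key}"))
        return out
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [f"{path} (list length {len(a)} vs {len(b)})"]
        out = []
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff_paths(x, y, f"{path}[{i}]"))
        return out
    return [] if a == b and type(a) is type(b) else [path]

def compare_controls(cloudguard_text, azure_text):
    """Compare the CloudGuard SaaS copy (first) with the Azure AD copy (second)."""
    return diff_paths(load_control(cloudguard_text, "CloudGuard SaaS copy"),
                      load_control(azure_text, "Azure AD copy"))

# Constructed sample objects: field names and values are placeholders,
# not the real Check Point Custom Control.
CLOUDGUARD = ('{"Name": "Example MFA", "ClientId": "00000000-0000-0000-0000-000000000000",'
              ' "Controls": [{"Id": "ExampleControl", "Name": "Example MFA"}]}')
AZURE = ('{"ClientId": "00000000-0000-0000-0000-000000000001", "Name": "Example MFA",'
         ' "Controls": [{"Id": "ExampleControl", "Name": "Example MFA"}]}')

if __name__ == "__main__":
    print(compare_controls(CLOUDGUARD, AZURE) or "objects match")
```

An empty result means the two objects are equivalent even if whitespace or key order differs; any listed path means the JSON from the CloudGuard SaaS portal should be pasted into Azure AD again.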
