GlobalProtect VPN seems to be overprovisioned

Hi all!

I am trying to determine if something is wrong at a configuration level here or if I am just missing a step. I am looking at allowing GlobalProtect through an Azure Enterprise Application following instructions like these. In addition to the steps defined in that KB article, I have also clicked “Users and groups” in the Enterprise Application and restricted access to a specific security group of people who should have VPN access - we don’t want this open to every single user because not all of them require the ability to connect outside the office.

Everything is going according to plan, and users can make VPN connections… but that includes users who are absolutely not in the security group for the Enterprise Application. Everyone with an AAD account is able to make a connection regardless of whether they are in the security group or not.

To the best of my understanding, configuring the Enterprise Application this way should be preventing this. Am I incorrect in that assumption and reading the information wrong? Or is there a second step that I am missing somewhere that I need to apply? I’d appreciate any documentation anyone has that can point me in the right direction.

Thanks in advance!

We are using this same config without issue. Have you checked your Auth profile on the Gateway to make double/triple sure it is pointing at the correct Identity Provider for SAML?

Has the Assignment Required option been set under the enterprise app's properties?

Thanks for the suggestion; I will connect with our network team this week and see. Appreciate it!

Just double checked and yes, it has been. Thanks for the suggestion!

Update to this: this ended up being it after all. Someone else set up a second policy for testing that was supposed to be just for 3 people, but that one did not have Assignment Required set, so everyone was getting in through the test. Thanks!
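The lesson of this thread is that restricting "Users and groups" on an enterprise application does nothing unless "Assignment required?" is set to Yes, and that a second test copy of the app with the setting left at No quietly lets every tenant user in. The audit below is an added example, not code from the original posts or from Palo Alto or Microsoft: it walks a Microsoft Graph servicePrincipals listing and flags every enterprise app where appRoleAssignmentRequired is not true, optionally narrowed to SAML apps or to a display-name substring such as "GlobalProtect". The sample response, GUIDs and app names are constructed for illustration; fetch_all_service_principals shows how the real list would be pulled with a bearer token but is not exercised here.

```python
"""Audit Entra ID (Azure AD) enterprise applications for "Assignment required? = No".

Added example, not from the original thread. Uses the real Microsoft Graph
servicePrincipal fields appRoleAssignmentRequired and preferredSingleSignOnMode;
the sample response below is constructed (made-up GUIDs and names).
"""
import json
import urllib.request
from typing import Iterable, Optional

GRAPH_SP_URL = (
    "https://graph.microsoft.com/v1.0/servicePrincipals"
    "?$select=id,appId,displayName,appRoleAssignmentRequired,preferredSingleSignOnMode"
)

# Constructed sample shaped like one page of the Graph response to GRAPH_SP_URL.
# The "- TEST" copy is the situation from the thread: a second SAML app for the
# same VPN with assignment not required, so anyone in the tenant can sign in.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111",
         "appId": "aaaaaaaa-1111-1111-1111-111111111111",
         "displayName": "GlobalProtect VPN",
         "appRoleAssignmentRequired": True,
         "preferredSingleSignOnMode": "saml"},
        {"id": "22222222-2222-2222-2222-222222222222",
         "appId": "aaaaaaaa-2222-2222-2222-222222222222",
         "displayName": "GlobalProtect VPN - TEST",
         "appRoleAssignmentRequired": False,
         "preferredSingleSignOnMode": "saml"},
        {"id": "33333333-3333-3333-3333-333333333333",
         "appId": "aaaaaaaa-3333-3333-3333-333333333333",
         "displayName": "Some other app",
         "appRoleAssignmentRequired": False,
         "preferredSingleSignOnMode": None},
        # appRoleAssignmentRequired deliberately absent to exercise the default.
        {"id": "44444444-4444-4444-4444-444444444444",
         "appId": "aaaaaaaa-4444-4444-4444-444444444444",
         "displayName": "Office 365 SharePoint Online",
         "preferredSingleSignOnMode": None},
    ]
})


def parse_service_principals(body: str) -> list[dict]:
    """Parse one page of a Graph servicePrincipals listing into a list of dicts."""
    return list(json.loads(body).get("value", []))


def open_assignment_apps(sps: Iterable[dict],
                         name_filter: Optional[str] = None,
                         sso_mode: Optional[str] = None) -> list[dict]:
    """Return service principals that any signed-in user can use (Assignment required? = No).

    A missing appRoleAssignmentRequired is treated as False: that is the default
    for a newly created service principal, and it is the unsafe direction.
    name_filter is a case-insensitive displayName substring; sso_mode matches
    preferredSingleSignOnMode exactly (e.g. "saml").
    """
    flagged = []
    for sp in sps:
        if sp.get("appRoleAssignmentRequired") is True:
            continue
        if name_filter and name_filter.lower() not in sp.get("displayName", "").lower():
            continue
        if sso_mode and sp.get("preferredSingleSignOnMode") != sso_mode:
            continue
        flagged.append(sp)
    return flagged


def fetch_all_service_principals(access_token: str) -> list[dict]:
    """Page through Graph with a bearer token (Application.Read.All or Directory.Read.All).

    Shown for completeness; not exercised by the offline sample above.
    """
    sps, url = [], GRAPH_SP_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        sps.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # Graph paginates; follow until absent
    return sps


if __name__ == "__main__":
    # Offline run over the constructed sample, narrowed to SAML apps as a VPN IdP would be.
    for sp in open_assignment_apps(parse_service_principals(SAMPLE_GRAPH_RESPONSE), sso_mode="saml"):
        print(f"OPEN TO ALL USERS: {sp['displayName']} (appId {sp['appId']})")
```

Running it against the sample flags only "GlobalProtect VPN - TEST", which is exactly the second policy that let everyone through in the thread. Against a live tenant, replace the sample with fetch_all_service_principals(token) and run it without the name filter as well: a stray test copy of the app will not necessarily carry "GlobalProtect" in its name, and any SAML app with assignment not required is reachable by every user the IdP can authenticate.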