Learn how to configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine.
Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the
Cloud Identity Engine to collect data from your Azure AD for policy rule enforcement and
user visibility.
To configure an Azure AD in the Cloud Identity Engine, you must
have at least the following role privileges in Azure AD: Application Administrator
and Cloud Application Administrator. For more information about roles in Azure AD,
refer to the following link.
Select the method you want to use to log in to your Azure AD.
Palo Alto Networks strongly recommends the client credential flow, as this
method allows you to use an Azure AD service account for the Cloud Identity
Engine app. Using the client credential flow requires you to configure your
Azure AD with the necessary permissions, so ensure you’ve completed all of the
predeployment steps necessary to Deploy or Migrate to Client Credential Flow for Azure AD.
Auth Code Flow—To make changes to your Azure AD in the Cloud Identity Engine, you must log in to the Azure AD.
(Default) Client Credential Flow—By granting the required permissions in advance, you do not need to log in to the Azure AD to make changes to that directory in the Cloud Identity Engine.
If you select this option, you must copy the Directory ID from the Azure Portal and configure the following permissions for the user’s account:
If you select this option, you must grant additional
permissions for the Cloud Identity Engine in the Azure AD Portal. For more
information, refer to the documentation for Cloud Dynamic User Groups.
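What the client credential flow does at the protocol level, as an added illustration that is not Cloud Identity Engine code and not taken from this page: the app registration authenticates as itself against the Azure AD token endpoint for the tenant identified by the Directory ID, using application permissions that an administrator consented to in advance, so no interactive admin sign-in happens at configuration time. The endpoint and form parameters are the standard Microsoft identity platform v2.0 client_credentials grant; the client ID, secret and token responses below are constructed placeholders, and the code builds and parses messages without sending anything.

```python
"""Illustration of the OAuth 2.0 client_credentials grant against Azure AD.
Added example; not Cloud Identity Engine code. All identifiers are constructed."""
import json
import re
import time
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint. The {tenant} segment is the
# Directory ID copied from the Azure Portal (a GUID).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# ".default" requests every application permission already consented for the app.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample replies, shaped like the endpoint's JSON (values are fake).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "eyJ0eXAi.constructed.token"})
SAMPLE_ERR = json.dumps({"error": "unauthorized_client",
                         "error_description": "constructed: admin consent not granted"})


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for a client_credentials grant.

    The service principal proves its own identity with the secret; there is no
    user and therefore no admin login, which is the difference from the auth
    code flow. Keep the secret in a secret store, never in source or logs.
    """
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Directory ID (a GUID) from the Azure Portal")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(body)


def parse_token_response(raw_json, now=None):
    """Return (access_token, expiry_epoch) from the endpoint's JSON, or raise.

    A missing or not-yet-consented application permission surfaces here as an
    error object rather than as a token, so the failure is caught before any
    directory data is requested.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in response")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])


def token_is_usable(expiry_epoch, now, skew=60):
    """Treat a token as expired slightly early so a long sync does not fail mid-run."""
    return now + skew < expiry_epoch


if __name__ == "__main__":
    url, body = build_token_request("11111111-2222-3333-4444-555555555555",
                                    "constructed-client-id", "constructed-secret")
    print("POST", url)
    print(body.replace("constructed-secret", "<redacted>"))
    token, expiry = parse_token_response(SAMPLE_OK, now=0)
    print("token expires in", int(expiry), "seconds")
```

The tenant check matters in practice: a directory's display name or domain is not accepted in the tenant segment here, only the Directory ID (or a verified domain in the real endpoint), and a typo in it produces a confusing error from the wrong tenant rather than a clear local failure.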
Select whether you want to Collect enterprise applications data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
For beta users of this feature, the Cloud Identity
Engine continues collecting enterprise application data for any directories
configured in your tenant during the beta and no further configuration is
required. If you configure a new directory, you must select whether you want
to collect enterprise application data from the new directory.
(Auth Code Flow only) Sign in with Azure using your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.
You must have an administrative account for the directory to grant the
following required permissions.
Access Azure Service Management
View your basic profile
Maintain access to data you have given it access to
Read directory data
View your email address
Enter your email address or phone number, then click Next.
Enter your password and Sign in.
Consent on behalf of your organization to grant the permissions that the Cloud Identity Engine requires to get the metadata with the list of directories and to confirm that the Cloud Identity Engine tenant can successfully communicate with the Azure directory.
The Cloud Identity Engine checks for the primary directory, which may not be the same as the initial directory.
While the test is in progress, the button displays Testing.
When the Cloud Identity Engine verifies the connection, the button displays Success and lists the domain name and ID for the directory.
If the connection is not successful, the button displays Failed and a red exclamation point. If this occurs, confirm you have entered your Azure credentials correctly.
If you have more than one directory in your Azure AD, select the radio button for each directory and Test Connection. Submit each directory individually.
(Auth Code Flow only) Consent on behalf of your organization to grant the permissions the Cloud Identity Engine requires to access the directory data and Accept to confirm.
(Optional) Enter a unique name in the Directory Name (optional) field to use a customized name for the directory in the Cloud Identity Engine app.
You can use up to 15 lowercase alphanumeric
characters (including hyphens, periods, and underscores) for the directory
name in the Cloud Identity Engine. You don't need to change the name of the
directory itself, only the name of the directory in the Cloud Identity
Engine app.
If you are collecting data for the same domain from both an on-premises
Active Directory (AD) and an Azure AD, Palo Alto Networks recommends that
you create a separate Cloud Identity Engine tenant for each directory type.
If you must use the same Cloud Identity Engine tenant and want to collect
data from both an on-premises AD and an Azure AD, you must customize the
directory name for the Azure AD (for example, by adding
The custom directory name is the alias for your Azure AD in your Cloud
Identity Engine tenant; it does not change the name on your directory.
If you do not enter a custom directory name, the Cloud Identity Engine
uses the default domain name.
The Cloud Identity Engine supports lowercase alphanumeric characters,
periods (.), hyphens (-), and underscores (_).
If you associate the Cloud Identity Engine with Cortex XDR, the
customized directory name must be identical to the
The custom directory name must match the corresponding directory name in
any app that you associate with the Cloud Identity Engine. For example, if
you are using the Cloud Identity Engine with Cortex XDR, the custom
directory name in the Cloud Identity Engine must be the same as the
directory name in Cortex XDR.
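A small pre-check for the custom directory name rules stated above (up to 15 characters; lowercase letters and digits plus periods, hyphens and underscores), as an added example that is not part of this page or the Cloud Identity Engine app. It also derives a distinct alias for an Azure AD that shares a domain with an on-premises AD in the same tenant, trimming the domain part so the result still fits the limit. The tag appended to the alias is the caller's own choice and is an assumption of this example, not a value from the page; `validate_directory_name` and `alias_for` are hypothetical helper names.

```python
"""Pre-check for Cloud Identity Engine custom directory names.
Added example, not code from the page or the product."""
import re

# Rules stated on the page: at most 15 characters, lowercase alphanumerics
# plus ".", "-" and "_".
MAX_LEN = 15
ALLOWED_CHAR = re.compile(r"[a-z0-9._-]")
DIRECTORY_NAME_RE = re.compile(r"^[a-z0-9._-]{1,15}$")


def validate_directory_name(name):
    """Return the list of rule violations; an empty list means the name is acceptable."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters; the maximum is {MAX_LEN}")
    if name != name.lower():
        problems.append("uppercase characters are not allowed")
    unsupported = sorted({ch for ch in name.lower() if not ALLOWED_CHAR.fullmatch(ch)})
    if unsupported:
        problems.append("unsupported characters: " + " ".join(repr(c) for c in unsupported))
    # The itemised rules and the single regex must agree on every input.
    assert bool(DIRECTORY_NAME_RE.match(name)) == (not problems)
    return problems


def alias_for(domain, tag):
    """Build a custom name for an Azure AD whose domain is also served by an
    on-premises AD: lowercase the domain, drop characters the app does not
    accept, append "-<tag>" (tag chosen by the caller, an assumption here),
    and trim the domain part so the whole alias fits MAX_LEN."""
    tag = "".join(ch for ch in tag.lower() if ALLOWED_CHAR.fullmatch(ch))
    base = "".join(ch for ch in domain.lower() if ALLOWED_CHAR.fullmatch(ch))
    room = MAX_LEN - len(tag) - 1  # one character for the separating hyphen
    if room < 1 or not tag:
        raise ValueError("tag leaves no room for the domain part")
    alias = base[:room].rstrip(".-_") + "-" + tag
    assert not validate_directory_name(alias)
    return alias


if __name__ == "__main__":
    for candidate in ("example.com", "Example.com", "corp domain!", "a" * 16):
        print(candidate, "->", validate_directory_name(candidate) or "ok")
    print(alias_for("corporate-example.com", "az"))
```

Because the same name must also be used for the directory in any app associated with the Cloud Identity Engine (Cortex XDR in the page's example), run the candidate through this check once and reuse the exact string on both sides rather than typing it twice.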
When the configuration is complete, Submit the configuration.
When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and begins synchronizing attributes. The Sync Status column displays In Progress while the Cloud Identity Engine collects the attributes.
To add another Azure AD to your Cloud Identity
Engine tenant, you must first log out of the Azure AD that already exists in
the Cloud Identity Engine. After you log out, click
Use the Cloud
Identity Engine app to create, view, delete, rename, or
synchronize tenants and to view or customize the attributes that the
Cloud Identity Engine collects.