Configure Azure Active Directory
Learn how to configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine.
Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy enforcement and user visibility.
To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the following link.
- Log in to the hub and select the Cloud Identity Engine app.
- In the Cloud Identity Engine app, select.DirectoriesAdd Directory
- Set UpaCloud Directoryand selectAzure.If you have an Azure AD in a government environment, selectAzure Government. For more information, contact your support representative.
- Select whether you want to use the authentication code flow or the client credential flow to log in to your Azure AD.The client credential flow is strongly recommended, as this method allows you to use an Azure AD service account for the Cloud Identity Engine app. Using the client credential flow requires you to configure your Azure AD with the necessary permissions, so ensure you have completed all of the pre-deployment steps necessary to Deploy Client Credential Flow for Azure Active Directory.To use the client certificate option, the Cloud Identity Engine requires access to the client certificate. For users who have Linux, ensure your client certificate is installed at the browser level certificate store, unless you are using GlobalProtect with a smart card. For all other operating systems, ensure you install the client certificate at the system level certificate store.
- Auth Code Flow—To make changes to your Azure AD in the Cloud Identity Engine, you must log in to the Azure AD.
- (Default)Client Credential Flow—By granting the required permissions in advance, you will not need to log in to the Azure AD to make changes to that directory in the Cloud Identity Engine.If you select this option, you must copy theDirectory IDfrom the Azure Portal and configure the following permissions for the user’s account:
- (Auth Code Flow only)Sign in with Azureusing your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.You must have an administrative account for the directory to grant the following required permissions.
- Access Azure Service Management
- View your basic profile
- Maintain access to data you have given it access to
- Read directory data
- View your email address
- Enter your email address or phone number then clickNext.
- Enter your password andSign in.
- Consent on behalf your organizationto grant the permissions that the Cloud Identity Engine requires to get the metadata with the list of directories andAcceptto confirm.The button displaysLogged Inwhen the authentication is successful.
- (Client credential flow only)Enter theDirectory ID,Client ID, andClient Secretto Deploy Client Credential Flow for Azure Active Directory.
- ClickTest Connectionto confirm that the Cloud Identity Engine instance can successfully communicate with the Azure directory.
- The Cloud Identity Engine checks for the primary directory, which may not be the same as initial directory.
- While the test is in progress, the button displaysTesting.
- When the Cloud Identity Engine verifies the connection, the button displaysSuccessand lists the domain name and ID for the directory.
- If the connection is not successful, the button displaysFailedand a red exclamation point. If this occurs, confirm you have entered your Azure credentials correctly.
- If you have more than one directory in your Azure AD, select the radio button for each directory andTest Connection.Submiteach directory individually.
- (Auth Code Flow only)Consent on behalf your organizationto grant the permissions the Cloud Identity Engine requires to access the directory data andAcceptto confirm.
- Customize Directory Nameto enter a different name for the directory.If you are collecting data for the same domain from both an on-premises Active Directory (AD) and an Azure AD, Palo Alto Networks recommends that you create a separate Cloud Identity Engine instance for each directory type. If you must use the same Cloud Identity Engine instance and want to collect data from both an on-premises AD and an Azure AD, you must customize the directory name for the Azure AD (for example, by adding.aadtoCustomize Directory Name) then Reconnect Azure Active Directory. Any applications that you associate with the Cloud Identity Engine use the custom directory name.
The custom directory name must match the corresponding directory name in any app that you associate with the Cloud Identity Engine. For example, if you are using the Cloud Identity Engine with Cortex XDR, the custom directory name in the Cloud Identity Engine must be the same as the directory name in Cortex XDR.
- The custom directory name is the alias for your Azure AD in your Cloud Identity Engine instance; it does not change the name on your directory. If you do not enter a custom directory name, the Cloud Identity Engine uses the default domain name.
- The Cloud Identity Engine supports lowercase alphanumeric characters, periods (.), hyphens (-), and underscores (_).
- If you associate the Cloud Identity Engine with Cortex XDR, the customized directory name must be identical to theDomainyou select in Cortex XDR.
- When the configuration is complete,Submitthe configuration.When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and begins synchronizing attributes. TheSync Statuscolumn displaysIn Progresswhile the Cloud Identity Engine collects the attributes.To add another Azure AD to your Cloud Identity Engine instance, you must first log out of the Azure AD that already exists in the Cloud Identity Engine. After you log out, clickAdd Directoryand repeat Steps 2-6 using the credentials for the new Azure AD in Configure Azure Active Directory.Now that you have configured your Azure Active Directory in the Cloud Identity Engine, you can take the following next steps:
- For a comprehensive user identity and authentication solution, learn how to Authenticate Users with the Cloud Identity Engine.
Recommended For You
Recommended videos not found.