Configure Azure Active Directory

Learn how to configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine.
Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy rule enforcement and user visibility.
To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the following link.
As an alternative, you can also Configure SCIM Connector for the Cloud Identity Engine to select the attribute data you want to collect with the Cloud Identity Engine.
To further reduce sync time and minimize the amount of data collected by the Cloud Identity Engine, you can configure the Cloud Identity Engine to sync only specific groups from your directory by filtering the groups (see step 5). Because SCIM is most suitable for small and frequent data requests, directory update intervals are restricted by Microsoft to once every 40 minutes. If you choose to filter the groups instead, directory updates can be as often as every 5 minutes. Choose the best option for your deployment based on your organizational and regulatory requirements.
When you configure an Azure AD for the Cloud Identity Engine, log in, and grant the necessary permissions, Microsoft automatically installs the Azure gallery app that allows the Cloud Identity Engine to collect attributes from your Azure directory.

Configure the Client Credential Flow Using the CIE Gallery App

  1. Copy the directory ID for your Azure directory.
    1. Log in to the Azure administrator portal using the credentials of the account you want to use to connect to the Cloud Identity Engine (for example, a service account) and select Overview.
    2. Copy the Directory (tenant) ID and store it in a secure location.
  2. Set up your Azure directory in the Cloud Identity Engine.
    1. In the Cloud Identity Engine app, select Directories, then click Add New Directory.
    2. Set Up an Azure directory.
  3. (Optional) Select additional information types to collect from your Azure directory.
    To simplify deployment, Azure automatically enables the necessary permissions for these options when you click Accept in step 4.e. If you do not want to collect additional information types, you can revoke permissions. If you select an option but the permission has been revoked, the initial sync cannot complete successfully. To enable permissions that have been revoked, edit the directory, select the additional information type you want to use, and test the connection to log in and confirm the updated permissions. The following list provides the permissions for each additional information type.
    • Collect user risk information from Azure AD Identity Protection:
      • IdentityRiskyUser.Read.All
      • IdentityRiskEvent.Read.All
      For more information, refer to Create a Cloud Dynamic User Group.
    • Collect Roles and Administrators (Administrative roles): Directory.Read.All or RoleManagement.Read.Directory.
    • Collect enterprise applications: Application.Read.All
    1. Select whether you want to Collect user risk information from Azure AD Identity Protection to use in attribute-based Cloud Dynamic User Groups.
    2. Select whether you want to Collect Roles and Administrators (Administrative roles) to retrieve roleAssignments attribute information for users and groups. Allowing the Cloud Identity Engine to include this information for analysis helps to prevent role-based malicious attacks.
      By default, the Cloud Identity Engine enables this option for tenants that are associated with Cortex XDR.
      If you do not see the Collect Roles and Administrators (Administrative roles) option, reconnect your directory to select the option.
    3. Select whether you want to Collect enterprise applications data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
  4. Configure your Azure directory information in the Cloud Identity Engine.
    1. Enter the directory ID you copied in step 1.b as the Directory ID.
    2. Click Test Connection to confirm that the Cloud Identity Engine can successfully connect to your Azure AD tenant.
    3. Enter the email address or phone number for the account you use to connect to the Cloud Identity Engine (for example, a service account), then click Next.
    4. Enter your password and Sign in.
    5. Click Accept to grant the necessary permissions for your Azure directory.
      When you accept, Azure automatically enables the following required permissions, as well as the additional information type permissions listed in step 3:
      • Device.Read.All—Application, Read all devices
      • Group.Read.All—Application, Read all groups
      • User.Read.All—Application, Read all users' full profiles
      • User.Read—Delegated, Sign in and read user profile
    6. (Optional) Enter a new name to Customize Directory Name in the Cloud Identity Engine.
  5. (Optional) Select whether you want to Filter Azure Active Directory Groups.
    1. Select the group attribute you want to use as a filter.
      • Name—Filter the groups based on the group name.
      • Unique Identifier—Filter the groups based on the unique identifier for the group.
    2. Select how you want to filter the groups.
      • (for Name attribute only) begins with—Filter the groups based on a partial match for the text you enter. The filter supports spaces in the search query.
      • is equal to—Filter the groups based on an exact match for the text you enter.
    3. Enter the search query you want to use to filter the groups (alphanumeric characters for a name or numeric characters for a unique identifier).
    4. (Optional) Configure an additional filter by clicking Add OR and repeating the previous three steps for each filter you want to include.
      If you select additional attributes as match conditions, the Cloud Identity Engine initially attempts to find a match for the first condition, then continues to match based on the additional conditions you specify.
  6. Submit your changes and verify your directory information when the Directories page displays.
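The permission lists in steps 3 and 4.e are worth checking against what is actually granted to the gallery app in your tenant, both to catch the failure mode described in step 3 (an option selected while its permission has been revoked, so the initial sync never completes) and to spot grants that nothing you selected needs. The following script is an added example written for this page; it is not Palo Alto Networks code and does not call Microsoft Graph. It assumes you have exported the permission names currently granted to the CIE service principal into a plain list (the GRANTED list below is constructed), and the option labels user_risk, roles and enterprise_apps are this example's own names for the three additional information types. The Directory.Read.All or RoleManagement.Read.Directory alternative from step 3 is modelled as a choice of alternatives; the delegated versus application distinction shown in step 4.e is not modelled.

```python
"""Least-privilege review of the permissions granted to the Cloud Identity
Engine gallery app, based on the permission lists given on the page."""

# Required permissions that Azure enables when you click Accept (step 4.e).
REQUIRED = {"Device.Read.All", "Group.Read.All", "User.Read.All", "User.Read"}

# Optional information types (labels are this example's own). Each maps to a
# list of alternative permission sets; granting any one alternative is enough.
OPTIONAL = {
    "user_risk": [{"IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"}],
    "roles": [{"Directory.Read.All"}, {"RoleManagement.Read.Directory"}],
    "enterprise_apps": [{"Application.Read.All"}],
}


def review(granted, selected):
    """Compare granted permission names with the options selected in step 3.

    Returns a dict with the missing required permissions, the selected options
    whose permissions are not (or no longer) granted, the granted permissions
    that nothing selected needs, and whether the initial sync can succeed.
    """
    granted = set(granted)
    selected = set(selected)
    unknown = selected - OPTIONAL.keys()
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")

    missing_required = sorted(REQUIRED - granted)

    # An option is satisfied as soon as one alternative is fully granted; the
    # alternative that satisfied it counts as needed, any other is excess.
    needed = set(REQUIRED)
    unsatisfied = []
    for opt in sorted(selected):
        for alternative in OPTIONAL[opt]:
            if alternative <= granted:
                needed |= alternative
                break
        else:
            unsatisfied.append(opt)

    return {
        "missing_required": missing_required,
        "unsatisfied_options": unsatisfied,
        "excess": sorted(granted - needed),
        "sync_can_start": not missing_required and not unsatisfied,
    }


# Constructed export: required permissions plus two optional ones, as an admin
# might see after revoking the Identity Protection grants.
GRANTED = [
    "Device.Read.All", "Group.Read.All", "User.Read.All", "User.Read",
    "Directory.Read.All", "Application.Read.All",
]
SELECTED = ["roles", "user_risk"]  # options ticked in step 3


if __name__ == "__main__":
    for key, value in review(GRANTED, SELECTED).items():
        print(f"{key}: {value}")
```

Run it against your own export before clicking Test Connection: an entry in unsatisfied_options means the sync will not complete for that option until the permission is re-granted, and entries in excess are grants you can revoke if you do not plan to select the corresponding option.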

Edit Auth Code Flow for Azure AD

This method has been deprecated and is not available for new configurations, only existing configurations. For new configurations, refer to Deploy or Migrate to Client Credential Flow for Azure AD.
  1. Log in to the hub and select the Cloud Identity Engine app.
  2. In the Cloud Identity Engine app, select Directories, then Edit the directory.
  3. Select the method you want to use to log in to your Azure AD.
    Palo Alto Networks strongly recommends the client credential flow (CIE Gallery App). Using the client credential flow requires you to configure your Azure AD with the necessary permissions, so ensure you've completed all of the predeployment steps necessary to Deploy or Migrate to Client Credential Flow for Azure AD.
    • Client Credential Flow (CIE Gallery App) (Default)—Use the CIE app from the gallery with the Cloud Identity Engine. You will only need to enter the directory ID.
    • Client Credential Flow—By granting the required permissions in advance, you do not need to log in to the Azure AD to make changes to that directory in the Cloud Identity Engine. For more information, refer to Deploy or Migrate to Client Credential Flow for Azure AD.
  4. Select whether you want to Collect user risk information from Azure AD Identity Protection to use in attribute-based Cloud Dynamic User Groups.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to the documentation for Cloud Dynamic User Groups.
  5. Select whether you want to Collect Roles and Administrators (Administrative roles) to retrieve roleAssignments attribute information for users and groups. Allowing the Cloud Identity Engine to include this information for analysis helps to prevent role-based malicious attacks. By default, the Cloud Identity Engine enables this option for tenants that are associated with Cortex XDR.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to step 9.
    If you do not see the Collect Roles and Administrators (Administrative roles) option, reconnect your directory to view and select the option.
  6. Select whether you want to Collect enterprise applications data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
    For beta users of this feature, the Cloud Identity Engine continues collecting enterprise application data for any directories configured in your tenant during the beta and no further configuration is required. If you configure a new directory, you must select whether you want to collect enterprise application data from the new directory and grant the additional privileges. For more information, see step 9.
  7. Restore the connection using your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.
    You must have an administrative account for the directory to grant the following required permissions.
    • Access Azure Service Management
    • View your basic profile
    • Maintain access to data you have given it access to
    • Read directory data
    • View your email address
    1. Enter your email address or phone number, then click Next.
    2. Enter your password and Sign in.
    3. Consent on behalf of your organization to grant the permissions that the Cloud Identity Engine requires to get the metadata with the list of directories, and Accept to confirm.
      The button displays Logged In when the authentication is successful.
  8. Click Test Connection to confirm that the Cloud Identity Engine tenant can successfully communicate with the Azure directory.
    • The Cloud Identity Engine checks for the primary directory, which may not be the same as the initial directory.
    • While the test is in progress, the button displays Testing.
    • When the Cloud Identity Engine verifies the connection, the button displays Success and lists the domain name and ID for the directory.
    • If the connection is not successful, the button displays Failed and a red exclamation point. If this occurs, confirm that you have entered your Azure credentials correctly.
    • If you have more than one directory in your Azure AD, select the radio button for each directory and Test Connection. Submit each directory individually.
  9. Consent on behalf of your organization to grant the permissions the Cloud Identity Engine requires to access the directory data, and Accept to confirm.
    • If you want to use user risk information in attribute-based Cloud Dynamic User Groups, you must grant additional permissions. For more information, refer to the documentation on how to Create a Cloud Dynamic User Group.
    • If you select the Collect Roles and Administrators (Administrative roles) option in step 5 and you have already granted the Directory.Read.All scope, no further permissions are required. Otherwise, you must also grant the RoleManagement.Read.Directory scope to collect role and administrator information.
    • If you select the Collect enterprise applications option in step 6, you must grant the Application.Read.All scope.
  10. (Optional) Enter a unique name in the Directory Name (optional) field to use a customized name for the directory in the Cloud Identity Engine app.
    You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
    If you are collecting data for the same domain from both an on-premises Active Directory (AD) and an Azure AD, Palo Alto Networks recommends that you create a separate Cloud Identity Engine tenant for each directory type. If you must use the same Cloud Identity Engine tenant and want to collect data from both an on-premises AD and an Azure AD, you must customize the directory name for the Azure AD (for example, by adding .aad to Customize Directory Name), then Reconnect Azure Active Directory. Any applications that you associate with the Cloud Identity Engine use the custom directory name.
    • The custom directory name is the alias for your Azure AD in your Cloud Identity Engine tenant; it does not change the name of your directory. If you do not enter a custom directory name, the Cloud Identity Engine uses the default domain name.
    • The Cloud Identity Engine supports lowercase alphanumeric characters, periods (.), hyphens (-), and underscores (_).
    • If you associate the Cloud Identity Engine with Cortex XDR, the customized directory name must be identical to the Domain you select in Cortex XDR.
    The custom directory name must match the corresponding directory name in any app that you associate with the Cloud Identity Engine. For example, if you are using the Cloud Identity Engine with Cortex XDR, the custom directory name in the Cloud Identity Engine must be the same as the directory name in Cortex XDR.
  11. (Optional) Select whether you want to Filter Azure Active Directory Groups.
    To reduce sync time and minimize the amount of data collected by the Cloud Identity Engine, you can configure the Cloud Identity Engine to sync only specific groups from your directory. To do this, you can Configure SCIM Connector for the Cloud Identity Engine or you can filter the groups. Because SCIM is most suitable for small and frequent data requests, directory update intervals are restricted to once every 40 minutes. If you choose to filter the groups instead, directory updates can be as often as every 5 minutes. Choose the best option for your deployment based on your organizational and regulatory requirements.
    1. Select the group attribute you want to use as a filter.
      • Name—Filter the groups based on the group name.
      • Unique Identifier—Filter the groups based on the unique identifier for the group.
    2. Select how you want to filter the groups.
      • (for Name attribute only) begins with—Filter the groups based on a partial match for the text you enter.
      • is equal to—Filter the groups based on an exact match for the text you enter.
    3. Enter the text you want to use to filter the groups.
    4. (Optional) Configure an additional filter by clicking Add OR and repeating the previous three steps for each filter you want to include.
      When you configure additional attributes, the Cloud Identity Engine initially attempts to find a match for the first criterion in the configuration, then continues to attempt to match based on the additional criteria you specify.
  12. When the configuration is complete, Submit the configuration.
    When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and begins synchronizing attributes. The Sync Status column displays In Progress while the Cloud Identity Engine collects the attributes.
    To add another Azure AD to your Cloud Identity Engine tenant, you must first log out of the Azure AD that already exists in the Cloud Identity Engine. After you log out, click Add New Directory and repeat steps 3 through 12 using the credentials for the new Azure AD in Configure Azure Active Directory.
    Now that you have configured your Azure Active Directory in the Cloud Identity Engine, you can take the following next steps:
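The group filter described in step 5 of the first procedure and step 11 of the second (Name or Unique Identifier as the attribute, begins with or is equal to as the operator, further filters joined by Add OR) is easy to misjudge before the first sync runs, and a wrong filter either over-collects or silently drops groups your policy depends on. The script below is an added example for this page, not Palo Alto Networks code, that models those rules offline so you can preview which groups a filter set would sync. It assumes the group records carry displayName and id fields (these field names are this example's assumption; the records themselves are constructed), that matching is case-sensitive, and that filters are evaluated in order with OR semantics, as the page describes: a group is synced if the first filter matches it, or failing that any later one.

```python
"""Offline preview of an Azure AD group filter set for the Cloud Identity Engine."""
from dataclasses import dataclass

ATTRIBUTES = ("Name", "Unique Identifier")
OPERATORS = ("begins with", "is equal to")


@dataclass(frozen=True)
class GroupFilter:
    """One filter row: attribute, operator and the text entered as the query."""
    attribute: str
    operator: str
    query: str


def validate(f):
    """Reject combinations the page says the UI does not offer."""
    if f.attribute not in ATTRIBUTES:
        raise ValueError(f"unsupported attribute: {f.attribute!r}")
    if f.operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {f.operator!r}")
    if f.attribute == "Unique Identifier" and f.operator == "begins with":
        raise ValueError("'begins with' is available for the Name attribute only")
    if not f.query:
        raise ValueError("the search query must not be empty")


def matches(group, f):
    """Evaluate a single filter against one group record (case-sensitive)."""
    value = group["displayName"] if f.attribute == "Name" else group["id"]
    if f.operator == "begins with":
        return value.startswith(f.query)   # partial match; spaces are allowed
    return value == f.query                # exact match


def select_groups(groups, filters):
    """Return the display names of the groups the filter set would sync.

    Filters are combined with OR: the first filter is tried first and later
    ones only if it does not match, so a group needs just one matching row.
    """
    for f in filters:
        validate(f)
    return [g["displayName"] for g in groups if any(matches(g, f) for f in filters)]


# Constructed sample directory; id values are placeholders, not real object IDs.
GROUPS = [
    {"displayName": "sec-vpn-users", "id": "00000000-0000-0000-0000-000000000001"},
    {"displayName": "sec-admins",    "id": "00000000-0000-0000-0000-000000000002"},
    {"displayName": "All Staff",     "id": "00000000-0000-0000-0000-000000000003"},
    {"displayName": "Finance Team",  "id": "00000000-0000-0000-0000-000000000004"},
]

# Constructed filter set: every group whose name begins with "sec-", OR the
# one group identified exactly by its unique identifier.
FILTERS = [
    GroupFilter("Name", "begins with", "sec-"),
    GroupFilter("Unique Identifier", "is equal to", "00000000-0000-0000-0000-000000000004"),
]


if __name__ == "__main__":
    print("groups that would sync:", select_groups(GROUPS, FILTERS))
```

A useful habit is to run the preview twice, once with the filters you intend and once with the filters you already have, and diff the two lists: any group that disappears is one whose members will no longer be visible to policy after the next sync.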