: Configure Azure Active Directory
Focus
Focus

Configure Azure Active Directory

Table of Contents

Configure Azure Active Directory

Learn how to configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine.
Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy rule enforcement and user visibility.
To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the following link.
As an alternative, you can also Configure SCIM Connector for the Cloud Identity Engine to select the attribute data you want to collect with the Cloud Identity Engine.
You can select one of two methods for the Cloud Identity Engine to use to connect to your Azure AD:
  • The Auth Code Flow, which requires you to log in to make changes to the directory configuration in the Cloud Identity Engine
  • The Client Credential Flow, which initially requires additional permissions but does not require you to log in to change the directory configuration in the Cloud Identity Engine

Deploy Auth Code Flow for Azure AD

  1. Log in to the hub and select the Cloud Identity Engine app.
  2. In the Cloud Identity Engine app, select
    Directories
    Add New Directory
    .
  3. Set Up
    a
    Cloud Directory
    and select
    Azure
    .
    If you have an Azure AD in a government environment, select
    Azure Government
    and refer to Configure the Cloud Identity Agent if you’re using the Cloud Identity agent for an on-premises directory and Configure Cloud Identity Engine Authentication on the Firewall or Panorama if you want to authenticate your users with the Cloud Identity Engine. For more information, contact your support representative.
  4. Select the method you want to use to log in to your Azure AD.
    Palo Alto Networks strongly recommends the client credential flow, as this method allows you to use an Azure AD service account for the Cloud Identity Engine app. Using the client credential flow requires you to configure your Azure AD with the necessary permissions, so ensure you’ve completed all of the predeployment steps necessary to Deploy or Migrate to Client Credential Flow for Azure AD.
    • Auth Code Flow
      (Default) —To make changes to your Azure AD in the Cloud Identity Engine, you must log in to the Azure AD.
    • Client Credential Flow
      —By granting the required permissions in advance, you do not need to log in to the Azure AD to make changes to that directory in the Cloud Identity Engine. For more information, refer to Deploy or Migrate to Client Credential Flow for Azure AD.
  5. Select whether you want to
    Collect user risk information from Azure AD Identity Protection
    to use in attribute-based Cloud Dynamic User Groups.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to the documentation for Cloud Dynamic User Groups.
  6. Select whether you want to
    Collect Roles and Administrators (Administrative roles)
    to retrieve
    roleAssignments
    attribute information for users and groups. Allowing the Cloud Identity Engine to include this information for analysis helps to prevent role-based malicious attacks. By default, the Cloud Identity Engine enables this option for tenants that are associated with Cortex XDR.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to step 10.
    If you do not see the
    Collect Roles and Administrators (Administrative roles)
    option, reconnect your directory to view and select the option.
  7. Select whether you want to
    Collect enterprise applications
    data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
    For beta users of this feature, the Cloud Identity Engine continues collecting enterprise application data for any directories configured in your tenant during the beta and no further configuration is required. If you configure a new directory, you must select whether you want to collect enterprise application data from the new directory and grant the additional privileges. For more info, see step 10.
  8. Sign in with Azure
    using your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.
    You must have an administrative account for the directory to grant the following required permissions.
    • Access Azure Service Management
    • View your basic profile
    • Maintain access to data you have given it access to
    • Read directory data
    • View your email address
    1. Enter your email address or phone number then click
      Next
      .
    2. Enter your password and
      Sign in
      .
    3. Consent on behalf your organization
      to grant the permissions that the Cloud Identity Engine requires to get the metadata with the list of directories and
      Accept
      to confirm.
      The button displays
      Logged In
      when the authentication is successful.
  9. Click
    Test Connection
    to confirm that the Cloud Identity Engine tenant can successfully communicate with the Azure directory.
    • The Cloud Identity Engine checks for the primary directory, which may not be the same as initial directory.
    • While the test is in progress, the button displays
      Testing
      .
    • When the Cloud Identity Engine verifies the connection, the button displays
      Success
      and lists the domain name and ID for the directory.
    • If the connection is not successful, the button displays
      Failed
      and a red exclamation point. If this occurs, confirm you have entered your Azure credentials correctly.
    • If you have more than one directory in your Azure AD, select the radio button for each directory and
      Test Connection
      .
      Submit
      each directory individually.
  10. Consent on behalf your organization
    to grant the permissions the Cloud Identity Engine requires to access the directory data and
    Accept
    to confirm.
    • If you want to use user risk information in attribute-based Cloud Dynamic User Groups, you must grant additional permissions. For more information, refer to the documentation on how to Create a Cloud Dynamic User Group.
    • If you select the
      Collect Roles and Administrators (Administrative roles)
      option in step 6 and you have already granted the
      Directory.Read.All
      scope, no further permissions are required. Otherwise, you must also grant the
      RoleManagement.Read.Directory
      scope to collect role and administrator information.
    • If you select the
      Collect enterprise applications
      option in step 7, you must grant the
      Application.Read.All
      scope.
  11. (Optional) Enter a unique name as the
    Directory Name (optional)
    field to use a customized name for the directory in the Cloud Identity Engine app.
    You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
    If you are collecting data for the same domain from both an on-premises Active Directory (AD) and an Azure AD, Palo Alto Networks recommends that you create a separate Cloud Identity Engine tenant for each directory type. If you must use the same Cloud Identity Engine tenant and want to collect data from both an on-premises AD and an Azure AD, you must customize the directory name for the Azure AD (for example, by adding
    .aad
    to
    Customize Directory Name
    ) then Reconnect Azure Active Directory. Any applications that you associate with the Cloud Identity Engine use the custom directory name.
    • The custom directory name is the alias for your Azure AD in your Cloud Identity Engine tenant; it does not change the name of your directory. If you do not enter a custom directory name, the Cloud Identity Engine uses the default domain name.
    • The Cloud Identity Engine supports lowercase alphanumeric characters, periods (.), hyphens (-), and underscores (_).
    • If you associate the Cloud Identity Engine with Cortex XDR, the customized directory name must be identical to the
      Domain
      you select in Cortex XDR.
    The custom directory name must match the corresponding directory name in any app that you associate with the Cloud Identity Engine. For example, if you are using the Cloud Identity Engine with Cortex XDR, the custom directory name in the Cloud Identity Engine must be the same as the directory name in Cortex XDR.
  12. When the configuration is complete,
    Submit
    the configuration.
    When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and begins synchronizing attributes. The
    Sync Status
    column displays
    In Progress
    while the Cloud Identity Engine collects the attributes.
    To add another Azure AD to your Cloud Identity Engine tenant, you must first log out of the Azure AD that already exists in the Cloud Identity Engine. After you log out, click
    Add New Directory
    and repeat steps 4through 12 using the credentials for the new Azure AD in Configure Azure Active Directory.
    Now that you have configured your Azure Active Directory in the Cloud Identity Engine, you can take the following next steps:

Recommended For You