Deploy Client Credential Flow for Azure Active Directory

By granting just two read-only permissions for your Azure AD in advance, the Client Credential Flow option for Azure AD in the Cloud Identity Engine allows you to use a service account to log in to your Azure AD in the Cloud Identity Engine. Using a service account is strongly recommended, as this is a more secure method for directory access and does not require the account to be associated with a specific user.
If this is the first time you have created a Cloud Identity Engine instance, the Cloud Identity Engine app is not available in the Azure app gallery, so you must create a custom app.
If you already have an existing Azure AD configuration in the Cloud Identity Engine, you can easily migrate the existing configuration to use the client credential flow option.
  1. If you have not already done so, activate your Cloud Identity Engine instance.
  2. (Migration for existing configurations only) If you already have a Cloud Identity Engine instance and have configured an Azure AD and you want to migrate your configuration to use the client credential flow option:
    1. Log in to the Azure Portal.
    2. Select Enterprise Applications.
    3. Select the Palo Alto Networks Cloud Identity Engine app.
    4. Select Security > Permissions.
    5. Continue to Step 3.7.
  3. Grant the required read-only permissions in the Azure Portal.
    1. In the Azure Portal, select Home > Azure Active Directory > App Registrations.
    2. Click New registration.
    3. Enter a Name then click Register.
    4. Select API permissions then click Add a permission.
    5. Click Microsoft Graph then select Application permissions.
    6. Select the following permissions then click Add permissions:
      • Directory.Read.All
      • Organization.Read.All
    7. Click Grant admin consent for DirectoryName (where DirectoryName represents the name of your Azure AD).
    8. Click Yes to confirm.
  4. Collect the necessary configuration information from the Azure Portal.
    Because the Cloud Identity Engine automatically populates this information during migration of an existing Azure AD configuration to the client credential flow, continue to Step 5 for migration of an existing Azure AD configuration.
    1. Select Certificates and secrets then click New client secret.
    2. Enter a Description and Add the secret.
      When you add the secret, make sure to keep track of when the secret Expires. When the secret expires, you must configure the new secret in the Azure Portal and update the configuration in the Cloud Identity Engine app to replace the expired secret. Keep this in mind when selecting the expiry value for the secret. If you prioritize ease of configuration, select a longer expiration for the secret (the maximum value is two years). If security is of greater concern, select a shorter value for the secret's expiration (the default is six months).
    3. Copy the Value of the secret and store it in a secure location.
    4. Click Overview then copy the Application (client) ID and store it in a secure location.
    5. Copy the Directory (tenant) ID and store it in a secure location.
  5. Add your Azure AD directory in the Cloud Identity Engine.
    If you are migrating an existing Azure AD configuration, select Actions > Reconnect on the Directories page for the Azure AD you want to migrate, then continue to Step 5.3. The Cloud Identity Engine automatically populates the necessary information for Step 5.4, so you can continue to Step 6 (testing the connection).
    1. In the Cloud Identity Engine app, select Directories then click Add New Directory.
    2. Set Up an Azure directory.
    3. Select Client Credential Flow as the method you want to use to Connect to Azure AD.
    4. Enter your directory information as indicated, using the information you copied from the Azure Portal in the previous step:
      Copy from Azure Portal       Enter In Cloud Identity Engine
      Directory (tenant) ID        Directory ID
      Application (client) ID      Client ID
      Value                        Client Secret
      During migration of an existing Azure AD configuration to the client credential flow, the Cloud Identity Engine automatically populates the Directory ID, Client ID, and the Client Secret.
  6. Confirm the Cloud Identity Engine app can successfully communicate with your directory.
    1. In the Cloud Identity Engine, click Test Connection to confirm that the Cloud Identity Engine can successfully connect to your Azure AD.
    2. (Optional) Enter a new name to Customize Directory Name in the Cloud Identity Engine.
  7. In the Cloud Identity Engine app, Submit your changes and verify your directory information when the Directories page displays.
    You can now use your Azure AD to enforce group-based policy with the Cloud Identity Engine.
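The following Python script is an added example and is not part of this documentation or of the Cloud Identity Engine itself. It performs the same OAuth 2.0 client credential grant that the Cloud Identity Engine performs with the Directory (tenant) ID, Application (client) ID, and secret Value collected in Step 4, then checks that the returned token actually carries the two application permissions consented in Step 3.7, which is the usual reason a Test Connection fails. The tenant, client, and secret values are placeholders, and the sample token used for the offline check is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all consented app permissions
# The two application permissions the procedure grants admin consent for.
REQUIRED_ROLES = {"Directory.Read.All", "Organization.Read.All"}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client credentials grant."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "scope": GRAPH_SCOPE, "grant_type": "client_credentials"}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def fetch_access_token(tenant_id, client_id, client_secret):
    """Perform the grant against Azure AD (needs network); returns the raw JWT."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for inspecting
    a token you just received over TLS, never for trusting one presented to you."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims, required=REQUIRED_ROLES):
    """Consented application permissions appear in the token's 'roles' claim;
    anything returned here means admin consent (Step 3.7) has not taken effect."""
    return sorted(required - set(claims.get("roles", [])))


def make_unsigned_jwt(claims):
    """Build a fake, unsigned JWT so the role check can be exercised offline."""
    def enc(part):
        return base64.urlsafe_b64encode(json.dumps(part).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: consent was granted for only one of the two permissions.
    sample = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"]})
    print("missing roles:", missing_roles(decode_claims(sample)))  # ['Organization.Read.All']
```

To check a real tenant, replace the sample with `decode_claims(fetch_access_token(tenant_id, client_id, client_secret))`; an empty list means the service principal is ready for Step 5.4.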