Learn how to reconnect or edit your Azure Active Directory (Azure AD) configuration for
the Cloud Identity Engine.
The auth code flow
method is deprecated and is available only for existing configurations, not for
new ones. For new configurations, refer to Configure Azure Using the CIE Enterprise App.
Log in to the hub and select the Cloud Identity Engine app.
In the Cloud Identity Engine app, select Directories > Reconnect.
If this Azure AD configuration has never
successfully connected to the Cloud Identity Engine, select Actions > Edit.
Select the method you want to use to log in to your Azure AD.
Palo Alto Networks strongly recommends the CIE Enterprise
App connection flow type. Using the client credential connection
flow type requires you to configure your Azure AD with the necessary
permissions, so ensure you’ve completed all of the predeployment steps necessary
to Configure Azure Using the Client Credential Flow before you configure this
option.
CIE Enterprise App
(Recommended) (Default) — Configure Azure Using the CIE Enterprise App with the Cloud Identity Engine. This
option requires Global Administrator privileges but you only need to
enter the directory ID.
Client Credential Flow—By granting the required
permissions in advance, you do not need to log in to the Azure AD to
make changes to that directory in the Cloud Identity Engine. For more
information, refer to Configure Azure Using the Client Credential Flow.
Select whether you want to Collect user risk information from Azure
AD Identity Protection to use in attribute-based Cloud Dynamic User Groups.
If you select this option, you must grant additional
permissions for the Cloud Identity Engine in the Azure AD Portal. For more
information, refer to the documentation for Cloud Dynamic User Groups.
Select whether you want to Collect Roles and Administrators
(Administrative roles) to retrieve
roleAssignments attribute information for users and
groups. Including this information in the Cloud Identity Engine's
analysis helps prevent attacks that abuse administrative roles. By default, the Cloud
Identity Engine enables this option for tenants that are associated with Cortex XDR.
If you select this option, you must grant additional
permissions for the Cloud Identity Engine in the Azure AD Portal. For more
information, refer to step 9.
Select whether you want to Collect enterprise
applications data so that it displays when you View Directory Data. If
you don't want to collect the application data or you don't use application data
in your security policy, deselect the checkbox to decrease the sync time.
Sign in with Azure or Restore
the connection using your Azure administrator credentials and grant
permissions for the Cloud Identity Engine to access the directory
information.
You must have an administrative account for the
directory to grant the following required permissions.
Access Azure Service Management
View your basic profile
Maintain access to data you have given it access to
Read directory data
View your email address
If this Azure AD configuration has never
successfully connected to the Cloud Identity Engine, select Sign
in with Azure.
Enter your email address or phone number then click
Next.
Enter your password and Sign in.
Consent on behalf of your organization to grant the
permissions that the Cloud Identity Engine requires to get the metadata
with the list of directories and Accept to
confirm.
The button displays Logged In when the
authentication is successful.
Click Test Connection to confirm that the Cloud Identity
Engine tenant can successfully communicate with the Azure directory.
The Cloud Identity Engine checks for the primary directory, which may
not be the same as the initial directory.
While the test is in progress, the button displays
Testing.
When the Cloud Identity Engine verifies the connection, the button
displays Success and lists the domain name
and ID for the directory.
If the connection is not successful, the button displays
Failed and a red exclamation point. If
this occurs, confirm you have entered your Azure credentials correctly.
If you have more than one directory in your Azure AD, select the radio
button for each directory and Test Connection.
Submit each directory individually.
Consent on behalf of your organization to grant the
permissions the Cloud Identity Engine requires to access the directory data and
Accept to confirm.
If you select the Collect Roles and Administrators
(Administrative roles) option in step 5 and you have
already granted the Directory.Read.All
scope, no further permissions are required. Otherwise, you must also
grant the RoleManagement.Read.Directory
scope to collect role and administrator information.
If you select the Collect enterprise
applications option in step 6, you must grant the
Application.Read.All scope.
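The scope rules in the two paragraphs above can be checked before you click Submit, so that consent is granted once and only for what the selected options need. The following is an added example, not Palo Alto Networks code: it takes the scopes already consented to for the Cloud Identity Engine (as you would read them from the app's permissions in the Azure AD Portal) and the two collection options, and returns what is still missing, plus a least-privilege warning for scopes that the selected options do not justify. The scope names are those on the page; the function names and the sample granted lists are assumptions.

```python
# Added example, not Palo Alto Networks code. Given the sync options chosen
# in the Cloud Identity Engine UI and the Microsoft Graph scopes already
# granted to it, list the scopes that still have to be consented to.
# Scope names and rules come from the procedure above; function names and
# the sample "granted" lists are assumptions for illustration.

ROLE_SCOPE = "RoleManagement.Read.Directory"
DIRECTORY_SCOPE = "Directory.Read.All"
APP_SCOPE = "Application.Read.All"


def missing_scopes(granted, collect_roles=False, collect_apps=False):
    """Return the sorted list of Graph scopes that must still be granted.

    granted       - scopes already consented to for the Cloud Identity Engine
    collect_roles - "Collect Roles and Administrators" is selected
    collect_apps  - "Collect enterprise applications" is selected
    """
    granted = set(granted)
    needed = set()
    # Roles: Directory.Read.All already covers role assignments; only when
    # it is absent is RoleManagement.Read.Directory required.
    if collect_roles and DIRECTORY_SCOPE not in granted:
        needed.add(ROLE_SCOPE)
    # Enterprise application data always needs Application.Read.All.
    if collect_apps:
        needed.add(APP_SCOPE)
    return sorted(needed - granted)


def least_privilege_warnings(granted, collect_roles=False, collect_apps=False):
    """Flag granted scopes that the selected options do not require."""
    granted = set(granted)
    warnings = []
    if APP_SCOPE in granted and not collect_apps:
        warnings.append(f"{APP_SCOPE} is granted but enterprise application collection is off")
    if ROLE_SCOPE in granted and (not collect_roles or DIRECTORY_SCOPE in granted):
        warnings.append(f"{ROLE_SCOPE} is granted but not required by the selected options")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a tenant that has consented only to Directory.Read.All
    # and now wants both role and enterprise application data.
    granted = ["Directory.Read.All"]
    print(missing_scopes(granted, collect_roles=True, collect_apps=True))
    print(least_privilege_warnings(granted + ["RoleManagement.Read.Directory"], collect_roles=True))
```

Run it once with the scope list copied from the app's API permissions blade; an empty list from `missing_scopes` means the consent step will not prompt for anything new, and any warning is a candidate scope to revoke.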
(Optional) Enter a unique name in the Directory Name
(optional) field to use a customized name for the directory in
the Cloud Identity Engine app.
You can use up to 15 lowercase alphanumeric
characters (including hyphens, periods, and underscores) for the directory
name in the Cloud Identity Engine. You don't need to change the name of the
directory itself, only the name of the directory in the Cloud Identity
Engine app.
If you are collecting data for the same domain from
both an on-premises Active Directory (AD) and an Azure AD, Palo Alto
Networks recommends that you create a separate Cloud Identity Engine tenant
for each directory type. If you must use the same Cloud Identity Engine
tenant and want to collect data from both an on-premises AD and an Azure AD,
you must customize the directory name for the Azure AD (for example, by
adding .aad to Customize Directory
Name) then Reconnect or Edit Azure Active Directory. Any applications that you
associate with the Cloud
Identity Engine use the custom directory name.
The custom directory name is the alias for your Azure AD in your Cloud
Identity Engine tenant; it does not change the name of your directory.
If you do not enter a custom directory name, the Cloud Identity Engine
uses the default domain name.
The Cloud Identity Engine supports lowercase alphanumeric characters,
periods (.), hyphens (-), and underscores (_).
If you associate the Cloud Identity Engine with Cortex XDR, the
customized directory name must be identical to the
Domain you select in Cortex XDR.
The custom directory name must match the
corresponding directory name in any app that you associate with the Cloud
Identity Engine. For example, if you are using the Cloud Identity Engine
with Cortex XDR, the custom directory name in the Cloud Identity Engine must
be the same as the directory name in Cortex XDR.
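A directory name that violates the rules above, or that differs from the Domain selected in Cortex XDR, is easy to catch before submitting. The following is an added example, not Palo Alto Networks code: it validates a proposed custom directory name against the 15-character limit and allowed character set stated above, optionally checks it against the Cortex XDR domain, and builds the `.aad`-suffixed alias suggested for tenants that collect the same domain from both on-premises AD and Azure AD. The function names are assumptions; the naming rules are the page's.

```python
import re

# Added example, not Palo Alto Networks code. Checks a custom directory name
# against the constraints stated on the page: at most 15 characters, only
# lowercase alphanumerics, periods, hyphens and underscores, and, when the
# tenant is associated with Cortex XDR, identical to the Domain selected
# there. Function names and the ".aad" helper are assumptions.

MAX_LEN = 15
ALLOWED_CHAR = re.compile(r"[a-z0-9._-]")


def alias_problems(name, xdr_domain=None):
    """Return the reasons a proposed directory name is unacceptable.

    An empty list means the name satisfies every rule. An empty name is
    acceptable because the Cloud Identity Engine then uses the default
    domain name; the Cortex XDR check cannot be applied in that case.
    """
    problems = []
    if name == "":
        return problems
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters exceeds the {MAX_LEN}-character limit")
    disallowed = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
    if disallowed:
        # Uppercase letters land here too, since only lowercase is allowed.
        problems.append("disallowed characters: " + "".join(disallowed))
    if xdr_domain is not None and name != xdr_domain:
        problems.append(f"does not match the Cortex XDR domain {xdr_domain!r}")
    return problems


def aad_alias(domain, suffix=".aad"):
    """Build the suffixed alias used when the same domain is collected from
    both on-premises AD and Azure AD in one tenant. Raises ValueError when
    the result cannot satisfy the naming rules (usually the length limit)."""
    alias = domain.lower() + suffix
    problems = alias_problems(alias)
    if problems:
        raise ValueError("; ".join(problems))
    return alias


if __name__ == "__main__":
    # Constructed samples.
    print(aad_alias("example.com"))          # exactly 15 characters, accepted
    print(alias_problems("Corp.AAD"))        # uppercase is rejected
    print(alias_problems("sales.aad", xdr_domain="sales"))
```

Note that a short domain plus `.aad` reaches the 15-character limit quickly; when `aad_alias` raises, choose a shorter alias and make sure the same string is used as the Domain in Cortex XDR.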
(Optional) Select whether you want to Filter Azure Active Directory
Groups.
To reduce sync time and minimize the amount of data collected by the Cloud
Identity Engine, you can configure the Cloud Identity Engine to sync only
specific groups from your directory. To do this, you can Configure SCIM Connector for the Cloud Identity Engine or you can filter the groups.
Because SCIM is most suitable for small and frequent data requests, directory
update intervals are restricted to once every 40 minutes. If you choose to
filter the groups instead, directory updates can be as often as every 5 minutes.
Choose the best option for your deployment based on your organizational and
regulatory requirements.
Select the group attribute you want to use as a filter.
Name—Filter the groups based on the group
name.
Unique Identifier—Filter the groups based
on the unique identifier for the group.
Select how you want to filter the groups.
begins with (Name attribute only)—Filter the
groups based on a partial match for the text you enter.
is equal to—Filter the groups based on an
exact match for text you enter.
Enter the text you want to use to filter the groups.
(Optional) Configure an additional filter by clicking Add
OR and repeating the previous three steps for each
filter you want to include.
When you configure additional attributes, the Cloud Identity Engine
initially attempts to find a match for the first criteria in the
configuration, then continues to attempt to match based on the
additional criteria you specify.
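The filter semantics in the steps above (two attributes, "begins with" allowed only for Name, and additional filters combined with OR and evaluated in configured order) can be modelled to preview which groups a configuration would sync before submitting it. The following is an added example, not Palo Alto Networks code: the `Group` class, the rule tuples, the constructed sample directory and the assumption that matching is exact and case-sensitive are all illustrative choices, not the product's implementation.

```python
from dataclasses import dataclass

# Added example, not Palo Alto Networks code. Models the Azure AD group
# filter described on the page: each rule is (attribute, operator, text),
# "begins with" is valid only for the Name attribute, and rules added with
# "Add OR" are combined so that a group matching any rule is synced.
# The Group class, helper names and the sample directory are assumptions;
# matching is assumed to be exact and case-sensitive.


@dataclass(frozen=True)
class Group:
    name: str
    unique_id: str  # the directory's unique identifier for the group


# Operators the UI offers per attribute.
OPERATORS = {
    "Name": {"begins with", "is equal to"},
    "Unique Identifier": {"is equal to"},
}


def validate_rule(rule):
    """Reject rules the UI would not let you configure."""
    attribute, operator, text = rule
    if attribute not in OPERATORS:
        raise ValueError(f"unknown attribute {attribute!r}")
    if operator not in OPERATORS[attribute]:
        raise ValueError(f"{operator!r} is not allowed for the {attribute} attribute")
    if not text:
        raise ValueError("filter text must not be empty")
    return rule


def rule_matches(rule, group):
    attribute, operator, text = rule
    value = group.name if attribute == "Name" else group.unique_id
    if operator == "begins with":
        return value.startswith(text)
    return value == text


def filter_groups(groups, rules):
    """Return the groups that would be synced: those matching any rule.

    Rules are evaluated in the order configured; the first match wins, so
    later rules are only consulted for groups the earlier ones did not select.
    """
    rules = [validate_rule(r) for r in rules]
    return [g for g in groups if any(rule_matches(r, g) for r in rules)]


# Constructed sample directory and filter configuration.
DIRECTORY = [
    Group("sec-ops", "11111111-0000-0000-0000-000000000001"),
    Group("sec-engineering", "11111111-0000-0000-0000-000000000002"),
    Group("finance", "11111111-0000-0000-0000-000000000003"),
    Group("all-staff", "11111111-0000-0000-0000-000000000004"),
]
RULES = [
    ("Name", "begins with", "sec-"),
    ("Unique Identifier", "is equal to", "11111111-0000-0000-0000-000000000004"),
]

if __name__ == "__main__":
    for g in filter_groups(DIRECTORY, RULES):
        print(g.name)
```

Filtering by Unique Identifier is the more robust choice for groups that security policy depends on, because a renamed group silently drops out of (or into) a Name-based filter while its identifier stays constant.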
When the configuration is complete, Submit the
configuration.
When you submit the configuration, the Cloud Identity Engine connects to your
Azure AD and begins synchronizing attributes. The Sync
Status column displays In Progress while
the Cloud Identity Engine collects the attributes.