Reconnect Azure Active Directory
Learn how to reconnect your Azure Active Directory (Azure AD) to the Cloud Identity Engine.
If the connection between your Azure Active Directory (Azure AD) and the Cloud Identity Engine is not active, or if you want to change your Azure AD configuration, reconnect your Azure AD to the Cloud Identity Engine.
- Log in to the hub and select the Cloud Identity Engine tenant that contains the Azure AD you want to reconnect.
- Select Directories.
- Select Actions, then Reconnect.
- Select whether you want to make any changes to your configuration.
- If you want to use the gallery app that Microsoft automatically installs when you grant the necessary permissions, select Client Credential Flow (CIE Gallery App). For more information, refer to Configure Azure Active Directory.
- If you want to authenticate with Azure, select the Auth Code Flow. This method is deprecated and is only available for existing configurations. If you are currently using the auth code flow, Palo Alto Networks recommends migrating to the Client Credential Flow (CIE Gallery App) method.
- If you want to collect information about user risk levels and activity to use when you Create a Cloud Dynamic User Group, select Collect user risk information from Azure AD Identity Protection.
- If you want to include administrative role information so that security policy can account for privileged roles, select Collect Roles and Administrators (Administrative roles). For more information, see Configure Azure Active Directory.
- If you want to display application data when you View Directory Data, select Collect enterprise applications data. If you don't collect application data, or don't use it in your security policy, clear the checkbox to shorten the sync time.
- (Auth Code Flow only) Sign in with Azure using your Azure administrator credentials and grant the Cloud Identity Engine permission to access the directory information.
- Click Test Connection to confirm that the Cloud Identity Engine can access your Azure AD.
- (Optional) Customize Directory Name if you want to change the name that the Cloud Identity Engine displays for this directory in your tenant. The name can contain up to 15 characters: lowercase letters, digits, hyphens, periods, and underscores. This changes only the name shown in the Cloud Identity Engine app, not the name of the directory itself. If the directory name is longer than 15 characters, you must shorten it to 15 characters or fewer.
- (Optional) Select whether you want to Filter Azure Active Directory Groups. To reduce sync time and minimize the amount of data the Cloud Identity Engine collects, you can sync only specific groups from your directory, either by configuring the SCIM connector (Configure SCIM Connector for the Cloud Identity Engine) or by filtering the groups here. Because SCIM is best suited to small, frequent requests, SCIM directory updates are restricted to once every 40 minutes; with group filtering, directory updates can run as often as every 5 minutes. Choose the option that fits your organizational and regulatory requirements.
- Select the group attribute you want to use as a filter.
- Name: filter the groups based on the group name.
- Unique Identifier: filter the groups based on the unique identifier (object ID) of the group.
- Select how you want to filter the groups.
- (for the Name attribute only) begins with: filter the groups based on a partial match at the start of the text you enter.
- is equal to: filter the groups based on an exact match for the text you enter.
- Enter the text you want to use to filter the groups.
- (Optional) Configure an additional filter by clicking Add OR and repeating the previous three steps for each filter you want to include. Filters are combined with OR: the Cloud Identity Engine first attempts to match the first criterion, then the additional criteria you specify, so a group is synced when any one of them matches.
- Submit your configuration to reconnect to the directory.
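Before submitting a group filter, it helps to see which groups the configured rows would actually pull in, because a filter that is too narrow silently drops groups that policy depends on, and one that is too broad defeats the point of filtering. The following Python script is an added example, not Cloud Identity Engine code or anything from Palo Alto Networks: it models the documented filter semantics (Name with begins with or is equal to, Unique Identifier with is equal to, rows joined by Add OR) and the 15-character directory-name rule, and runs them over a constructed list of group objects shaped like Microsoft Graph group records (id, displayName). Two assumptions are labelled in the code: matching is treated as exact and case-sensitive, which the documentation does not state, and the name regex is my reading of the documented character set; confirm both against the hub (Test Connection, View Directory Data) rather than this script.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Name rule from the documentation: at most 15 characters, lowercase
# alphanumerics plus hyphen, period and underscore. The regex is my reading
# of that rule (assumption); the hub's own validation is authoritative.
DIRECTORY_NAME_RE = re.compile(r"[a-z0-9._-]{1,15}")


def directory_name_is_valid(name: str) -> bool:
    """True if the display name fits the Cloud Identity Engine constraint."""
    return DIRECTORY_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class GroupFilter:
    """One row of the Filter Azure Active Directory Groups form."""
    attribute: str  # "Name" or "Unique Identifier"
    operator: str   # "begins with" (Name only) or "is equal to"
    value: str

    def __post_init__(self) -> None:
        if self.attribute not in ("Name", "Unique Identifier"):
            raise ValueError(f"unknown attribute: {self.attribute!r}")
        if self.operator not in ("begins with", "is equal to"):
            raise ValueError(f"unknown operator: {self.operator!r}")
        if self.operator == "begins with" and self.attribute != "Name":
            raise ValueError("'begins with' is only offered for the Name attribute")

    def matches(self, group: dict) -> bool:
        # Assumption: matching is exact and case-sensitive. The documentation
        # does not state case rules, so confirm the result in the hub.
        actual = group["displayName"] if self.attribute == "Name" else group["id"]
        if self.operator == "begins with":
            return actual.startswith(self.value)
        return actual == self.value


def groups_to_sync(groups: Iterable[dict], filters: list[GroupFilter]) -> list[dict]:
    """Rows are joined with OR (Add OR): a group syncs if any row matches.
    Rows are tried in configured order; with no rows, every group syncs."""
    groups = list(groups)
    if not filters:
        return groups
    return [g for g in groups if any(f.matches(g) for f in filters)]


# Constructed sample data, shaped like Microsoft Graph group objects.
SAMPLE_GROUPS = [
    {"id": "11111111-1111-4111-8111-111111111111", "displayName": "sec-admins"},
    {"id": "22222222-2222-4222-8222-222222222222", "displayName": "sec-analysts"},
    {"id": "33333333-3333-4333-8333-333333333333", "displayName": "Security-Ops"},
    {"id": "44444444-4444-4444-8444-444444444444", "displayName": "all-staff"},
]


def preview(groups: list[dict], filters: list[GroupFilter]) -> tuple[list[str], list[str]]:
    """Return (synced names, skipped names) so the sync scope can be reviewed."""
    synced = groups_to_sync(groups, filters)
    synced_ids = {g["id"] for g in synced}
    skipped = [g["displayName"] for g in groups if g["id"] not in synced_ids]
    return [g["displayName"] for g in synced], skipped


if __name__ == "__main__":
    filters = [
        GroupFilter("Name", "begins with", "sec-"),
        GroupFilter("Unique Identifier", "is equal to",
                    "44444444-4444-4444-8444-444444444444"),
    ]
    synced, skipped = preview(SAMPLE_GROUPS, filters)
    print("sync:", synced)   # sec-admins, sec-analysts, all-staff
    print("skip:", skipped)  # Security-Ops: capital S does not begin with "sec-"
    for name in ("corp-azuread.01", "Corp-AzureAD", "a" * 16):
        print(name, directory_name_is_valid(name))
```

The skipped list is the one to read: in the sample, the group named Security-Ops is excluded by a begins with "sec-" row, which is the kind of naming-convention drift that a filter set built from memory misses. Where group names are inconsistent, a Unique Identifier row pins the exact object regardless of future renames.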