Reconnect Azure Active Directory
Learn how to reconnect your Azure Active Directory (Azure AD) to the Cloud Identity Engine.
If the connection between your Azure Active Directory (Azure AD) and the Cloud Identity Engine is not active or if you want to make changes to your Azure AD configuration, you can reconnect your Azure AD to the Cloud Identity Engine.
  1. Log in to the hub and select the Cloud Identity Engine tenant that contains the Azure AD you want to reconnect.
  2. Select Directories.
  3. Select Actions, then Reconnect.
  4. Select whether you want to make any changes to your configuration.
    • If you want to use the gallery app that Microsoft automatically installs when you grant the necessary permissions, select Client Credential Flow (CIE Gallery App). For more information, refer to Configure Azure Active Directory.
    • If you want to authenticate with Azure, select Auth Code Flow. This method is deprecated and is only available for existing configurations. If you are currently using the auth code flow, Palo Alto Networks recommends using the Client Credential Flow (CIE Gallery App) method.
    • If you want to collect information about user risk levels and activity to use when you Create a Cloud Dynamic User Group, select Collect user risk information from Azure AD Identity Protection.
    • If you want to include role information to prevent role-based attacks, select Collect Roles and Administrators (Administrative roles). For more information, see Configure Azure Active Directory.
    • If you want to display application data when you View Directory Data, select Collect enterprise applications data. If you don't want to collect application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
  5. (Auth Code Flow only) Sign in with Azure using your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.
  6. Click Test Connection to confirm the Cloud Identity Engine can access your Azure AD.
  7. (Optional) Customize Directory Name if you want to change the name that the Cloud Identity Engine displays for this directory in your tenant.
    You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app. If your directory name contains more than 15 characters, you must change the directory name to contain a maximum of 15 characters.
  8. (Optional) Select whether you want to Filter Azure Active Directory Groups.
    To reduce sync time and minimize the amount of data collected by the Cloud Identity Engine, you can configure the Cloud Identity Engine to sync only specific groups from your directory. To do this, you can Configure SCIM Connector for the Cloud Identity Engine or you can filter the groups. Because SCIM is most suitable for small and frequent data requests, directory update intervals are restricted to once every 40 minutes. If you choose to filter the groups instead, directory updates can be as often as every 5 minutes. Choose the best option for your deployment based on your organizational and regulatory requirements.
    1. Select the group attribute you want to use as a filter.
      • Name—Filter the groups based on the group name.
      • Unique Identifier—Filter the groups based on the unique identifier for the group.
    2. Select how you want to filter the groups.
      • (for Name attribute only) begins with—Filter the groups based on a partial match for the text you enter.
      • is equal to—Filter the groups based on an exact match for the text you enter.
    3. Enter the text you want to use to filter the groups.
    4. (Optional) Configure an additional filter by clicking Add OR and repeating the previous three steps for each filter you want to include.
      When you configure additional filters, the Cloud Identity Engine first attempts to match the first criterion in the configuration, then continues to attempt a match against each additional criterion you specify.
  9. Submit your configuration to reconnect to the directory.
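The group-filter rules in step 8 (attribute Name or Unique Identifier, operator begins with or is equal to, and additional rules joined with Add OR) are easy to get wrong when you are deciding which groups will actually be synced. The following added example, which is illustrative code and not part of the Cloud Identity Engine, models that matching logic so you can check a planned filter against a list of your own group names before submitting it. The Group and FilterRule shapes, the sample groups and their object IDs are all constructed here, and the comparisons are assumed to be case-sensitive because the page does not say otherwise.

```python
"""Added example: a matcher that mirrors the Azure AD group-filter options in
step 8 (Name / Unique Identifier, "begins with" / "is equal to", rules joined
with OR). Illustrative code, not the Cloud Identity Engine's own; the data
shapes and sample values are constructed."""
from dataclasses import dataclass
from typing import Iterable, List

ATTRIBUTES = ("Name", "Unique Identifier")
OPERATORS = ("begins with", "is equal to")


@dataclass(frozen=True)
class Group:
    """A directory group as it would arrive from a sync (constructed shape)."""
    name: str
    unique_id: str  # the group's object ID; values below are made up


@dataclass(frozen=True)
class FilterRule:
    """One filter line: attribute, operator and the text the admin entered."""
    attribute: str
    operator: str
    value: str


def validate_rule(rule: FilterRule) -> None:
    """Reject combinations the UI does not offer, so a mistyped rule fails
    loudly instead of silently matching nothing (or everything)."""
    if rule.attribute not in ATTRIBUTES:
        raise ValueError(f"unknown attribute {rule.attribute!r}")
    if rule.operator not in OPERATORS:
        raise ValueError(f"unknown operator {rule.operator!r}")
    if rule.attribute == "Unique Identifier" and rule.operator == "begins with":
        raise ValueError("'begins with' is available for the Name attribute only")
    if not rule.value:
        raise ValueError("filter text must not be empty")


def is_valid_rule(rule: FilterRule) -> bool:
    """Boolean form of validate_rule, handy for pre-checking a planned filter."""
    try:
        validate_rule(rule)
    except ValueError:
        return False
    return True


def rule_matches(rule: FilterRule, group: Group) -> bool:
    """Apply one rule to one group. Case-sensitive comparison is an assumption;
    adjust if your tenant behaves differently."""
    validate_rule(rule)
    field = group.name if rule.attribute == "Name" else group.unique_id
    if rule.operator == "begins with":
        return field.startswith(rule.value)
    return field == rule.value


def filter_groups(groups: Iterable[Group], rules: List[FilterRule]) -> List[Group]:
    """Return the groups that would be synced: rules added with "Add OR" are
    tried in order and a group is kept as soon as any one of them matches.
    With no rules configured, no group is filtered out."""
    if not rules:
        return list(groups)
    return [g for g in groups if any(rule_matches(r, g) for r in rules)]


# Constructed sample directory, not real tenant data.
SAMPLE_GROUPS = [
    Group("sg-prod-admins", "11111111-1111-1111-1111-111111111111"),
    Group("sg-prod-readers", "22222222-2222-2222-2222-222222222222"),
    Group("sg-dev-admins", "33333333-3333-3333-3333-333333333333"),
    Group("All Users", "44444444-4444-4444-4444-444444444444"),
]


def synced_group_names(rules: List[FilterRule]) -> List[str]:
    """Names of the sample groups that the given rules would keep."""
    return [g.name for g in filter_groups(SAMPLE_GROUPS, rules)]


if __name__ == "__main__":
    planned = [
        FilterRule("Name", "begins with", "sg-prod-"),
        FilterRule("Unique Identifier", "is equal to",
                   "33333333-3333-3333-3333-333333333333"),
    ]
    print(synced_group_names(planned))
```

Running the block prints the three groups the two OR'd rules keep; the broad "All Users" group is left out, which is exactly the kind of reduction in collected data that step 8 is for. An "is equal to" rule on "sg-prod" matches nothing, since the page describes that operator as an exact match, so check prefixes with "begins with" instead.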