>
    Strata Copilot
    Install the Cloud Identity Agent
    Focus
    Download PDF
    Focus
    1. Home
    2. Identity
    3. Identify Users and Devices with Cloud Identity Engine
    4. Configure Directories for User Identification
    5. Configure an On-Premises Directory
    6. Install the Cloud Identity Agent
    Download PDF
    Identity

    Install the Cloud Identity Agent

    Table of Contents

    Install the Cloud Identity Agent

    Learn how to download the Cloud Identity agent and install it on a supported Active Directory or OpenLDAP-based directory server.
    Where Can I Use This?What Do I Need?
    • NGFW
    • Prisma Access
    		The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.
    Before installing the Cloud Identity agent, verify that the time on the agent host is correct and synced to a valid NTP server. If the time on the server host is incorrect, the Cloud Identity Engine may not be able to sync your directory attributes successfully.
    After you activate your Cloud Identity Engine tenant, download the Cloud Identity agent from the Cloud Identity Engine app on the hub and install it on a supported directory server. Palo Alto Networks strongly recommends using TLS 1.3. If TLS 1.2 is not already enabled on the Windows server that will host the agent, install the update to enable TLS 1.2 before you install the agent.
    Because the User-ID agent and the Cloud Identity agent require the same port, you must use a dedicated host for each agent type. Do not install both agent types on the same host.
    1. Log in to the hub and select the Cloud Identity Engine app.
    2. Select Directories then click Add New Directory.
    3. Set Up an On-Premises Directory.
    4. Click Download Agent.
    5. When the download is complete, open the DaInstall.msi installation file for the agent on the Windows server where you plan to install the agent.
      For a list of supported servers, see the Cloud Identity Engine system requirements.
      If you are also using the Terminal Server (TS) agent, we recommend that you do not install the Cloud Identity agent on the same host as the TS agent. If you must install both agents on the same host, you must change the default listening port on the TS agent.
    6. Follow the prompts in the installation wizard to install the agent.
    7. Navigate to the location of the Cloud Identity agent.
      The default location is C:\Program Files (x86)\Palo Alto Networks\Cloud Identity Agent\.
    8. Double-click the CloudIdAgentController.exe file to launch the Cloud Identity agent.
      Starting the agent also starts the Cloud Identity Engine, which runs in the background on the server hosting the Cloud Identity agent until you stop the connection to the Cloud Identity Engine.

    Next Steps

    © 2026 Palo Alto Networks, Inc. All rights reserved.