Cloud Identity Engine Attributes
An attribute is a unique identifier, such as a Distinguished Name, that correlates to a specific object in the directory, which can be a user, a computer, or another network entity. If your directory uses custom attributes that do not use the following formats, specify the custom formats in the Cloud Identity Engine app (see Collect Custom Attributes with the Cloud Identity Engine).
On-Premises Active Directory
You can collect the following types of default attributes
and their associated Active Directory fields:
User Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
CompanyName | companyName |
Country | co |
Department | department |
Distinguished Name | dn |
Groups | memberOf |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
Location | l |
MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Manager | manager |
NETBIOS Name | nETBIOSName |
Name | displayName |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | objectSid |
SID History | sIDHistory |
Service Principal Name | servicePrincipalName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
User Account Control | userAccountControl |
When Changed | whenChanged |
Organizational Unit (OU) Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | objectGUID |
When Changed | whenChanged |
Group Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
Distinguished Name | dn |
Group Type | groupType |
Groups | memberOf |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Member | member |
Name | name |
Object Class | objectClass |
SAM Account Name | sAMAccountName |
SID | objectSid |
Unique Identifier | objectGUID |
When Changed | whenChanged |
WhenCreated | whenCreated |
Container Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | objectGUID |
WhenChanged | whenChanged |
WhenCreated | whenCreated |
Computer Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
Distinguished Name | dn |
Groups | memberOf |
Host Name | dNSHostName |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
NETBIOS Name | nETBIOSName |
Name | displayName |
OS | operatingSystem |
OS Service Pack | operatingSystemServicePack |
OS Version | operatingSystemVersion |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | objectSid |
SID History | sIDHistory |
Serial Number | serialNumber |
Service Principal Name | servicePrincipalName |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
UserAccountControl | userAccountControl |
WhenChanged | whenChanged |
WhenCreated | whenCreated |
Azure Active Directory
You can collect the following types of default attributes and their associated Azure Active Directory fields:
User Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
BusinessPhones | businessPhones |
CompanyName | companyName |
Country | country |
Department | department |
EmployeeId | employeeId |
FaxNumber | faxNumber |
Given Name | givenName |
Groups | memberOf |
IsResourceAccount | isResourceAccount |
LastPasswordChangeDateTime | lastPasswordChangeDateTime |
Location | officeLocation |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Manager | manager |
MobilePhone | mobilePhone |
Name | displayName |
OnPremisesDistinguishedName | onPremisesDistinguishedName |
OnPremisesExtensionAttributes | onPremisesExtensionAttributes |
OnPremisesImmutableId | onPremisesImmutableId |
OnPremisesLastSyncDataTime | onPremisesLastSyncDateTime |
OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
OnPremisesSamAccountName | onPremisesSamAccountName |
OnPremisesSyncEnabled | onPremisesSyncEnabled |
OtherMails | otherMails |
PasswordPolicies | passwordPolicies |
PasswordProfile | passwordProfile |
PostalCode | postalCode |
PreferredLanguage | preferredLanguage |
SignInSessionsValidFromDateTime | signInSessionsValidFromDateTime |
State | state |
StreetAddress | streetAddress |
Sur Name | surname |
Title | jobTitle |
Unique Identifier | objectGUID |
UsageLocation | usageLocation |
User Principals Name | userPrincipalName |
UserAccountControl | accountEnabled |
UserType | userType |
WhenChanged | createdDateTime |
onPremisesSecurityIdentifier | onPremisesSecurityIdentifier |
onPremisesUserPrincipalName | onPremisesUserPrincipalName |
Group Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
Classification | classification |
DeletedDateTime | deletedDateTime |
Description | description |
Group Type | groupTypes |
Groups | memberOf |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Mail Nick Name | mailNickname |
MailEnabled | mailEnabled |
Member | member |
Name | displayName |
OnPremisesLastSyncDateTime | onPremisesLastSyncDateTime |
OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
OnPremisesSecurityIdentifier | onPremisesSecurityIdentifier |
OnPremisesSyncEnabled | onPremisesSyncEnabled |
RenewedDateTime | renewedDateTime |
SAM Account Name | onPremisesSamAccountName |
SID | securityIdentifier |
SecurityEnabled | securityEnabled |
Unique Identifier | objectGUID |
Visibility | visibility |
WhenChanged | createdDateTime |
Computer Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
ComplianceExpirationDateTime | complianceExpirationDateTime |
Device ID | deviceId |
Groups | memberOf |
IsCompliant | isCompliant |
IsManaged | isManaged |
LastLogonTime | approximateLastSignInDateTime |
Manufacturer | manufacturer |
MdmAppId | mdmAppId |
Model | model |
Name | displayName |
OS | operatingSystem |
OSVersion | operatingSystemVersion |
Profile Type | profileType |
Serial Number | deviceId |
SystemLabels | systemLabels |
TrustType | trustType |
Unique Identifier | objectGUID |
UserAccountControl | accountEnabled |
WhenChanged | createdDateTime |
Application Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
App Id | appId |
App Roles | appRoles |
Description | description |
DisabledByMicrosoftStatus | disabledByMicrosoftStatus |
Identifier Uris | identifierUris |
Name | displayName |
Unique Identifier | objectGUID |
createdDateTime | createdDateTime |
web | web |
SCIM Directory
You can collect the following types of default attributes
and their associated SCIM Connector fields:
User Attributes
The following section lists the default attributes for
users that the directory provisions to Directory Sync using SCIM.
Palo Alto Networks Attribute | SCIM Directory Field |
---|---|
Common-Name | name_formatted |
CompanyName | addresses_work_formatted |
Country | addresses_work_country |
Department | enterprise_department |
EmployeeId | enterprise_employeeNumber |
FaxNumber | phoneNumbers_fax_value |
Given Name | name_firstName |
Groups | groups |
Location | locale |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | emails_work_value |
MobilePhone | phoneNumbers_mobile_value |
Name | displayName |
PostalCode | addresses_work_postalCode |
PreferredLanguage | preferredLanguage |
PreferredName | nickName |
StreetAddress | addresses_work_streetAddress |
Sur Name | name_familyName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserType (The SCIM gallery app does not support the userType attribute.) | userType |
createdDateTime | meta_created |
Group Attributes
The following section lists the default attributes for groups that the directory provisions to Directory Sync using SCIM. Group names for the displayName attribute must be unique. For more information, refer to Troubleshoot Cloud Identity Engine Issues.
Palo Alto Networks Attribute | SCIM Directory Field |
---|---|
Description | displayName |
Group Type | groupTypes |
Member | members |
Name | displayName |
Unique Identifier | objectGUID |
createdDateTime | meta_created |
Okta Directory
You can collect the following types of default attributes
and their associated Okta Directory fields:
User Attributes
Palo Alto Networks Attribute | Okta Directory Fields |
---|---|
City | city |
CompanyName | companyName |
Country | countryCode |
Department | department |
Distinguished Name | dn |
EmployeeId | employeeNumber |
Given Name | firstName |
Groups | memberOf |
Last Login | lastLogin |
LastPasswordChangeDateTime | passwordChanged |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | email |
Manager | managerDN |
MobilePhone | mobilePhone |
Name | displayName |
PostalCode | zipCode |
PreferredLanguage | preferredlanguage |
PreferredName | nickName |
Primary Group ID | primaryGroupID |
SID | objectSid |
State | state |
StreetAddress | streetAddress |
Sur Name | lastName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserType | userType |
createdDateTime | created |
Group Attributes
Palo Alto Networks Attribute | Okta Directory Fields |
---|---|
Description | description |
Group Type | groupTypes |
Groups | memberOf |
Member | member |
Name | name |
SAM Account Name | samAccountName |
SID | objectSid |
Unique Identifier | objectGUID |
createdDateTime | created |
Application Attributes
Palo Alto Networks Attribute | Okta Directory Field |
---|---|
App Id | appId |
Description | description |
Name | displayName |
Unique Identifier | objectGUID |
Google Directory
To identify users and apply security policy, the Cloud
Identity Engine collects the following attributes from Google Directory:
User Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
BusinessPhones | phones |
Country | country |
Given Name | givenName |
Groups | memberOf |
Last Logon Time | lastLoginTime |
Location | locations.area |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | primaryEmail |
Name | fullName |
OtherMails | emails |
PreferredLanguage | languages |
SID | id |
State | state |
StreetAddress | streetAddress |
Sur Name | familyName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserAccountControl | suspended |
UserType | isAdmin |
createdDateTime | creationTime |
Organizational Unit (OU) Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Description | description |
Name | name |
Unique Identifier | objectGUID |
Group Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Group Type | kind |
Groups | memberOf |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | email |
Member | member |
Name | name |
SID | id |
Unique Identifier | objectGUID |
Computer Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Groups | memberOf |
HostName | dNSHostName |
Last Login | lastLogon |
LastLogonTime | lastLogonTimestamp |
NETBIOS Name | nETBIOSName |
OS | operatingSystem |
OSServicePack | operatingSystemServicePack |
OSVersion | operatingSystemVersion |
Primary Group ID | primaryGroupID |
SID | deviceId |
SID History | sIDHistory |
Serial Number | serialNumber |
Service Principal Name | servicePrincipalName |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
User Account Control | status |
On-Premises OpenLDAP
You can collect the following types of default attributes and their associated OpenLDAP directory fields:
User Attributes
Palo Alto Networks Attribute | OpenLDAP Directory Field |
---|---|
Common-Name | cn |
Country | co |
Department | department |
Distinguished Name | dn |
Groups | memberOf |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
Location | l |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Manager | manager |
Name | displayName |
Object Class | objectClass |
SAM Account Name | sAMAccountName |
SID | objectSid |
Title | title |
Unique Identifier | entryUUID |
User Principal Name | userPrincipalName |
WhenChanged | modifyTimestamp |
WhenCreated | createTimestamp |
Organizational Unit (OU) Attributes
Palo Alto Networks Attribute | OpenLDAP Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | entryUUID |
WhenChanged | modifyTimestamp |
WhenCreated | createTimestamp |
Group Attributes
Palo Alto Networks Attribute | OpenLDAP Directory Field |
---|---|
Common-Name | cn |
Distinguished Name | dn |
Group Type | groupType |
Groups | memberOf |
Mail (If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.) | mail |
Member | uniqueMember |
Name | name |
Object Class | objectClass |
Unique Identifier | entryUUID |
WhenChanged | modifyTimestamp |
WhenCreated | createTimestamp |
Container Attributes
Palo Alto Networks Attribute | OpenLDAP Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | entryUUID |
WhenChanged | modifyTimestamp |
WhenCreated | createTimestamp |
Computer Attributes
Palo Alto Networks Attribute | OpenLDAP Directory Field |
---|---|
Common-Name | cn |
Distinguished Name | dn |
Groups | memberOf |
Host Name | dNSHostName |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
NETBIOS Name | nETBIOSName |
Name | displayName |
OS | operatingSystem |
OS Service Pack | operatingSystemServicePack |
OS Version | operatingSystemVersion |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | objectSid |
Serial Number | serialNumber |
Unique Identifier | entryUUID |
User Principal Name | userPrincipalName |
User Account Control | userAccountControl |
WhenChanged | modifyTimestamp |
WhenCreated | createTimestamp |