>
    Strata Copilot
    Cloud Identity Engine Attributes
    Focus
    Download PDF
    Focus
    1. Home
    2. Identity
    3. Manage the Cloud Identity Engine App
    4. Cloud Identity Engine Attributes
    Download PDF
    Identity

    Cloud Identity Engine Attributes

    Table of Contents

    Cloud Identity Engine Attributes

    Where Can I Use This?What Do I Need?
    • NGFW
    • Prisma Access
    		The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.
    An attribute is a unique identifier, such as a Distinguished Name, that correlates to a specific object in the directory, which can be a user, a computer, or another network entity. If your directory uses custom attributes that don’t use the following formats, specify the custom formats in the Cloud Identity Engine app (see Collect Custom Attributes with the Cloud Identity Engine).
    To provide granular context for security policies and event logging, the Cloud Identity Engine automatically collects a comprehensive set of default attributes from your configured directories. For on-premises solutions like Active Directory and OpenLDAP, this includes standard identifiers such as sAMAccountName, userPrincipalName, mail, and group memberships defined by memberOf. OpenLDAP specifically requires the entryUUID attribute to successfully identify objects.
    Cloud-based directories offer similar attribute mappings tailored to their specific schemas. For instance, Microsoft Entra ID (formerly Azure AD) synchronizes extensive user details, device compliance states, and role assignments to help prevent privilege escalation. Similarly, Okta and Google Directory integrations map fields like primaryEmail or nickName to standard Cloud Identity Engine attributes to ensure consistency across different identity providers. If you utilize the SCIM Connector, you gain further control by customizing exactly which attributes—such as enterprise_department—are provisioned to the engine. You can verify that these attributes are populating correctly by viewing the raw directory data within the Cloud Identity Engine app.
    Verify that your attributes are valid before attempting to sync the attributes. If one or more attributes are not valid, the initial sync isn’t successful.

    Cloud Identity Engine Attributes (Active Directory)

    Learn about On-Premise Active Directory attributes.
    You can collect the following types of default attributes and their associated On-Premise Active Directory fields:

    User Attributes

    Directory Sync AttributeDirectory Field
    Admin CountadminCount
    Common-Namecn
    CompanyNamecompanyName
    Countryco
    Departmentdepartment
    Distinguished Namedn
    GroupsmemberOf
    Last LoginlastLogon
    LastLogonTimelastLogonTimestamp
    Locationl
    MSDSAllowedDelegatedTomsDS-AllowedToDelegateTo
    MSDSAllowedToActOnBehalfOfOtherIdentitymsDS-AllowedToActOnBehalfOfOtherIdentity
    MSDSSupportedEncryptionTypesmsDS-SupportedEncryptionTypes
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		mail
    Managermanager
    NETBIOS NamenETBIOSName
    NamedisplayName
    Object ClassobjectClass
    Primary Group IDprimaryGroupID
    SAM Account NamesAMAccountName
    SIDobjectSid
    SID HistorysIDHistory
    Service Principal NameservicePrincipalName
    Titletitle
    Unique IdentifierobjectGUID
    User Principal NameuserPrincipalName
    UserAccountControluserAccountControl
    WhenChangedwhenChanged
    WhenCreatedwhenCreated

    Organizational Unit (OU) Attributes

    Directory Sync AttributeDirectory Field
    Canonical NamecanonicalName
    Common-Namecn
    Distinguished Namedn
    NamedisplayName
    Object ClassobjectClass
    Unique IdentifierobjectGUID
    When ChangedwhenChanged
    WhenCreatedwhenCreated

    Group Attributes

    Directory Sync AttributeDirectory Field
    Admin CountadminCount
    Common-Namecn
    Distinguished Namedn
    Group TypegroupType
    GroupsmemberOf
    Mail mail
    Membermember
    Namename
    Object ClassobjectClass
    SAM Account NamesAMAccountName
    SIDobjectSid
    Unique IdentifierobjectGUID
    WhenChangedwhenChanged
    WhenCreatedwhenCreated

    Container Attributes

    Directory Sync AttributeDirectory Field
    Canonical NamecanonicalName
    Common-Namecn
    Distinguished Namedn
    Domaindomain
    NamedisplayName
    Object ClassobjectClass
    Unique IdentifierobjectGUID
    WhenChangedwhenChanged
    WhenCreatedwhenCreated

    Computer Attributes

    Directory Sync AttributeDirectory Field
    Admin CountadminCount
    Common-Namecn
    Distinguished Namedn
    GroupsmemberOf
    HostID_hostId
    Host NamedNSHostName
    Last LoginlastLogon
    LastActiveDaysAgolastActiveDaysAgo
    LastLogonTimelastLogonTimestamp
    MSDSAllowedDelegatedTomsDS-AllowedToDelegateTo
    MSDSAllowedToActOnBehalfOfOtherIdentitymsDS-AllowedToActOnBehalfOfOtherIdentity
    MSDSSupportedEncryptionTypesmsDS-SupportedEncryptionTypes
    NETBIOS NamenETBIOSName
    NamedisplayName
    OSoperatingSystem
    OSServicePackoperatingSystemServicePack
    OSVersionoperatingSystemVersion
    Object ClassobjectClass
    Primary Group IDprimaryGroupID
    SAM Account NamesAMAccountName
    SIDobjectSid
    SID HistorysIDHistory
    Serial NumberserialNumber
    Service Principal NameservicePrincipalName
    Unique IdentifierobjectGUID
    User Principal NameuserPrincipalName
    UserAccountControluserAccountControl
    WhenChangedwhenChanged
    WhenCreatedwhenCreated

    Cloud Identity Engine Attributes (OpenLDAP)

    Learn about OpenLDAP attributes.
    You can collect the following types of default attributes and their associated Active Directory fields:

    User Attributes

    Directory Sync AttributeOpenLDAP Directory Field
    Common-Namecn
    Countryco
    Departmentdepartment
    Distinguished Namedn
    GroupsmemberOf
    Last LoginlastLogon
    LastLogonTimelastLogonTimestamp
    Locationl
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		mail
    Managermanager
    NamedisplayName
    Object ClassobjectClass
    SAM Account NamesAMAccountName
    SIDobjectSid
    Titletitle
    Unique Identifier
    entryUUID
    OpenLDAP requires this attribute.
    User Principal NameuserPrincipalName
    WhenChangedmodifyTimestamp
    WhenCreatedcreateTimestamp

    Organizational Unit (OU) Attributes

    Directory Sync AttributeOpenLDAP Directory Field
    Canonical NamecanonicalName
    Common-Namecn
    Distinguished Namedn
    NamedisplayName
    Object ClassobjectClass
    Unique IdentifierentryUUID
    WhenChangedmodifyTimestamp
    WhenCreatedcreateTimestamp

    Group Attributes

    Directory Sync AttributeOpenLDAP Directory Field
    Common-Namecn
    Distinguished Namedn
    Group TypegroupType
    GroupsmemberOf
    Mail mail
    MemberuniqueMember
    Namename
    Object Class
    objectClass
    For OpenLDAP, the groups' objectClass must be groupOfUniqueNames.
    Unique IdentifierentryUUID
    WhenChangedmodifyTimestamp
    WhenCreatedcreateTimestamp

    Container Attributes

    Directory Sync AttributeOpenLDAP Directory Field
    Canonical NamecanonicalName
    Common-Namecn
    Distinguished Namedn
    Domaindomain
    NamedisplayName
    Object ClassobjectClass
    Unique IdentifierentryUUID
    WhenChangedmodifyTimestamp
    WhenCreatedcreateTimestamp

    Computer Attributes

    Directory Sync AttributeOpenLDAP Field
    Common-Namecn
    Distinguished Namedn
    GroupsmemberOf
    HostNamedNSHostName
    Last LoginlastLogon
    LastLogonTimelastLogonTimestamp
    NETBIOS NamenETBIOSName
    NamedisplayName
    OSoperatingSystem
    OSServicePackoperatingSystemServicePack
    OSVersionoperatingSystemVersion
    Object ClassobjectClass
    Primary Group IDprimaryGroupID
    SAM Account NamesAMAccountName
    SIDobjectSid
    Serial NumberserialNumber
    Unique IdentifierentryUUID
    User Principal NameuserPrincipalName
    User Account ControluserAccountControl
    WhenChangedmodifyTimestamp
    WhenCreated createTimestamp

    Cloud Identity Engine Attributes (Azure)

    Learn about Entra-ID / Azure attributes.
    You can collect the following types of default attributes and their associated Active Directory fields:

    User Attributes

    Directory Sync AttributeDirectory Field
    BusinessPhonesbusinessPhones
    CompanyNamecompanyName
    Countrycountry
    Departmentdepartment
    EmployeeIdemployeeId
    FaxNumberfaxNumber
    Given NamegivenName
    GroupsmemberOf
    IsResourceAccountisResourceAccount
    LastPasswordChangeDateTimelastPasswordChangeDateTime
    LocationofficeLocation
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		mail
    Managermanager
    MobilePhonemobilePhone
    NamedisplayName
    OnPremisesDistinguishedNameonPremisesDistinguishedName
    OnPremisesDomainNameonPremisesDomainName
    OnPremisesExtensionAttributesonPremisesExtensionAttributes
    OnPremisesImmutableIdonPremisesImmutableId
    OnPremisesLastSyncDataTimeonPremisesLastSyncDateTime
    OnPremisesProvisioningErrorsonPremisesProvisioningErrors
    OnPremisesSamAccountNameonPremisesSamAccountName
    OnPremisesSyncEnabledonPremisesSyncEnabled
    OtherMailsotherMails
    PasswordPoliciespasswordPolicies
    PasswordProfilepasswordProfile
    PostalCodepostalCode
    PreferredLanguagepreferredLanguage
    SignInSessionsValidFromDateTimesignInSessionsValidFromDateTime
    Statestate
    StreetAddressstreetAddress
    Sur Namesurname
    TitlejobTitle
    Unique IdentifierobjectGUID
    UsageLocationusageLocation
    User Principal NameuserPrincipalName
    UserAccountControlaccountEnabled
    UserTypeuserType
    createdDateTimecreatedDateTime
    onPremisesSecurityIdentifieronPremisesSecurityIdentifier
    onPremisesUserPrincipalNameonPremisesUserPrincipalName

    Role Assignments Attributes

    The Cloud Identity Engine only collects these attributes if you select the Collect Roles and Administrators (Administrative roles) option when you set up your Azure directory.
    Directory Sync AttributeDirectory Field
    Descriptiondescription
    Is BuiltinisBuiltIn
    Is EnabledisEnabled
    NamedisplayName
    Role PermissionsrolePermissions
    Template IdtemplateId
    Unique IdentifierobjectGUID

    Group Attributes

    Directory Sync AttributeDirectory Field
    Classificationclassification
    DeletedDateTimedeletedDateTime
    Descriptiondescription
    Group TypegroupTypes
    GroupsmemberOf
    Mail mail
    Mail Nick NamemailNickname
    MailEnabledmailEnabled
    Membermember
    NamedisplayName
    OnPremisesDomainNameonPremisesDomainName
    OnPremisesLastSyncDateTimeonPremisesLastSyncDateTime
    OnPremisesProvisioningErrorsonPremisesProvisioningErrors
    OnPremisesSecurityIdentifieronPremisesSecurityIdentifier
    OnPremisesSyncEnabledonPremisesSyncEnabled
    RenewedDateTimerenewedDateTime
    SAM Account NameonPremisesSamAccountName
    SIDsecurityIdentifier
    SecurityEnabledsecurityEnabled
    Unique IdentifierobjectGUID
    Visibilityvisibility
    createdDateTimecreatedDateTime

    Computer Attributes

    Directory Sync AttributeDirectory Field
    ComplianceExpirationDateTimecomplianceExpirationDateTime
    Device ID deviceId
    GroupsmemberOf
    IsCompliantisCompliant
    IsManagedisManaged
    LastLogonTimeapproximateLastSignInDateTime
    Manufacturermanufacturer
    MdmAppIdmdmAppId
    Modelmodel
    NamedisplayName
    OSoperatingSystem
    OSVersionoperatingSystemVersion
    ProfileTypeprofileType
    Serial NumberdeviceId
    SystemLabelssystemLabels
    TrustTypetrustType
    Unique IdentifierobjectGUID
    UserAccountControlaccountEnabled
    createdDateTimecreatedDateTime

    Application Attributes

    Directory Sync AttributeDirectory Field
    App IdappId
    App RolesappRoles
    Application TemplateIdapplicationTemplateId
    Descriptiondescription
    DisabledByMicrosoftStatusdisabledByMicrosoftStatus
    Identifier UrisidentifierUris
    NamedisplayName
    Unique IdentifierobjectGUID
    createdDateTimecreatedDateTime
    webweb

    Cloud Identity Engine Attributes (SCIM)

    Learn about SCIM attributes.
    You can collect the following types of default attributes and their associated SCIM Connector fields:

    User Attributes

    The following section lists the default attributes for users that the directory provisions to Directory Sync using SCIM.
    Directory Sync AttributeSCIM Field
    Common-Namename_formatted
    CompanyNameaddresses_work_formatted
    Countryaddresses_work_country
    Departmententerprise_department
    EmployeeIdenterprise_employeeNumber
    FaxNumberphoneNumbers_fax_value
    Given Namename_firstName
    Groupsgroups
    Locationaddresses_work_locality
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		emails_work_value
    MobilePhonephoneNumbers_mobile_value
    NamedisplayName
    PostalCodeaddresses_work_postalCode
    PreferredLanguagepreferredLanguage
    PreferredNamenickName
    StreetAddressaddresses_work_streetAddress
    Sur Namename_familyName
    Titletitle
    Unique IdentifierobjectGUID
    User Principal NameuserName
    UserTypeuserType
    The SCIM gallery app does not support the userType attribute.
    createdDateTimemeta_created

    Group Attributes

    The following section lists the default attributes for groups that the directory provisions to Directory Sync using SCIM.
    Group names for the displayName attribute must be unique. For more information, refer to Troubleshoot Cloud Identity Engine Issues.
    Directory Sync AttributeSCIM Field
    DescriptiondisplayName
    Group TypegroupTypes
    Membermembers
    NamedisplayName
    Unique IdentifierobjectGUID
    createdDateTimemeta_created

    Cloud Identity Engine Attributes (Okta)

    Learn about Okta attributes.
    You can collect the following types of default attributes and their associated Okta Directory fields:

    User Attributes

    Directory Sync AttributeOkta Directory Fields
    Citycity
    CompanyNamecompanyName
    CountrycountryCode
    Departmentdepartment
    Distinguished Namedn
    EmployeeIdemployeeNumber
    Given NamefirstName
    GroupsmemberOf
    Last LoginlastLogin
    LastPasswordChangeDateTimepasswordChanged
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		email
    ManagermanagerDN
    MobilePhonemobilePhone
    NamedisplayName
    PostalCodezipCode
    PreferredLanguagepreferredlanguage
    PreferredNamenickName
    Primary Group IDprimaryGroupID
    SIDobjectSid
    Statestate
    StreetAddressstreetAddress
    Sur NamelastName
    Titletitle
    Unique IdentifierobjectGUID
    User Principal NameuserName
    UserAccountControlstatus
    UserTypeuserType
    createdDateTimecreated

    Group Attributes

    Directory Sync AttributeOkta Directory Fields
    Descriptiondescription
    Group TypegroupTypes
    GroupsmemberOf
    Membermember
    Namename
    SAM Account NamesamAccountName
    SIDobjectSid
    Unique IdentifierobjectGUID
    createdDateTimecreated

    Application Attributes

    Directory Sync AttributeOkta Directory Field
    App IdappId
    Client Uriclient_uri
    Descriptiondescription
    NamedisplayName
    Unique IdentifierobjectGUID

    Cloud Identity Engine Attributes (Google)

    Learn about Google attributes.
    To identify users and apply security policy, the Cloud Identity Engine collects the following attributes from Google Directory:

    User Attributes

    Directory Sync AttributeGoogle Directory Field
    BusinessPhonesphones
    Countrycountry
    Given NamegivenName
    GroupsmemberOf
    LastLogonTimelastLoginTime
    Locationlocations.area
    Mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the value of the User Principal Name.
    		primaryEmail
    NamefullName
    OtherMailsemails
    PreferredLanguagelanguages
    SIDid
    Statestate
    StreetAddressstreetAddress
    Sur NamefamilyName
    Titletitle
    Unique IdentifierobjectGUID
    User Principal NameuserName
    UserAccountControlsuspended
    UserTypeisAdmin
    createdDateTimecreationTime

    Organizational Unit (OU) Attributes

    Directory Sync AttributeGoogle Directory Field
    Descriptiondescription
    Namename
    Unique IdentifierobjectGUID

    Group Attributes

    Directory Sync AttributeGoogle Directory Field
    Group Typekind
    GroupsmemberOf
    Mail email
    Membermember
    Namename
    SIDid
    Unique IdentifierobjectGUID

    Computer Attributes

    Directory Sync AttributeGoogle Directory Field
    GroupsmemberOf
    HostNamedNSHostName
    Last LoginlastLogon
    LastLogonTimelastLogonTimestamp
    NETBIOS NamenETBIOSName
    OSoperatingSystem
    OSServicePackoperatingSystemServicePack
    OSVersionoperatingSystemVersion
    Primary Group IDprimaryGroupID
    SIDdeviceId
    SID HistorysIDHistory
    Serial NumberserialNumber
    Service Principal NameservicePrincipalName
    Unique IdentifierobjectGUID
    User Principal NameuserPrincipalName
    UserAccountControlstatus

    © 2026 Palo Alto Networks, Inc. All rights reserved.