Cloud Identity Engine Attributes
An attribute is a named field on a directory object (a user, a computer, a group, or another network entity). Some attributes, such as the Distinguished Name or objectGUID, uniquely identify the object; others describe it. The Cloud Identity Engine collects the default attributes listed below. If your directory uses custom attributes that do not use the following formats, specify the custom formats in the Cloud Identity Engine app (see Collect Custom Attributes with the Cloud Identity Engine).
On-Premises Active Directory
You can collect the following types of default attributes
and their associated Active Directory fields:
User Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
Country | co |
Department | department |
Distinguished Name | dn |
Groups | memberOf |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
Location | l |
MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
Mail | mail |
Manager | manager |
NETBIOS Name | nETBIOSName |
Name | displayName |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | objectSid |
SID History | sIDHistory |
Service Principal Name | servicePrincipalName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
User Account Control | userAccountControl |
When Changed | whenChanged |
Organizational Unit (OU) Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | objectGUID |
When Changed | whenChanged |
Group Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
Distinguished Name | dn |
Group Type | groupType |
Groups | memberOf |
Member | member |
Name | displayName |
Object Class | objectClass |
SAM Account Name | sAMAccountName |
SID | objectSid |
Unique Identifier | objectGUID |
When Changed | whenChanged |
Container Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Canonical Name | canonicalName |
Common-Name | cn |
Distinguished Name | dn |
Name | displayName |
Object Class | objectClass |
Unique Identifier | objectGUID |
When Changed | whenChanged |
Computer Attributes
Palo Alto Networks Attribute | Active Directory Field |
---|---|
Admin Count | adminCount |
Common-Name | cn |
Distinguished Name | dn |
Groups | memberOf |
Host Name | dNSHostName |
Last Login | lastLogon |
Last Logon Time | lastLogonTimestamp |
MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
NETBIOS Name | nETBIOSName |
Name | displayName |
OS | operatingSystem |
OS Service Pack | operatingSystemServicePack |
OS Version | operatingSystemVersion |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | objectSid |
SID History | sIDHistory |
Serial Number | serialNumber |
Service Principal Name | servicePrincipalName |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
User Account Control | userAccountControl |
When Changed | whenChanged |
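Several of the Active Directory fields in the user and computer tables above arrive in raw form over LDAP: objectSid is a binary blob, lastLogon and lastLogonTimestamp are Windows FILETIME tick counts, and userAccountControl and msDS-SupportedEncryptionTypes are bitmasks. The following added example (not Cloud Identity Engine code) decodes those fields and flags the combinations a security engineer looks for when reviewing collected identities, such as an adminCount=1 account that also carries a servicePrincipalName, or an account with pre-authentication disabled. The sample record is constructed; the bit values are the ones defined in MS-ADTS and MS-KILE.

```python
"""Decode the raw Active Directory fields listed in the tables above and flag
security-relevant combinations. Added example (not Cloud Identity Engine code):
the sample record is constructed; bit values are from MS-ADTS / MS-KILE."""
import struct
from datetime import datetime, timedelta, timezone

# userAccountControl bits that matter for authentication risk (MS-ADTS 2.2.16)
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",           # unconstrained delegation
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",                 # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # constrained delegation with protocol transition
}
# msDS-SupportedEncryptionTypes bits (MS-KILE 2.2.7)
ENC_FLAGS = {1: "DES_CBC_CRC", 2: "DES_CBC_MD5", 4: "RC4_HMAC",
             8: "AES128_CTS_HMAC_SHA1_96", 16: "AES256_CTS_HMAC_SHA1_96"}
AES_BITS = 8 | 16
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_flags(value, table):
    """Names of the bits set in an integer bitmask, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def filetime_to_datetime(ticks):
    """lastLogon / lastLogonTimestamp are 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def sid_to_string(raw):
    """objectSid wire format: revision(1) subauth-count(1) authority(6, big-endian)
    then one 4-byte little-endian sub-authority per count."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def assess(record):
    """Turn one directory record (keys are the AD field names from the tables) into findings."""
    uac = decode_flags(record.get("userAccountControl", 0), UAC_FLAGS)
    enc_raw = record.get("msDS-SupportedEncryptionTypes", 0)
    findings = []
    if "DONT_REQ_PREAUTH" in uac:
        findings.append("Kerberos pre-authentication disabled")
    if "TRUSTED_FOR_DELEGATION" in uac:
        findings.append("unconstrained delegation")
    if record.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained delegation to %d service(s)" % len(record["msDS-AllowedToDelegateTo"]))
    if record.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("resource-based constrained delegation configured")
    if record.get("servicePrincipalName") and record.get("adminCount") == 1:
        findings.append("adminCount=1 account has an SPN")
    if enc_raw and not enc_raw & AES_BITS:
        findings.append("no AES Kerberos keys (RC4/DES only)")
    if record.get("sIDHistory"):
        findings.append("sIDHistory populated")
    if "DONT_EXPIRE_PASSWORD" in uac and "ACCOUNTDISABLE" not in uac:
        findings.append("password never expires")
    return {
        "sAMAccountName": record.get("sAMAccountName"),
        "objectSid": sid_to_string(record["objectSid"]) if record.get("objectSid") else None,
        "lastLogonTimestamp": filetime_to_datetime(record.get("lastLogonTimestamp", 0)),
        "userAccountControl": uac,
        "msDS-SupportedEncryptionTypes": decode_flags(enc_raw, ENC_FLAGS),
        "findings": findings,
    }


# Constructed sample: a service account as LDAP would return it (binary SID, FILETIME, bitmasks).
SAMPLE_RECORD = {
    "sAMAccountName": "svc-backup",
    "adminCount": 1,
    "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
    "objectSid": struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big")
                 + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105),
    "lastLogonTimestamp": 133500000000000000,
    "userAccountControl": 0x200 | 0x10000 | 0x400000,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "msDS-SupportedEncryptionTypes": 4,                  # RC4_HMAC only
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECORD).items():
        print("%-30s %s" % (key, value))
```

Run it as a script to see the decoded record; feed `assess` a dict keyed by the AD field names from the tables to check real exports. The lastLogon field is not replicated between domain controllers, so only lastLogonTimestamp (replicated, but up to 14 days stale) is meaningful when the collector reads from a single DC.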
Azure Active Directory
You can collect the following types of default attributes
and their associated Azure Active Directory fields:
User Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
AssignedLicenses | assignedLicenses |
AssignedPlans | AssignedPlans |
BusinessPhones | businessPhones |
CompanyName | companyName |
ConsentProvidedForMonitor | consentProvidedForMonitor |
Country | country |
Department | department |
EmployeeId | employeeId |
FaxNumber | faxNumber |
Given Name | givenName |
Groups | memberOf |
IsResourceAccount | isResourceAccount |
LastPasswordChangeDateTime | lastPasswordChangeDateTime |
LicenseAssignmentStates | licenseAssignmentStates |
Location | officeLocation |
Mail | mail |
MobilePhone | mobilePhone |
Name | displayName |
OnPremisesDistinguishedName | onPremisesDistinguishedName |
OnPremisesExtensionAttributes | onPremisesExtensionAttributes |
OnPremisesImmutableId | onPremisesImmutableId |
OnPremisesLastSyncDateTime | onPremisesLastSyncDateTime |
OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
OnPremisesSamAccountName | onPremisesSamAccountName |
OnPremisesSyncEnabled | onPremisesSyncEnabled |
OtherMails | otherMails |
PasswordPolicies | passwordPolicies |
PasswordProfile | passwordProfile |
PostalCode | postalCode |
PreferredDataLocation | preferredDataLocation |
PreferredLanguage | preferredLanguage |
ProvisionedPlans | provisionedPlans |
ProxyAddresses | proxyAddresses |
SID | onPremisesSecurityIdentifier |
SignInSessionsValidFromDateTime | signInSessionsValidFromDateTime |
State | state |
StreetAddress | streetAddress |
Sur Name | surname |
Title | jobTitle |
Unique Identifier | objectGUID |
UsageLocation | usageLocation |
User Principal Name | userPrincipalName |
UserAccountControl | accountEnabled |
UserType | userType |
WhenChanged | createdDateTime |
onPremisesUserPrincipalName | onPremisesUserPrincipalName |
Group Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
Classification | classification |
DeletedDateTime | deletedDateTime |
Description | description |
Group Type | groupTypes |
Groups | memberOf |
Mail | mail |
Mail Nick Name | mailNickname |
MailEnabled | mailEnabled |
Member | member |
Name | displayName |
OnPremisesLastSyncDateTime | onPremisesLastSyncDateTime |
OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
OnPremisesSecurityIdentifier | onPremisesSecurityIdentifier |
OnPremisesSyncEnabled | onPremisesSyncEnabled |
RenewedDateTime | renewedDateTime |
SAM Account Name | onPremisesSamAccountName |
SID | securityIdentifier |
SecurityEnabled | securityEnabled |
Unique Identifier | objectGUID |
Visibility | visibility |
WhenChanged | createdDateTime |
Computer Attributes
Palo Alto Networks Attribute | Azure Active Directory Field |
---|---|
ComplianceExpirationDateTime | complianceExpirationDateTime |
Device ID | deviceId |
Groups | memberOf |
IsCompliant | isCompliant |
IsManaged | isManaged |
LastLogonTime | approximateLastSignInDateTime |
Manufacturer | manufacturer |
MdmAppId | mdmAppId |
Model | model |
Name | displayName |
OS | operatingSystem |
OSVersion | operatingSystemVersion |
Profile Type | profileType |
Serial Number | deviceId |
SystemLabels | systemLabels |
TrustType | trustType |
Unique Identifier | objectGUID |
UserAccountControl | accountEnabled |
WhenChanged | createdDateTime |
Azure AD SCIM Connector
You can collect the following types of default attributes
and their associated SCIM Connector fields:
User Attributes
The following section lists the default attributes for
users that the Azure AD provisions to Directory Sync using SCIM.
Palo Alto Networks Attribute | Azure SCIM Directory Field |
---|---|
Common-Name | name_formatted |
Country | addresses_work_country |
Department | enterprise_department |
Employee ID | employeeNumber |
FaxNumber | phoneNumbers_fax_value |
Given Name | name_firstName |
Groups | groups |
Location | locale |
Mail | emails_work_value |
MobilePhone | phoneNumbers_mobile_value |
Name | displayName |
PostalCode | addresses_work_postalCode |
PreferredLanguage | preferredLanguage |
PreferredName | nickName |
StreetAddress | addresses_work_streetAddress |
Sur Name | name_familyName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserType | userType |
createdDateTime | meta_created |
Group Attributes
The following section lists the default attributes for
groups that the Azure AD provisions to Directory Sync using SCIM.
Group names (the displayName attribute) must be unique. For more information, refer to Troubleshoot Cloud Identity Engine Issues.
Palo Alto Networks Attribute | Azure SCIM Directory Field |
---|---|
Common-Name | displayName |
Description | displayName |
Member | members |
Name | displayName |
Unique Identifier | objectGUID |
createdDateTime | meta_created |
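The SCIM field names in the two tables above are flattened paths into an RFC 7643 User or Group document: name_formatted is name.formatted, emails_work_value is the value of the emails entry whose type is work, enterprise_department lives under the enterprise extension schema, and meta_created is meta.created. The following added example (not Cloud Identity Engine code) resolves those paths against a constructed SCIM User and checks the group displayName uniqueness requirement stated above. The mapping labels are the page's own; name_firstName is resolved from name.givenName, which is the RFC 7643 sub-attribute name. Treating group names as case-insensitive in the uniqueness check is an assumption made here.

```python
"""Flatten a SCIM 2.0 (RFC 7643) User into the underscore-joined field names used
in the SCIM tables above, and check the group displayName uniqueness the page
requires. Added example, not Cloud Identity Engine code; the documents are constructed."""

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# table field name -> (SCIM attribute, sub-attribute, type filter for multi-valued attributes)
# "name_firstName" is the page's label; the RFC 7643 sub-attribute is name.givenName.
FIELD_MAP = {
    "name_formatted": ("name", "formatted", None),
    "name_firstName": ("name", "givenName", None),
    "name_familyName": ("name", "familyName", None),
    "displayName": ("displayName", None, None),
    "nickName": ("nickName", None, None),
    "userName": ("userName", None, None),
    "title": ("title", None, None),
    "userType": ("userType", None, None),
    "preferredLanguage": ("preferredLanguage", None, None),
    "locale": ("locale", None, None),
    "emails_work_value": ("emails", "value", "work"),
    "phoneNumbers_mobile_value": ("phoneNumbers", "value", "mobile"),
    "phoneNumbers_fax_value": ("phoneNumbers", "value", "fax"),
    "addresses_work_streetAddress": ("addresses", "streetAddress", "work"),
    "addresses_work_postalCode": ("addresses", "postalCode", "work"),
    "addresses_work_country": ("addresses", "country", "work"),
    "enterprise_department": (ENTERPRISE, "department", None),
    "employeeNumber": (ENTERPRISE, "employeeNumber", None),
    "groups": ("groups", "display", "*"),       # "*" collects the sub-attribute from every entry
    "meta_created": ("meta", "created", None),
}


def resolve(doc, attr, sub, type_filter):
    """Resolve one flattened path. Multi-valued complex attributes are lists of dicts
    with a 'type'; single complex attributes (name, meta, extensions) are dicts."""
    node = doc.get(attr)
    if node is None:
        return None
    if isinstance(node, list):
        if type_filter == "*":
            return [item.get(sub) for item in node]
        for item in node:
            if item.get("type") == type_filter:
                return item.get(sub)
        return None                              # no entry of the requested type
    if sub is None:
        return node
    return node.get(sub) if isinstance(node, dict) else None


def flatten_user(user):
    return {field: resolve(user, *spec) for field, spec in FIELD_MAP.items()}


def duplicate_group_names(groups):
    """Group displayNames that collide. Assumption: names compare case-insensitively."""
    seen, dups = set(), set()
    for group in groups:
        key = group.get("displayName", "").casefold()
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


# Constructed SCIM documents, shaped like what a provisioning client sends.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
    "userName": "jdoe@corp.example",
    "displayName": "Jane Doe",
    "nickName": "Jane",
    "title": "Staff Engineer",
    "userType": "Member",
    "preferredLanguage": "en-US",
    "locale": "en-US",
    "name": {"formatted": "Jane Doe", "givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@corp.example", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "mobile"}],
    "addresses": [{"type": "work", "streetAddress": "1 Main St", "postalCode": "94000", "country": "US"}],
    "groups": [{"value": "g1", "display": "Finance"}],
    ENTERPRISE: {"employeeNumber": "10042", "department": "Finance"},
    "meta": {"created": "2023-05-01T10:00:00Z", "resourceType": "User"},
}
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "Finance", "members": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a"}]},
    {"id": "g2", "displayName": "finance", "members": []},
    {"id": "g3", "displayName": "Engineering", "members": []},
]

if __name__ == "__main__":
    for field, value in flatten_user(SAMPLE_USER).items():
        print("%-30s %s" % (field, value))
    print("duplicate group names:", duplicate_group_names(SAMPLE_GROUPS))
```

A field that resolves to None (here phoneNumbers_fax_value) means the provisioning client never sent that entry, so the corresponding attribute will be empty on the Cloud Identity Engine side rather than mis-mapped; check the Azure AD attribute-mapping configuration for the app if a field you expect is consistently missing.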
Okta Directory
You can collect the following types of default attributes
and their associated Okta Directory fields:
User Attributes
Palo Alto Networks Attribute | Okta Directory Fields |
---|---|
City | city |
CompanyName | companyName |
Country | countryCode |
Department | department |
Distinguished Name | dn |
EmployeeId | employeeNumber |
Given Name | firstName |
Groups | memberOf |
Last Login | lastLogin |
LastPasswordChangeDateTime | passwordChanged |
Location | city |
Mail | email |
Manager | managerDN |
MobilePhone | mobilePhone |
Name | displayName |
PostalCode | zipCode |
PreferredLanguage | preferredlanguage |
PreferredName | nickName |
Primary Group ID | primaryGroupID |
SID | objectSid |
State | state |
StreetAddress | streetAddress |
Sur Name | lastName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserAccountControl | activated |
UserType | userType |
WhenChanged | lastUpdated |
createdDateTime | created |
Group Attributes
Palo Alto Networks Attribute | Okta Directory Fields |
---|---|
Description | description |
Group Type | groupTypes |
Groups | memberOf |
Member | member |
Name | name |
SAM Account Name | samAccountName |
SID | objectSid |
Unique Identifier | objectGUID |
WhenChanged | lastUpdated |
createdDateTime | created |
Google Directory
To identify users and apply security policy, the Cloud
Identity Engine collects the following attributes from Google Directory:
User Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
BusinessPhones | phones |
Country | country |
Given Name | givenName |
Groups | memberOf |
Last Logon Time | lastLoginTime |
Location | locations.area |
Mail | primaryEmail |
Name | fullName |
OtherMails | emails |
PreferredLanguage | languages |
SID | etag |
State | state |
StreetAddress | streetAddress |
Sur Name | familyName |
Title | title |
Unique Identifier | objectGUID |
User Principal Name | userName |
UserAccountControl | suspended |
UserType | isAdmin |
createdDateTime | creationTime |
Organizational Unit (OU) Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Description | description |
Name | name |
Unique Identifier | objectGUID |
When Changed | whenChanged |
Group Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Group Type | kind |
Groups | memberOf |
Mail | email |
Member | member |
Name | name |
SAM Account Name | sAMAccountName |
SID | etag |
Unique Identifier | objectGUID |
Computer Attributes
Palo Alto Networks Attribute | Google Directory Field |
---|---|
Common-Name | cn |
Groups | memberOf |
HostName | dNSHostName |
Last Login | lastLogon |
LastLogonTime | lastLogonTimestamp |
NETBIOS Name | nETBIOSName |
Name | displayName |
OS | operatingSystem |
OSServicePack | operatingSystemServicePack |
OSVersion | operatingSystemVersion |
Object Class | objectClass |
Primary Group ID | primaryGroupID |
SAM Account Name | sAMAccountName |
SID | etag |
SID History | sIDHistory |
Serial Number | serialNumber |
Service Principal Name | servicePrincipalName |
Unique Identifier | objectGUID |
User Principal Name | userPrincipalName |
User Account Control | userAccountControl |