Cloud Identity Engine Attributes

An attribute is a unique identifier, such as a Distinguished Name, that correlates to a specific object in the directory, which can be a user, a computer, or another network entity. If your directory uses custom attributes that do not use the following formats, specify the custom formats in the Cloud Identity Engine app (see Collect Custom Attributes with the Cloud Identity Engine).

On-Premises Active Directory

You can collect the following types of default attributes and their associated Active Directory fields:

User Attributes

| Palo Alto Networks Attribute | Active Directory Field |
| --- | --- |
| Common-Name | cn |
| Country | co |
| Department | department |
| Distinguished Name | dn |
| Groups | memberOf |
| Last Login | lastLogon |
| Last Logon Time | lastLogonTimestamp |
| Location | l |
| MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
| MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
| MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
| Mail | mail |
| Manager | manager |
| NETBIOS Name | nETBIOSName |
| Name | displayName |
| Object Class | objectClass |
| Primary Group ID | primaryGroupID |
| SAM Account Name | sAMAccountName |
| SID | objectSid |
| SID History | sIDHistory |
| Service Principal Name | servicePrincipalName |
| Title | title |
| Unique Identifier | objectGUID |
| User Principal Name | userPrincipalName |
| User Account Control | userAccountControl |
| When Changed | whenChanged |

Organizational Unit (OU) Attributes

| Palo Alto Networks Attribute | Active Directory Field |
| --- | --- |
| Canonical Name | canonicalName |
| Common-Name | cn |
| Distinguished Name | dn |
| Name | displayName |
| Object Class | objectClass |
| Unique Identifier | objectGUID |
| When Changed | whenChanged |

Group Attributes

| Palo Alto Networks Attribute | Active Directory Field |
| --- | --- |
| Common-Name | cn |
| Distinguished Name | dn |
| Group Type | groupType |
| Groups | memberOf |
| Member | member |
| Name | displayName |
| Object Class | objectClass |
| SAM Account Name | sAMAccountName |
| SID | objectSid |
| Unique Identifier | objectGUID |
| When Changed | whenChanged |

Container Attributes

| Palo Alto Networks Attribute | Active Directory Field |
| --- | --- |
| Canonical Name | canonicalName |
| Common-Name | cn |
| Distinguished Name | dn |
| Name | displayName |
| Object Class | objectClass |
| Unique Identifier | objectGUID |
| When Changed | whenChanged |

Computer Attributes

| Palo Alto Networks Attribute | Active Directory Field |
| --- | --- |
| Common-Name | cn |
| Distinguished Name | dn |
| Groups | memberOf |
| Host Name | dNSHostName |
| Last Login | lastLogon |
| Last Logon Time | lastLogonTimestamp |
| MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
| MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
| MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
| NETBIOS Name | nETBIOSName |
| Name | displayName |
| OS | operatingSystem |
| OS Service Pack | operatingSystemServicePack |
| OS Version | operatingSystemVersion |
| Object Class | objectClass |
| Primary Group ID | primaryGroupID |
| SAM Account Name | sAMAccountName |
| SID | objectSid |
| SID History | sIDHistory |
| Serial Number | serialNumber |
| Service Principal Name | servicePrincipalName |
| Unique Identifier | objectGUID |
| User Principal Name | userPrincipalName |
| User Account Control | userAccountControl |
| When Changed | whenChanged |

Azure Active Directory

You can collect the following types of default attributes and their associated Azure Active Directory fields:

User Attributes

| Palo Alto Networks Attribute | Azure Active Directory Field |
| --- | --- |
| AssignedLicenses | assignedLicenses |
| AssignedPlans | AssignedPlans |
| BusinessPhones | businessPhones |
| CompanyName | companyName |
| ConsentProvidedForMonitor | consentProvidedForMonitor |
| Country | country |
| Department | department |
| EmployeeId | employeeId |
| FaxNumber | faxNumber |
| Given Name | givenName |
| Groups | memberOf |
| IsResourceAccount | isResourceAccount |
| LastPasswordChangeDateTime | lastPasswordChangeDateTime |
| LicenseAssignmentStates | licenseAssignmentStates |
| Location | officeLocation |
| Mail | mail |
| MobilePhone | mobilePhone |
| Name | displayName |
| OnPremisesDistinguishedName | onPremisesDistinguishedName |
| OnPremisesExtensionAttributes | onPremisesExtensionAttributes |
| OnPremisesImmutableId | onPremisesImmutableId |
| OnPremisesLastSyncDataTime | onPremisesLastSyncDateTime |
| OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
| OnPremisesSamAccountName | onPremisesSamAccountName |
| OnPremisesSyncEnabled | onPremisesSyncEnabled |
| OtherMails | otherMails |
| PasswordPolicies | passwordPolicies |
| PasswordProfile | passwordProfile |
| PostalCode | postalCode |
| PreferredDataLocation | preferredDataLocation |
| PreferredLanguage | preferredLanguage |
| ProvisionedPlans | provisionedPlans |
| ProxyAddresses | proxyAddresses |
| SID | onPremisesSecurityIdentifier |
| SignInSessionsValidFromDateTime | signInSessionsValidFromDateTime |
| State | state |
| StreetAddress | streetAddress |
| Sur Name | surname |
| Title | jobTitle |
| Unique Identifier | objectGUID |
| UsageLocation | usageLocation |
| User Principals Name | userPrincipalName |
| UserAccountControl | accountEnabled |
| UserType | userType |
| WhenChanged | createdDateTime |
| onPremisesUserPrincipalName | onPremisesUserPrincipalName |

Group Attributes

| Palo Alto Networks Attribute | Azure Active Directory Field |
| --- | --- |
| Classification | classification |
| DeletedDateTime | deletedDateTime |
| Description | description |
| Group Type | groupTypes |
| Groups | memberOf |
| Mail | mail |
| Mail Nick Name | mailNickname |
| MailEnabled | mailEnabled |
| Member | member |
| Name | displayName |
| OnPremisesLastSyncDateTime | onPremisesLastSyncDateTime |
| OnPremisesProvisioningErrors | onPremisesProvisioningErrors |
| OnPremisesSecurityIdentifier | onPremisesSecurityIdentifier |
| OnPremisesSyncEnabled | onPremisesSyncEnabled |
| RenewedDateTime | renewedDateTime |
| SAM Account Name | onPremisesSamAccountName |
| SID | securityIdentifier |
| SecurityEnabled | securityEnabled |
| Unique Identifier | objectGUID |
| Visibility | visibility |
| WhenChanged | createdDateTime |

Computer Attributes

| Palo Alto Networks Attribute | Azure Active Directory Field |
| --- | --- |
| ComplianceExpirationDateTime | complianceExpirationDateTime |
| Device ID | deviceId |
| Groups | memberOf |
| IsCompliant | isCompliant |
| IsManaged | isManaged |
| LastLogonTime | approximateLastSignInDateTime |
| Manufacturer | manufacturer |
| MdmAppId | mdmAppId |
| Model | model |
| Name | displayName |
| OS | operatingSystem |
| OSVersion | operatingSystemVersion |
| Profile Type | profileType |
| Serial Number | deviceId |
| SystemLabels | systemLabels |
| TrustType | trustType |
| Unique Identifier | objectGUID |
| UserAccountControl | accountEnabled |
| WhenChanged | createdDateTime |

Okta Directory

You can collect the following types of default attributes and their associated Okta Directory fields:

User Attributes

| Palo Alto Networks Attribute | Okta Directory Fields |
| --- | --- |
| City | city |
| CompanyName | companyName |
| Country | countryCode |
| Department | department |
| Distinguished Name | dn |
| EmployeeId | employeeNumber |
| Given Name | firstName |
| Groups | memberOf |
| Last Login | lastLogin |
| LastPasswordChangeDateTime | passwordChanged |
| Location | city |
| Mail | email |
| Manager | managerDN |
| MobilePhone | mobilePhone |
| Name | displayName |
| PostalCode | zipCode |
| PreferredLanguage | preferredlanguage |
| PreferredName | nickName |
| Primary Group ID | primaryGroupID |
| SID | objectSid |
| State | state |
| StreetAddress | streetAddress |
| Sur Name | lastName |
| Title | title |
| Unique Identifier | objectGUID |
| User Principal Name | userName |
| UserAccountControl | activated |
| UserType | userType |
| WhenChanged | lastUpdated |
| createdDateTime | created |

Group Attributes

| Palo Alto Networks Attribute | Okta Directory Fields |
| --- | --- |
| Description | description |
| Group Type | groupTypes |
| Groups | memberOf |
| Member | member |
| Name | name |
| SAM Account Name | samAccountName |
| SID | objectSid |
| Unique Identifier | objectGUID |
| WhenChanged | lastUpdated |
| createdDateTime | created |

Google Directory

To identify users and apply security policy, the Cloud Identity Engine collects the following attributes from Google Directory:

User Attributes

| Palo Alto Networks Attribute | Google Directory Field |
| --- | --- |
| BusinessPhones | phones |
| Country | country |
| Given Name | givenName |
| Groups | memberOf |
| Last Logon Time | lastLoginTime |
| Location | locations |
| Mail | primaryEmail |
| Name | fullName |
| OtherMails | emails |
| PreferredLanguage | languages |
| SID | etag |
| State | state |
| StreetAddress | streetAddress |
| Sur Name | familyName |
| Title | title |
| Unique Identifier | objectGUID |
| User Principal Name | userName |
| UserAccountControl | suspended |
| UserType | isAdmin |
| createdDateTime | creationTime |

Organizational Unit (OU) Attributes

| Palo Alto Networks Attribute | Google Directory Field |
| --- | --- |
| Description | description |
| Name | name |
| Unique Identifier | objectGUID |
| When Changed | whenChanged |

Group Attributes

| Palo Alto Networks Attribute | Google Directory Field |
| --- | --- |
| Group Type | kind |
| Groups | memberOf |
| Mail | email |
| Member | member |
| Name | name |
| SAM Account Name | sAMAccountName |
| SID | etag |
| Unique Identifier | objectGUID |

Computer Attributes

| Palo Alto Networks Attribute | Google Directory Field |
| --- | --- |
| Common-Name | cn |
| Groups | memberOf |
| HostName | dNSHostName |
| Last Login | lastLogon |
| LastLogonTime | lastLogonTimestamp |
| NETBIOS Name | nETBIOSName |
| Name | displayName |
| OS | operatingSystem |
| OSServicePack | operatingSystemServicePack |
| OSVersion | operatingSystemVersion |
| Object Class | objectClass |
| Primary Group ID | primaryGroupID |
| SAM Account Name | sAMAccountName |
| SID | etag |
| SID History | sIDHistory |
| Serial Number | serialNumber |
| Service Principal Name | servicePrincipalName |
| Unique Identifier | objectGUID |
| User Principal Name | userPrincipalName |
| User Account Control | userAccountControl |
