Manage: Cloud Identity Engine

Strata Cloud Manager

Manage: Cloud Identity Engine

Table of Contents

Manage: Cloud Identity Engine

Learn to manage your Cloud Identity Distribution in
Strata Cloud Manager
Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
  • Prisma Access
Cloud Identity Engine (Directory Sync) gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups.
Cloud Identity Engine works with both on-premises Active Directory and Azure Active Directory.
To set up Cloud Identity Engine with Prisma Access, start by going to the hub to activate Cloud Identity Engine and to add it to Prisma Access. Then go to Prisma Access to validate that Prisma Access is able to access directory data.
  1. Activate Cloud Identity Engine
    Cloud Identity Engine can share Active Directory information with any supported app on the hub. It’s free and does not require an auth code to get started. Cloud Identity Engine setup includes activating the Cloud Identity Engine app on the hub, configuring the Cloud Identity Engine agent to gather Active Directory mappings, and configuring mutual authentication between Cloud Identity and and the agent.
    Make sure to deploy the Cloud Identity Engine instance in the same region that you deployed Prisma Access and Cortex Data Lake.
  2. Enable Cloud Identity Engine for Prisma Access.
    You can associate Prisma Access with Cloud Identity Engine when you’re first activating Prisma Access or anytime after:
    • While you’re activating Prisma Access:
      When you first activate Cloud Managed Prisma Access, you can choose a Cloud Identity Engine instance for Prisma Access to use. Make sure to select an instance that is deployed in the same region as Prisma Access.
    • After you’ve activated Prisma Access:
      To enable Cloud Identity Engine for an existing Prisma Access instance, log in to the hub. From the hub settings dropdown (see the gear on the top menu bar), select
      Manage Apps
      . Find the Prisma Access instance you want to update, and select the Cloud Identity Engine instance you want Prisma Access to use.
  3. Confirm that Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity Engine is sharing directory information with Prisma Access.
    • Check that you can see your directories in Prisma Access.
      Go to
      Identity Services
      Cloud Identity Engine
    • Verify that you can add users and groups to a policy rule.
      Security Services
      . In a security or decryption policy rule, check that the
      dropdown displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policy rules.
      traffic that isn't being enforced as expected–check the status of specific firewalls to understand whether there’s a mismatch between expected policies (as configured) and enforced policies.

Recommended For You