FAQ: Where are My App Tiles, Instances, Roles, and More
    : FAQ: Where are My App Tiles, Instances, Roles, and More
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. FAQ: Where are My App Tiles, Instances, Roles, and More
    4. FAQ: Where are My App Tiles, Instances, Roles, and More
    Download PDF

    FAQ: Where are My App Tiles, Instances, Roles, and More

    FAQ: Where are My App Tiles, Instances, Roles, and More

    Table of Contents

    FAQ: Where are My App Tiles, Instances, Roles, and More

    Frequently asked questions regarding changes to the hub, apps, subscription management, tenant management, tsg migration, identity and access management, and more.
    The following topics address frequently asked questions regarding changes to the hub, apps, subscription management, tenant management, identity and access management, and more. You might have different questions if you are moving to Strata Cloud Manager.

    What is the TSG migration?

    You have likely received information about the transition of your Prisma Access instance, Prisma SD-WAN instance, or other app instance to a tenant or Tenant Service Group (TSG) in the Strata Cloud Manager or the hub. The ultimate goal is to provide you with an integrated experience. A foundational step in that direction is tenant migration.
    The process of migrating Prisma Access app instances (for example) from a Customer Support Portal model to a tenant model is still in progress. Along with the Prisma Access instances, all their dependencies such as Strata Logging Service and Cloud Identity Engine (CIE) instances also get migrated. The tenant migration happens on a rolling basis, so Prisma Access & Prisma SD-WAN instances and dependent apps get migrated at different times. The app tiles remain on the original support account view of the hub as long as there are non-migrated instances in that Customer Support Portal. After all your instances are migrated, you no longer see the app tile on the hub. However, there is a button on the hub to navigate to your tenant on the Strata Multitenant Cloud Manager. There is also a new tenant view of the hub for your transitioned tenants.
    For apps in the tenant view, use Common Services for license activation, subscription management, tenant management, and identity and access management. There are a few ways to access Common Services and view apps by tenant:
    First Time ActivationStrata Multitenant Cloud ManagerTenant View of the hubAIOps for NGFW
    If you are activating a license for the first time, you are automatically directed to Common ServicesSubscription & Tenant Management during the activation process.
    If you have received information about the transition of your tenant to the Strata Multitenant Cloud Manager, you can access through sase.paloaltonetworks.com or through the original support account view of the hubStrata Multitenant Cloud Manager button Tenants and ServicesCommon ServicesSubscription & Tenant Management.
    To access Common Services directly from the hub, toggle to tenant view of the hubCommon Services Subscription & Tenant Management
    If you have received information about the transition of your AIOps instance to a tenant, you can access through AIOpsSettingsSubscription & Tenant Management.

    Where are my instances?

    The original support account view of the hub and the tenant view of the hub are two completely independent platforms and not just different UI themes. They use different authentication and authorization methods. A given instance can either be accessed from the support account view or the tenant view, but never from both.
    In the following example, Customer Support Portal Alvisofin Corp has multiple Strata Logging Service, Prisma Access, and CIE instances that are visible on the original support account view of the hub before migration. The two Prisma Access instances along with their dependent apps, Strata Logging Service and CIE, are then migrated to TSGs. After the migration, the migrated Prisma Access, Strata Logging Service, and CIE tenants will only show up on the tenant view of the hub, but the Alvisofin Corp Strata Logging Service - AU instance that was not associated with any Prisma Access instance is still only visible from the original support account view of the hub.

    Where is my list of support accounts?

    When Palo Alto Networks migrates an instance of an app to a tenant, it automatically creates a new TSG name where the TSG ID is appended to the Customer Support Portal name. If multiple Prisma Access instances or multiple app instances exist in the same Customer Support Portal support account, then multiple tenants are created. After the migration, in the tenant name list in the tenant view of the hub, there are now multiple entries with the Customer Support Portal name appended with the instance name and the new TSG ID.
    After the migration, the tenant name list looks as follows, pinned in the tenant view of the hub. You can dismiss the pin as well as pin it again. You can search for your tenants either by name or by ID.
    You can edit the tenant name from Common ServicesTenant ManagementTenant nameEdit Tenant.

    What is the replacement for the Explore app?

    The Explore app is designed for use with Customer Support Portal accounts, where you can switch between different Strata Logging Service and CIE instances within the same Customer Support Portal. The functionality is not available for TSGs. Since the TSG tenant is the data boundary, it is not allowed to view logs across tenants.
    As an alternative, you can use embedded Log Viewer in the Strata Multitenant Cloud Manager or the embedded Explore in Strata Logging Service.
    You can switch between products or tenants to see logs from different Strata Logging Service apps or CIE apps through the tenant, or launch different Strata Logging Service tenants from the tenant view of the hub.

    How do I generate the OTP or associate CIE?

    In the original support account view of the hub, the Panorama tile showed the Panorama instances for managing Prisma Access, but not the Panorama instances for managing the Next Generation Firewall (NGFW). Unlike other tiles in the original support account view of the hub, clicking on any of these Panorama tiles did not open the Panorama UI. There were two operations that you could do with the Panorama tiles:
    • Generate a One Time Password (OTP) for Panorama
    • Associate CIE to the Prisma Access instance it manages
    In the tenant view of the hub, there is no benefit in showing the Panorama tile, so it is removed. In the tenant view of the hub, a Prisma Access tenant is created for every Panorama-managed Prisma Access instance during the TSG migration. The CIE association with Prisma Access is automatically done either during migration or during onboarding. There is no need to explicitly associate CIE as it was previously done in the original support account view of the hub.
    The OTP can be generated during license activation for for Panorama-Managed or from Common ServicesTenant ManagementTenant nameGenerate OTP.

    Where are my roles?

    The original support account view of the hub and the tenant view of the hub have different authentication and authorization methods. The original support account view of the hub uses our RBAC based role access model, while the tenant view of the hub uses Common Services: Identity & Access Management (IAM) for access and role management.
    In the tenant view of the hub, the dependency on the Customer Support Portal and RBAC roles is removed. All users need a role in the IAM system to access TSGs and TSG-based tenants. When instances are migrated from the original support account view of the hub to the tenant view of the hub, all the users and their access permissions are also migrated to the IAM system. New IAM role names and permissions automatically get assigned, which are equivalent to the previous RBAC roles.
    Roles in the original support account view of the hub and the tenant view of the hub are not shared, and it is only during the initial instance migration that RBAC roles are migrated to IAM roles.
    For migrated tenants, existing users who had access before the migration will still have access after migration. But if new users need to be added to the tenants, different steps need to be followed to add user access. The admins who can add user access are those with Multitenant Superuser or IAM Administrator roles, depending on the app. Users in the tenant view of the hub are not required to be added to Customer Support Portal accounts unless needed to operate onboarding or offboarding tasks.
    You can see the users and roles from Common ServicesIdentity & accessAccess Management. Find out more about identity and access.
    App
    RBAC Role
    RBAC Scope
    IAM Roles
    IAM Scope
    N/A
    Account Administrator
    Support Account
    Superuser (Multitenant Superuser)
    TSG
    Any
    App Administrator
    App
    Superuser (Multitenant Superuser)
    App
    Instance Administrator
    App Instance
    Superuser (Multitenant Superuser)
    App
    Strata Logging Service
    Log Viewer Admin
    App Instance
    SOC Analyst
    App
    CIE
    Deployment Admin
    App Instance
    Deployment Administrator
    App
    IoT
    Owner
    App Instance
    Superuser (Multitenant Superuser)
    App
    Administrator
    App Instance
    Superuser (Multitenant Superuser)
    App
    Read-Only
    App Instance
    View Only Administrator
    App
    Deployment
    App Instance
    Deprecated
    Prisma Access
    Super Reader
    App Instance
    View Only Administrator
    App
    Audit Admin
    App Instance
    Auditor
    App
    Crypto Admin
    App Instance
    Deprecated
    Security Admin
    App Instance
    Security Administrator
    App
    Web Security Admin
    App Instance
    Web Security Administrator
    App
    Data Loss Prevention Admin
    App Instance
    Superuser (assigned to DLP app)
    App
    Data Security Admin
    App Instance
    Data Security Administrator
    App
    SaaS Admin
    App Instance
    Superuser (assigned to SaaS app)
    App
    Prisma SD-WAN
    esp_super + tenant_super + esp_machine_admin+ esp_admin
    App Instance
    Multitenant Superuser
    TSG
    tenant_super
    App Instance
    Superuser
    TSG (if the only app being migrated is Prisma SD-WAN, otherwise App)
    tenant_view_only
    App Instance
    View Only Administrator
    App
    tenant_iam_admin
    App Instance
    IAM Administrator
    TSG (if the only app being migrated is Prisma SD-WAN, otherwise App)
    esp_iam_admin + tenant_iam_admin
    App Instance
    Multitenant IAM Administrator
    TSG (if the only app being migrated is Prisma SD-WAN, otherwise App)
    tenant_network_admin
    App Instance
    Network Administrator
    App
    tenant_security_admin
    App Instance
    Security Administrator
    App

    Which applications are supported in the tenant view of the hub?

    Apps and add-ons with full TSG support (migration still in progress on a rolling basis):
    • Prisma Access (including Enterprise DLP and SaaS Security in Cloud-managed Prisma Access, including Prisma Access (Managed by Panorama))
    • Strata Logging Service
    • CIE
    • ELA with the AIOps for NGFW add-on or the IoT Security add-on
    • Prisma SD-WAN
    • AIOps
    • IoT Security
    Apps and add-ons that remain in the original support account view of the hub:
    • Prisma Cloud
    • SAAS Inline NGFW
    • XSOAR Marketplace
    Apps removed from the tenant view of the hub:
    • Explore

    © 2025 Palo Alto Networks, Inc. All rights reserved.