: Access and Identity enables you to add user access to the platform as
well as to the tenants you created.
If you are a
customer, you can use IP Session Lock for restricting access by
client source IP address and also for legacy API auth token purposes, but general
user management is done here.
A Palo Alto Networks Customer Support Account is only necessary for users who need to perform
onboarding tasks. Other users can be invited to use Palo Alto Networks single
sign on without Customer Support Accounts. Be aware that not all apps are fully
migrated to use Identity and Access, so still might
need to use Customer Support Accounts. However, If you integrate with a third party IDP for your
enterprise, you do not have to add user accounts explicitly in the platform as
they will be automatically added when they are successfully authenticated.
However, roles need to be assigned for all users. To ensure a seamless login and
authorization experience for your users, you can add users and assign roles for
them ahead of time.