Set Up an Entra ID Directory
Table of Contents
Expand all | Collapse all
-
- Cloud Identity Engine Attributes
- Collect Custom Attributes with the Cloud Identity Engine
- View Directory Data
- Cloud Identity Engine User Context
- Create a Cloud Dynamic User Group
- Configure Third-Party Device-ID
- Configure an IP Tag Cloud Connection
- View Mappings and Tags
- Configure Dynamic Privilege Access in the Cloud Identity Engine
- Send Cortex XDR Risk Signals to Okta
- Configure SSF Okta Receiver as a Risk Connection
- Configure the Secrets Vault
-
- Set Up Password Authentication
-
- Configure Azure as an IdP in the Cloud Identity Engine
- Configure Okta as an IdP in the Cloud Identity Engine
- Configure PingOne as an IdP in the Cloud Identity Engine
- Configure PingFederate as an IdP in the Cloud Identity Engine
- Configure Google as an IdP in the Cloud Identity Engine
- Configure a SAML 2.0-Compliant IdP in the Cloud Identity Engine
- Set Up a Client Certificate
- Configure an OIDC Authentication Type
- Set Up an Authentication Profile
- Configure Cloud Identity Engine Authentication on the Firewall or Panorama
- Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama
- Configure Dynamic Privilege Access in the Cloud Identity Engine
- Get Help
Set Up an Entra ID Directory
Learn how to set up an Entra ID directory in the Cloud Identity Engine.
To
configure an Entra ID in the Cloud Identity Engine, you must have at least the
following role privileges in Entra ID:
- Application Administrator
- Cloud Application Administrator
For more information about roles in Azure AD, refer to the following link.
If you Configure Entra ID Using the CIE Enterprise App, the account you use must have the Global
Administrator Role to set up Azure. However, the app itself uses the Cloud
Application Administrator Role, not the Global Administrator Role.
To further reduce sync time and minimize the amount of
data collected by the Cloud Identity Engine, you can configure the Cloud Identity
Engine to sync only specific groups from your directory by filtering the groups.
Because SCIM is most suitable for small and frequent data requests, directory update
intervals are restricted by Microsoft to once every 40 minutes. If you choose to
filter the groups instead, directory updates can be as often as every 5 minutes.
Choose the best option for your deployment based on your organizational and
regulatory requirements.
For an Azure Active Directory (AD), the Cloud
Identity Engine retrieves updates from the directory using the following
schedule:
- Users, Groups, and Devices—When the Cloud Identity Engine syncs changes.
- Apps—Every x hours (where x is either a maximum of 3 hours or the duration necessary to complete the previous apps sync).
- Role Assignments—Every x hours (where x is either a maximum of 24 hours or the duration necessary to complete the previous role assignment sync).
When you configure an Azure
AD for the Cloud Identity Engine, log in, and grant the necessary permissions,
Microsoft automatically onboards the Cloud Identity Engine Enterprise App into your
Azure AD.