Get Started with Cloud Identity Engine

How to get started with the Cloud Identity Engine.
Where Can I Use This?
  • NGFW
  • Prisma Access
What Do I Need?
The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.
Welcome to the Cloud Identity Engine! The Cloud Identity Engine provides a centralized, cloud-native source of truth for user identity and authentication, enabling your organization to move toward a Zero Trust security posture. By aggregating and normalizing identity data from on-premises, cloud-based, and hybrid infrastructures, the service allows you to enforce consistent security policies based on users and groups rather than IP addresses. This ensures that security decisions remain accurate and effective across data centers, campuses, public clouds, and remote user environments.
Deployment begins with planning your architecture, specifically selecting the appropriate region to ensure compliance with data residency regulations and defining the visibility scope to control firewall access to your tenants. Next, you activate the service within the Palo Alto Networks Hub to provision your tenant and prepare for synchronization. You then set up your identity sources by installing the Cloud Identity Agent for on-premises directories or establishing secure API connections for cloud-based providers like Microsoft Entra ID and Okta. Finally, you associate the Cloud Identity Engine with your Palo Alto Networks applications, such as Prisma Access or Next-Generation Firewalls, to enable them to consume identity data for policy enforcement.