Cloud Identity Engine Licensing

Learn about Cloud Identity Engine licensing.
Where Can I Use This?
  • NGFW
  • Prisma Access
What Do I Need?
  • See requirements below.
The Cloud Identity Engine is designed as a core infrastructure component to facilitate Zero Trust and is generally available at no additional cost to Palo Alto Networks customers. It does not require a standalone subscription license or an authorization code for activation.

Core Service Availability

The full feature set of the Cloud Identity Engine—including Directory Sync and the Cloud Authentication Service—is included as a free core feature for the following platforms:
  • Next-Generation Firewalls (Hardware and Virtual): Available for PA-Series and VM-Series firewalls running PAN-OS 10.1 and later.
  • Panorama: Available for management platforms running PAN-OS 10.1 and later.
  • Prisma Access: Available for Strata Cloud Manager-managed or Panorama-managed Prisma Access running any software version with the Panorama plugin.
  • Strata Cloud Manager: The service is integrated into Strata Cloud Manager, with availability depending on the licenses held (e.g., Prisma Access, AIOps for NGFW Premium, or Strata Cloud Manager Essentials/Pro).

Required Roles

To activate, configure, and manage the Cloud Identity Engine within the Palo Alto Networks Hub (Common Services), you must assign specific app roles to your administrators. These roles determine the level of access users have to tenant management, directory data, and secrets configuration.

Feature-Specific Licensing

While the Cloud Identity Engine service itself is free, specific advanced features or integrations may require licenses on the associated enforcement points:
  • Third-Party Device-ID: To utilize APIs for managing IP address-to-device mappings or to configure Third-Party Device-ID in Prisma Access, a Device Security license is required in addition to a Prisma Access license.
  • Dynamic Privilege Access (DPA): This feature, which allows for project-based resource isolation, requires a Prisma Access license and must be activated by your account representative.
  • Data Security & DLP: Features involving Enterprise DLP or Next-Generation CASB integrations require their respective licenses (e.g., Enterprise DLP, CASB-X) to be active on the associated tenant.

Activation

You can activate the Cloud Identity Engine directly through the Palo Alto Networks Hub without an authorization code. During the onboarding process, you may be asked to claim licenses for other products (like Prisma Access), but the Cloud Identity Engine itself does not require a specific claim code.