Plan Your Cloud Identity Engine Deployment
Learn about pre-deployment planning for the Cloud Identity Engine.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. See the licensing documentation for more information. |
Successful implementation of the Cloud Identity Engine begins with evaluating your
infrastructure to ensure it meets the necessary connectivity and architectural
requirements. Before activating tenants or installing agents, you must
configure your network to allow
specific traffic between your directory sources, the Cloud Identity Agent, and the cloud
service. This includes allowing traffic to region-specific hostnames and ensuring that
required ports—such as port 80 for certificate verification and port 443 for secure TLS
communication—are open.
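A pre-flight check for the connectivity requirement above, added here as an example (not Palo Alto Networks code): it attempts a TCP connect to each required endpoint on port 443 (TLS to the cloud service) and port 80 (certificate verification) and reduces the results to a go/no-go verdict. The hostnames are constructed placeholders; substitute the region-specific hostnames from the documentation for your Region.

```python
"""Pre-deployment connectivity check for a Cloud Identity Engine rollout.

Added example. Endpoints below are constructed placeholders, not the real
region-specific hostnames; replace them before running from the agent host.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholders: host -> ports the agent host must reach.
REQUIRED_ENDPOINTS = {
    "cloud-service.example.invalid": (443,),     # TLS to the cloud service
    "cert-check.example.invalid": (80,),         # certificate verification
}


def check_tcp(host, port, timeout=3.0):
    """One TCP connect attempt; returns (host, port, reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (host, port, True, "ok")
    except OSError as exc:  # DNS failure, refused, unreachable, timeout
        return (host, port, False, str(exc))


def run_checks(endpoints, timeout=3.0):
    """Probe every (host, port) pair concurrently from the agent host."""
    tasks = [(h, p) for h, ports in endpoints.items() for p in ports]
    with ThreadPoolExecutor(max_workers=8) as pool:
        return list(pool.map(lambda hp: check_tcp(*hp, timeout=timeout), tasks))


def summarize(results):
    """Collapse raw results into a readiness verdict plus the blocking endpoints.

    All required endpoints must be reachable: the agent needs both the TLS
    channel and certificate verification, so a single failure blocks go-live.
    """
    blockers = [f"{h}:{p} ({d})" for h, p, ok, d in results if not ok]
    return {"ready": not blockers, "blockers": blockers}


if __name__ == "__main__":
    summary = summarize(run_checks(REQUIRED_ENDPOINTS))
    print("READY" if summary["ready"] else "NOT READY")
    for item in summary["blockers"]:
        print("  blocked:", item)
```

Run it once per planned agent host so a firewall gap at a secondary site shows up before it matters for redundancy.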
You must also prepare your
directory domains for integration.
For on-premises Active Directory, this involves provisioning a service account with
permissions to execute LDAP queries against all target domains and planning agent
placement to ensure redundancy if a domain controller becomes unavailable.
Strategic planning also requires defining the scope of your deployment. You must select a
Region that aligns with your data residency requirements and other Palo Alto Networks
applications, such as Prisma Access, to minimize latency and ensure compliance.