This section describes integration procedures you perform to integrate Prisma Access with the Cloud identity Engine and Azure Active Directory (AD).

The Cloud Identity Engine provides both user identification and user authentication for mobile user deployments. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.

The Cloud Identity Engine has two components to provide authentication and enforcement of user- and group-based policy: