>
    Strata Copilot
    Begin Using Azure Active Directory Groups
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Data Security Administration
    4. Group-Based Visibility
    5. Begin Using Azure Active Directory Groups
    Download PDF
    SaaS Security

    Begin Using Azure Active Directory Groups

    Table of Contents

    Begin Using Azure Active Directory Groups

    Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Data Security license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    • New customers (onboarded your apps to Data Security on or after November 1, 2024) and FedRAMP customers: Integrate CIE with Data Security.
    • Legacy customers (onboarded your apps to Data Security before November 1, 2024): If you have been using Microsoft Azure AD, continue with the following topic.
    SaaS Security integrates with an Azure Active Directory (AD) to manage a cloud-based identity and access management service. After Azure Active Directory connects to SaaS Security, the service retrieves your user group and membership information.
    With an Active Directory integration, you can use the group-based visibility capabilities that Data Security offers, including:
    To begin scanning your Azure Active Directory users and groups, you need to:
    • Configure an application registration on Azure Active Directory, using either Microsoft’s new and improved method or the legacy method.
    • Connect Azure Active Directory to SaaS Security.
    • Select the Active Directory groups you want to scan.

    Configure an Application Registration on Azure Active Directory

    As you configure an application registration on Azure Active Directory to assign SaaS Security the necessary permissions to establish a connection with Azure Active Directory and retrieve users and groups, record the Directory ID, Application ID, and Application Key because you will need this information later to connect Azure Active Directory to SaaS Security.
    1. Log in to Microsoft Azure and select Azure Active DirectoryMicrosoft Entra IDApp registrationsNew registration.
    2. Enter a Name, select Accounts in this organizational directory only, and click Register.
    3. Copy the Application (client) ID.
    4. Copy the Directory (tenant) ID.
    5. Click API permissionsAdd a permissionMicrosoft GraphApplication permissions.
    6. Select DirectoryDirectory.Read.All.
      Enable permissions to read directory data to allow SaaS Security to connect to the Azure Active Directory application to read users, groups, and apps in the organization’s directory.
    7. Select GroupGroup.Read.All and Add permissions.
      Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
    8. Click Grant consent and click Yes to confirm permission change.
    9. Select Certificates & secretsNew client secret, enter a Description, select an expiration, and click Add.
    10. Copy the unique Client secret (aka Application Key).

    Connect Azure Active Directory to SaaS Security

    You need to connect Azure Active Directory to SaaS Security so that SaaS Security can retrieve all your Active Directory users and groups.
    After you connect Azure Active Directory to SaaS Security, you might need to wait up to 24 hours for all your Active Directory groups to display in the SaaS Security web interface.
    1. Verify that you have an Azure Active Directory account with administrator privileges.
    2. Log in to Strata Cloud Manager.
    3. Select ConfigurationSaaS SecuritySettingsDirectory & External ServicesConnect New .
    4. Select Azure Active Directory, then enter Active Directory information.
      • Directory ID
      • Application ID
      • Authentication Key
    5. Save to authenticate Azure Active Directory.
      You can give your Azure Active Directory instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

    Select Active Directory Groups

    Select the groups you need for group-based visibility: Policy enforcement, incident management, and selective scanning.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationSaaS SecuritySettingsDirectory & External Services.
    3. Select the Azure Active Directory instance.
    4. Enter the first few letters or name of the group.
      • >>—Adds all groups.
      • >—Adds a single group.
      You can add up to 100 groups in total, including nested groups.
    5. Save your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.