>
    Strata Copilot
    Integrate with Azure Active Directory
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Get Started with SaaS Security Inline
    4. Integrate with Azure Active Directory
    Download PDF
    SaaS Security

    Integrate with Azure Active Directory

    Table of Contents

    Integrate with Azure Active Directory

    Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • SaaS Security Inline license
    • NGFW or Prisma Access license
    Or any of the following licenses that include the SaaS Security Inline license:
    • CASB-X
    • CASB-PA
    If you performed an Azure Active Directory integration for Data Security, SaaS Security Inline uses that same integration framework, and you do not need to repeat this integration.
    SaaS Security integrates with Azure Active Directory (AD) to manage cloud-based identity and access management service. After Azure AD connects to SaaS Security, the service retrieves your groups, which you can specify in your SaaS policy rule recommendations. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes.
    To integrate Azure AD, you need to:
    • Configure an application registration on Azure AD.
    • Connect Azure AD to SaaS Security.
    • Select the AD groups you want to scan.

    Configure an Application Registration on Azure AD

    As you create an application on Azure AD to assign SaaS Security the necessary permissions to establish a connection with Azure AD and retrieve groups, record the Directory ID, Application ID, and Application Key because you will need this information later to connect Azure AD to SaaS Security.
    1. Log in to Microsoft Azure and select Azure Active DirectoryApp registrationsNew registration.
    2. Enter a Name, select Accounts in this organizational directory only, and click Register.
    3. Copy the Application (client) ID.
    4. Copy the Directory (tenant) ID.
    5. Click API permissionsAdd a permissionMicrosoft GraphApplication permissions
    6. Select DirectoryDirectory.Read.All.
      Enable permissions to read directory data to allow SaaS Security to connect to the Azure AD application to read users, groups, and apps in the organization’s directory.
    7. Select GroupGroup.Read.All and Add permissions.
      Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
    8. Click Grant consent and click Yes to confirm permission change.
    9. Select Certificates & secretsNew client secret, enter a Description, select an expiration, and click Add.
    10. Copy the unique Client secret (Application Key).

    Connect Azure Active Directory to SaaS Security

    You need to connect Azure AD to SaaS Security so that SaaS Security Inline and Data Security can retrieve all your AD groups.
    After you connect Azure AD to SaaS Security Inline, you might need to wait up to 24 hours for all your AD groups to display in the SaaS Security Inline web interface.
    1. Verify that you have an Azure AD account with administrator privileges.
    2. Log in to Strata Cloud Manager.
    3. Select ConfigurationSaaS SecuritySettingsDirectory ServicesConnect New .
    4. Select Azure Active Directory, then enter AD information.
      • Directory ID
      • Application ID
      • Authentication Key
    5. Save to authenticate Azure Active Directory.
      You can give your Azure AD instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

    © 2026 Palo Alto Networks, Inc. All rights reserved.