Manage Your Azure Directory

Learn about managing your Azure directory for CIE.
Where Can I Use This?
  • NGFW
  • Prisma Access
What Do I Need?
  • The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses. Refer to the Cloud Identity Engine licensing information for details.
Managing your Microsoft Entra ID (Azure AD) integration is critical for ensuring that the Cloud Identity Engine maintains a valid, secure connection to collect user attributes for consistent policy enforcement. Ongoing management tasks typically involve troubleshooting connection issues or updating configuration settings to leverage new features, such as switching from the CIE Enterprise App to the Client Credential Flow or enabling the collection of user risk information.
If your directory disconnects or requires configuration updates, you can reconnect or edit the directory directly within the Cloud Identity Engine application. This process allows you to re-authenticate and modify settings without deleting the tenant. However, if you need to permanently stop the Cloud Identity Engine from accessing your data, you must revoke permissions entirely. This is a two-step process: you must first delete the directory from your Cloud Identity Engine tenant and then delete the enterprise application from the Azure Portal to ensure the service can no longer query your directory data.

Reconnect or Edit Azure Active Directory

Learn how to reconnect or edit your Azure Active Directory (Azure AD) configuration for the Cloud Identity Engine.
The auth code flow method is deprecated and is available only for existing configurations, not for new ones. For new configurations, configure Entra ID using the Cloud Identity Engine app.
  1. Log in to the hub and select the Cloud Identity Engine app.
  2. In the Cloud Identity Engine app, select Directories > Reconnect.
    If this Azure AD configuration has never successfully connected to the Cloud Identity Engine, select Actions > Edit.
  3. Select the method you want to use to log in to your Azure AD.
    Palo Alto Networks strongly recommends the CIE Enterprise App connection flow type. Using the client credential connection flow type requires you to configure your Azure AD with the necessary permissions, so ensure you’ve completed all of the predeployment steps necessary to configure Azure using the Client Credential Flow before you configure this option.
    • CIE Enterprise App (Recommended, default)—This option requires Global Administrator privileges, but you only need to enter the directory ID.
    • Client Credential Flow—By granting the required permissions in advance, you do not need to log in to the Azure AD to make changes to that directory in the Cloud Identity Engine.
    • Auth Code Flow (Deprecated; available only for existing configurations)—To make changes to your Azure AD in the Cloud Identity Engine, you must log in to the Azure AD.
  4. Select whether you want to Collect user risk information from Azure AD Identity Protection to use in attribute-based Cloud Dynamic User Groups.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to the documentation for Cloud Dynamic User Groups.
  5. Select whether you want to Collect Roles and Administrators (Administrative roles) to retrieve roleAssignments attribute information for users and groups. Allowing the Cloud Identity Engine to include this information for analysis helps to prevent role-based malicious attacks. By default, the Cloud Identity Engine enables this option for tenants that are associated with Cortex XDR.
    If you select this option, you must grant additional permissions for the Cloud Identity Engine in the Azure AD Portal. For more information, refer to step 9.
  6. Select whether you want to Collect enterprise applications data so that it displays when you View Directory Data. If you don't want to collect the application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.
  7. Sign in with Azure or Restore the connection using your Azure administrator credentials and grant permissions for the Cloud Identity Engine to access the directory information.
    You must have an administrative account for the directory to grant the following required permissions.
    • Access Azure Service Management
    • View your basic profile
    • Maintain access to data you have given it access to
    • Read directory data
    • View your email address
    If this Azure AD configuration has never successfully connected to the Cloud Identity Engine, select Sign in with Azure.
    1. Enter your email address or phone number, then click Next.
    2. Enter your password and click Sign in.
    3. Consent on behalf of your organization to grant the permissions that the Cloud Identity Engine requires to get the metadata with the list of directories, then click Accept to confirm.
      The button displays Logged In when the authentication is successful.
  8. Click Test Connection to confirm that the Cloud Identity Engine tenant can successfully communicate with the Azure directory.
    • The Cloud Identity Engine checks for the primary directory, which may not be the same as the initial directory.
    • While the test is in progress, the button displays Testing.
    • When the Cloud Identity Engine verifies the connection, the button displays Success and lists the domain name and ID for the directory.
    • If the connection is not successful, the button displays Failed and a red exclamation point. If this occurs, confirm you have entered your Azure credentials correctly.
    • If you have more than one directory in your Azure AD, select the radio button for each directory and Test Connection. Submit each directory individually.
  9. Consent on behalf of your organization to grant the permissions the Cloud Identity Engine requires to access the directory data, then click Accept to confirm.
    • If you want to use user risk information in attribute-based Cloud Dynamic User Groups, you must grant additional permissions. For more information, refer to the documentation on how to Create a Cloud Dynamic User Group.
    • If you select the Collect Roles and Administrators (Administrative roles) option in step 5 and you have already granted the Directory.Read.All scope, no further permissions are required. Otherwise, you must also grant the RoleManagement.Read.Directory scope to collect role and administrator information.
    • If you select the Collect enterprise applications option in step 6, you must grant the Application.Read.All scope.
  10. (Optional) Enter a unique name in the Directory Name (optional) field to use a customized name for the directory in the Cloud Identity Engine app.
    You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
    If you are collecting data for the same domain from both an on-premises Active Directory (AD) and an Azure AD, Palo Alto Networks recommends that you create a separate Cloud Identity Engine tenant for each directory type. If you must use the same Cloud Identity Engine tenant and want to collect data from both an on-premises AD and an Azure AD, you must customize the directory name for the Azure AD (for example, by adding .aad to Customize Directory Name) then reconnect or edit your Azure directory. Any applications that you associate with the Cloud Identity Engine use the custom directory name.
    • The custom directory name is the alias for your Azure AD in your Cloud Identity Engine tenant; it does not change the name of your directory. If you do not enter a custom directory name, the Cloud Identity Engine uses the default domain name.
    • The Cloud Identity Engine supports lowercase alphanumeric characters, periods (.), hyphens (-), and underscores (_).
    • If you associate the Cloud Identity Engine with Cortex XDR, the customized directory name must be identical to the Domain you select in Cortex XDR.
    The custom directory name must match the corresponding directory name in any app that you associate with the Cloud Identity Engine. For example, if you are using the Cloud Identity Engine with Cortex XDR, the custom directory name in the Cloud Identity Engine must be the same as the directory name in Cortex XDR.
  11. (Optional) Select whether you want to Filter Azure Active Directory Groups.
    To reduce sync time and minimize the amount of data collected by the Cloud Identity Engine, you can configure the Cloud Identity Engine to sync only specific groups from your directory. To do this, you can Configure SCIM Connector for the Cloud Identity Engine or you can filter the groups. Because SCIM is most suitable for small and frequent data requests, directory update intervals are restricted to once every 40 minutes. If you choose to filter the groups instead, directory updates can be as often as every 5 minutes. Choose the best option for your deployment based on your organizational and regulatory requirements.
    1. Select the group attribute you want to use as a filter.
      • Name—Filter the groups based on the group name.
      • Unique Identifier—Filter the groups based on the unique identifier for the group.
    2. Select how you want to filter the groups.
      • (for Name attribute only) begins with—Filter the groups based on a partial match for the text you enter.
      • is equal to—Filter the groups based on an exact match for text you enter.
    3. Enter the text you want to use to filter the groups.
    4. (Optional) Configure an additional filter by clicking Add OR and repeating the previous three steps for each filter you want to include.
      When you configure additional filters, the Cloud Identity Engine first attempts to find a match for the first criterion in the configuration, then continues to attempt to match based on the additional criteria you specify.
  12. (Client credential flow only) Enter the Client ID and Client Secret (or click Restore to restore the current client secret) to Configure Azure Using the Client Credential Flow.
    You cannot change the Directory ID. If you need to change the Directory ID, you must set up a new Azure AD configuration in the Cloud Identity Engine.
  13. When the configuration is complete, Submit the configuration.
    When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and begins synchronizing attributes. The Sync Status column displays In Progress while the Cloud Identity Engine collects the attributes.
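The consent requirements in steps 7 and 9 are easy to get wrong when a directory is reconnected with different options than it was originally set up with. The following added example (not Palo Alto Networks code) reads a Microsoft Graph oauth2PermissionGrants listing for the Cloud Identity Engine service principal, which lists delegated permissions in a space-separated scope field, and reports which of the scopes named in step 9 still need to be consented for the options you selected. The JSON is constructed sample data with placeholder ids; the user-risk option is not modelled because the page does not name the scopes it needs, and application permissions granted for the Client Credential Flow appear as appRoleAssignments rather than in this listing, so resolve those to their role values first if you want to check them the same way.

```python
"""Check which Microsoft Graph scopes a Cloud Identity Engine Azure AD
connection still needs before Test Connection and Submit will succeed.

Added example, not Palo Alto Networks code. Input is the JSON body of a
Microsoft Graph oauth2PermissionGrants listing filtered to the CIE service
principal (delegated permissions; 'scope' is a space-separated list).
"""
import json

# Constructed sample: a tenant that consented to sign-in scopes plus
# Directory.Read.All only. All ids are placeholders, not real object ids.
SAMPLE_GRANTS = json.dumps({
    "value": [
        {
            "id": "placeholder-grant-id-1",
            "clientId": "placeholder-cie-service-principal-id",
            "consentType": "AllPrincipals",
            "resourceId": "placeholder-graph-resource-id",
            "scope": "User.Read offline_access Directory.Read.All",
        }
    ]
})


def granted_scopes(grants_json: str) -> set[str]:
    """Union of every scope string across all grants for the client."""
    scopes: set[str] = set()
    for grant in json.loads(grants_json).get("value", []):
        scopes.update((grant.get("scope") or "").split())
    return scopes


def required_scopes(granted: set[str], collect_roles: bool, collect_apps: bool) -> set[str]:
    """Scopes the reconnect procedure names for the chosen options (step 9).

    Collect Roles and Administrators needs RoleManagement.Read.Directory
    unless Directory.Read.All is already granted; Collect enterprise
    applications needs Application.Read.All.
    """
    required: set[str] = set()
    if collect_roles and "Directory.Read.All" not in granted:
        required.add("RoleManagement.Read.Directory")
    if collect_apps:
        required.add("Application.Read.All")
    return required


def missing_scopes(grants_json: str, collect_roles: bool, collect_apps: bool) -> set[str]:
    """Scopes that must still be consented on behalf of the organization."""
    granted = granted_scopes(grants_json)
    return required_scopes(granted, collect_roles, collect_apps) - granted


def consent_report(grants_json: str, collect_roles: bool, collect_apps: bool) -> str:
    """Human-readable summary for the administrator doing the reconnect."""
    granted = sorted(granted_scopes(grants_json))
    missing = sorted(missing_scopes(grants_json, collect_roles, collect_apps))
    lines = ["Granted scopes: " + (", ".join(granted) or "(none)")]
    if missing:
        lines.append("Still required:  " + ", ".join(missing))
    else:
        lines.append("Still required:  (none) - consent already covers the selected options")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reconnect with both optional collections enabled.
    print(consent_report(SAMPLE_GRANTS, collect_roles=True, collect_apps=True))
```

Run the same check after completing the revocation procedure: an empty value list for the service principal confirms that no delegated consent survives the deletion of the enterprise application.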
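To predict what a group filter from step 11 will actually select before committing to a 5-minute sync cadence, it helps to have the filter semantics in code. The following added example (not Palo Alto Networks code) implements the rules as the step describes them: Name supports begins with and is equal to, Unique Identifier supports is equal to only, and additional filters added with Add OR are tried in order until one matches. The group list is constructed sample data with placeholder ids; the page does not state whether the console compares case-sensitively, so the case-insensitive comparison here is an assumption.

```python
"""Evaluate Filter Azure Active Directory Groups criteria against a group list.

Added example, not Palo Alto Networks code. Groups are modelled as Microsoft
Graph group objects (displayName, id). Case-insensitive matching is an
assumption; the console's case handling is not documented on this page.
"""
from dataclasses import dataclass

NAME = "Name"
UNIQUE_ID = "Unique Identifier"
BEGINS_WITH = "begins with"
IS_EQUAL_TO = "is equal to"

# Constructed sample groups; ids are placeholders, not real object ids.
SAMPLE_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "sg-finance-users"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "SG-Finance-Admins"},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "all-staff"},
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "contractors"},
]


@dataclass(frozen=True)
class GroupFilter:
    """One filter row: attribute, operator and the text to match."""
    attribute: str
    operator: str
    value: str

    def __post_init__(self) -> None:
        # Reject combinations the console does not offer.
        if self.attribute not in (NAME, UNIQUE_ID):
            raise ValueError(f"unknown attribute {self.attribute!r}")
        if self.operator not in (BEGINS_WITH, IS_EQUAL_TO):
            raise ValueError(f"unknown operator {self.operator!r}")
        if self.attribute == UNIQUE_ID and self.operator == BEGINS_WITH:
            raise ValueError("'begins with' is available for the Name attribute only")
        if not self.value.strip():
            raise ValueError("filter text must not be empty")

    def matches(self, group: dict) -> bool:
        field = group["displayName"] if self.attribute == NAME else group["id"]
        field, value = field.casefold(), self.value.casefold()  # assumption: case-insensitive
        if self.operator == BEGINS_WITH:
            return field.startswith(value)
        return field == value


def select_groups(groups: list[dict], filters: list[GroupFilter]) -> list[tuple[str, int]]:
    """Return (displayName, index of the first matching filter) for every
    group that satisfies at least one filter; filters are ORed and tried in order."""
    selected: list[tuple[str, int]] = []
    for group in groups:
        for index, flt in enumerate(filters):
            if flt.matches(group):
                selected.append((group["displayName"], index))
                break
    return selected


def sync_reduction(groups: list[dict], filters: list[GroupFilter]) -> float:
    """Fraction of groups excluded from sync by the filters (0.0 .. 1.0)."""
    if not groups:
        return 0.0
    return 1.0 - len(select_groups(groups, filters)) / len(groups)


if __name__ == "__main__":
    filters = [
        GroupFilter(NAME, BEGINS_WITH, "sg-"),
        GroupFilter(UNIQUE_ID, IS_EQUAL_TO, "44444444-4444-4444-4444-444444444444"),
    ]
    for name, idx in select_groups(SAMPLE_GROUPS, filters):
        print(f"{name:20s} matched filter #{idx + 1}")
    print(f"groups excluded from sync: {sync_reduction(SAMPLE_GROUPS, filters):.0%}")
```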

Revoke Cloud Identity Engine Permissions for Azure Active Directory

Learn how to revoke permissions for the Cloud Identity Engine to access your Azure Active Directory (AD).
If you want to revoke the permissions for the Cloud Identity Engine to access your Azure Active Directory (AD), delete the directory in your Cloud Identity Engine tenant and delete the application from the Azure Portal.
To revoke permissions for an Azure AD from the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the Azure AD role documentation.
  1. Delete the directory from your Cloud Identity Engine tenant.
  2. Log in to the Azure Portal with your administrator credentials.
  3. Select Azure Active Directory.
  4. In the Manage section, select Enterprise applications.
  5. In the Manage section, select All applications, then select Palo Alto Networks Cloud Identity Engine.
  6. In the Manage section, select Properties.
  7. Delete the application and click Yes to confirm.
    When you confirm, the Cloud Identity Engine can no longer access this Azure AD.