>
    Strata Copilot
    Add Tenants to Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Multi-Tenancy
    5. Add Tenants to Prisma Access
    Download PDF
    Prisma Access

    Add Tenants to Prisma Access

    Table of Contents

    Add Tenants to Prisma Access

    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • For information about managing multiple tenants in Prisma Access (Managed by Strata Cloud Manager), see Prisma SASE.
    After you migrate the existing information as a first tenant, you can create and configure additional tenants. For each tenant you create after the first, Prisma Access creates a separate access domain with its own set of template stacks and templates and its own domain groups.
    Use this workflow to add more tenants to Prisma Access.
    If you are creating an all-new multitenant deployment, use this workflow to add the first tenant, as well as additional tenants. See Create an All-New Multitenant Deployment for more information.
    1. Log in to Panorama as a superuser.
    2. Add and configure the tenant.
      1. Select PanoramaCloud ServicesConfiguration, then Add a new tenant.
        Be sure that you select Remote Networks/Mobile Users; to create and configure a Clean Pipe deployment, see Prisma Access for Clean Pipe.
      2. Specify a descriptive Name for the tenant.
      3. Add a new Access Domain, give it a descriptive Name, and click OK to return to the Tenants window.
        After you click OK, Prisma Access automatically creates templates, template stacks, and device groups and associates them to the access domain you create.
    3. Specify the amount of Bandwidth (Mbps) to allocate for the Remote Networks and the number of Users to allocate for the Mobile Users.
    4. (Deployments with Autonomous DEM Only) If you have purchased an Autonomous DEM (ADEM) license, select the number of units to allocate for ADEM.
      Use the following guidelines when allocating ADEM units for a tenant:
      • The number of ADEM units you can allocate for mobile users and remote networks can be only equal to or less than base license.
      • The minimum number of units you can allocate is 200.
      • After you allocate the ADEM units for a tenant, you can edit or remove those units.
      • If you did not purchase an ADEM license for your deployment type (Mobile Users or Remote Networks), that choice is grayed out.
    5. Click OK to create the first tenant.
    6. Make sure that Prisma Access applied the template stack, template, and device group service settings to the service connection settings of the tenant you just created.
      1. Select the tenant you created from the Tenant drop-down.
      2. Select PanoramaCloud ServicesConfigurationService Setup.
      3. Click the gear icon to the right of the Settings area to edit the settings.
      4. Make sure that Prisma Access has associated the template stack (sc-stk-tenant), template (sc-tpl-tenant), and device group (sc-dg-tenant) to your service connection settings.
      5. Make sure that the Parent Device Group is set to Shared and click OK.
    7. Make sure that Prisma Access applied the template stack, template, and device group to the remote network settings.
      1. Select PanoramaCloud ServicesConfigurationRemote Networks and click the gear icon to the right of the Settings area to edit the settings.
      2. Make sure that the Prisma Access has associated the template stack (rn-stk-tenant), template (rn-tpl-tenant), and device group (rn-dg-tenant) to your remote network settings.
      3. Make sure that the Parent Device Group is set to Shared and click OK.
    8. Make sure that Prisma Access applied the template stack, template, and device group to the mobile user settings.
      1. Select PanoramaCloud ServicesConfigurationMobile Users and click the gear icon to the right of the Settings area to edit the settings.
      2. Make sure that the Prisma Access has associated the template stack (mu-stk-tenant), template (mu-tpl-tenant), and device group (mu-dg-tenant) to your remote network settings.
      3. Make sure that the Parent Device Group is set to Shared and click OK.
    9. Commit your changes locally to Panorama (CommitCommit to Panorama.
    10. (Mobile User deployments only)—Add an infrastructure subnet, then commit and push your changes to make them active in Prisma Access.
      These steps are required for the mobile user changes to take effect.
      1. Select PanoramaCloud ServicesConfigurationService Setup, click the gear icon to edit the Settings, and configure an infrastructure subnet.
      2. Select CommitCommit and Push, Edit Selections in the Push Scope, and make sure that Mobile Users is selected.
      3. Click OK to save your changes to the Push Scope.
      4. Commit and Push your changes.
    11. Select the new tenant you created by selecting PanoramaCloud ServicesConfigurationtenant-name and continue the configuration of your tenant.
      1. Configure the Service Infrastructure.
      2. Create a Service Connection to Allow Access to Private Apps..
      3. Onboard and Configure Remote Networks if you are licensed for remote networks.
      4. Set Up Global Protect for if you are licensed for remote users.

    © 2026 Palo Alto Networks, Inc. All rights reserved.