Cloud Identity Engine (Directory Sync) gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine works with both on-premises Active Directory and Azure Active Directory.
To set up Cloud Identity Engine with Prisma Access, start by going to the hub to activate Cloud Identity Engine and add it to Prisma Access. Then go to Prisma Access to validate that Prisma Access is able to access directory data.
Activate Cloud Identity Engine
Cloud Identity Engine can share Active Directory information with any supported app on the hub. It’s free and does not require an auth code to get started. Cloud Identity Engine setup includes activating the Cloud Identity Engine app on the hub, configuring the Cloud Identity Engine agent to gather Active Directory mappings, and configuring mutual authentication between Cloud Identity Engine and
Make sure to deploy the Cloud Identity Engine instance in the same region that you deployed Prisma Access and Cortex Data
Enable Cloud Identity Engine for Prisma Access.
You can associate Prisma Access with Cloud Identity Engine when you first activate Prisma Access or at any time afterward:
While you’re activating Prisma Access: When you first activate Cloud Managed Prisma Access, you can choose a Cloud Identity Engine instance for Prisma Access to use. Make sure to select an instance that is deployed in the same region as Prisma Access.
After you’ve activated Prisma Access: To enable Cloud Identity Engine for an existing Prisma Access instance, log in to the hub. From the hub settings dropdown (the gear on the top menu bar), select
Find the Prisma Access instance you want to update, and select the Cloud Identity Engine instance you want Prisma Access to use.
Confirm that Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity Engine is sharing directory information with Prisma Access.
Check that you can see your directories in Prisma Access.
Verify that you can add users and groups to a policy.
In a security or decryption policy rule, check that the
displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policies.