Azure AD User Group Mapping in Prisma Access

This guide is focused on integrating Azure AD with Prisma Access Cloud Management. If you are using Panorama Managed Prisma Access, check here for more information.
To provide user, group, and computer information for policy or event context, Palo Alto Networks cloud-based applications and services need access to your directory information. Cloud Identity Engine gives Prisma Access read-only access to your Active Directory information, so that you can set up and manage security and decryption policies for users and groups. Cloud Identity Engine is free and does not require a license to get started. Cloud Identity Engine supports an on-premises directory (Active Directory) and a cloud-based directory (Azure Active Directory). The authentication component of the Cloud Identity Engine lets you configure a profile for a SAML 2.0-based identity provider (IdP); the IdP authenticates users by redirecting their access requests through the IdP before access is granted. You can also configure a client certificate for user authentication.
Add an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect user, group, and device attributes from your Azure AD for policy enforcement and user visibility.
Get the user and group information using the Cloud Identity Engine by performing the following steps:
  1. Create a Cloud Identity Engine instance for Prisma Access.
  2. Set up Azure AD user group mapping in the Cloud Identity Engine app.
  3. Set up Azure AD user group mapping in your Prisma Access. Alternatively, you can use System for Cross-domain Identity Management (SCIM) provisioning to customize attributes and map them to the security policies in Prisma Access.