To provide user, group, and computer information for policy or event context, Palo Alto Networks cloud-based applications and services need access to your directory information. Cloud Identity Engine gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine is free and does not require a license to get started. Cloud Identity Engine supports on-premises directory (Active Directory) and a cloud-based directory (Azure Active Directory). The authentication component of the Cloud Identity Engine allows you to configure a profile for a SAML 2.0-based identity provider (IdP) that authenticates users by redirecting their access requests through the IdP before granting access. You can also configure a client certificate for user authentication.

Add an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect user, group, and device attributes from your Azure AD for policy enforcement and user visibility.

Get the user and group information using the Cloud Identity Engine by performing the steps: