1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security Inline
    5. Get Started with SaaS Security Inline
    6. Integrate with Azure Active Directory

    Integrate with Azure Active Directory

    Configure an app registration on Azure Active Directory to enable SaaS Security to retrieve users and groups
    If you performed an Azure Active Directory integration for SaaS Security API, SaaS Security Inline uses that same integration framework, and you do not need to repeat this integration.
    SaaS Security integrates with Azure Active Directory (AD) to manage cloud-based identity and access management service. After Azure AD connects to SaaS Security, the service retrieves your groups, which you can specify in your SaaS policy rule recommendations. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes.
    To integrate Azure AD, you need to:
    • Configure an application registration on Azure AD.
    • Connect Azure AD to SaaS Security.
    • Select the AD groups you want to scan.

    Configure an Application Registration on Azure AD

    As you create an application on Azure AD to assign SaaS Security the necessary permissions to establish a connection with Azure AD and retrieve groups, record the
    Directory ID
    ,
    Application ID
    , and
    Application Key
     because you will need this information later to connect Azure AD to SaaS Security.
    1. Log in to Microsoft Azure and select
      Azure Active Directory
      App registrations
      New registration
      .
    2. Enter a
      Name
      , select
      Accounts in this organizational directory only
      , and click
      Register
      .
    3. Copy the
      Application (client) ID
      .
    4. Copy the
      Directory (tenant) ID
      .
    5. Click
      API permissions
      Add a permission
      Microsoft Graph
      Application permissions
    6. Select
      Directory
      Directory.Read.All
      .
      Enable permissions to read directory data to allow SaaS Security to connect to the Azure AD application to read users, groups, and apps in the organization’s directory.
    7. Select
      Group
      Group.Read.All
       and
      Add permissions
      .
      Enable permissions to read all groups to allow Azure Active Directory to list groups, read their properties and membership, and enable SaaS Security to populate a list of groups to scan.
    8. Click
      Grant consent
       and click
      Yes
       to confirm permission change.
    9. Select
      Certificates & secrets
      New client secret
      , enter a
      Description
      , select an expiration, and click
      Add
      .
    10. Copy the unique
      Client secret
       (Application Key).

    Connect Azure Active Directory to SaaS Security

    You need to connect Azure AD to SaaS Security so that SaaS Security Inline and SaaS Security API can retrieve all your AD groups.
    After you connect Azure AD to SaaS Security Inline, you might need to wait up to 24 hours for all your AD groups to display in the SaaS Security Inline web interface.
    1. Verify that you have an Azure AD account with administrator privileges.
    2. Log in to SaaS Security.
    3. Select
      Settings
      Directory Services
      Connect New
      .
    4. Select
      Azure Active Directory
      , then enter AD information.
      • Directory ID
      • Application ID
      • Authentication Key
    5. Save
       to authenticate Azure Active Directory.
      You can give your Azure AD instance a descriptive name other than the default name, which is Azure Active Directory n, to differentiate it from other instances.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo