Synchronize Cloud Identity Engine Tenants

Learn how to synchronize changes to your directory attributes in your Cloud Identity Engine tenants.
There are two ways that the Cloud Identity Engine synchronizes changes to your directory attributes:
  • A full sync, which is a complete sync of the entire directory.
  • A sync of just the changes to the directory since the last successful sync, which takes much less time to complete (not supported with Google Directory).
By default, the Cloud Identity Engine app synchronizes the directory attributes:
  • Every five minutes, unless a sync is already in progress, with the changes since the last successful sync (not supported with Google Directory).
  • Weekly with a complete sync of all configured directories (not supported with Google Directory).
  • Based on the schedule you select (Google Directory only).
The time to synchronize data depends significantly on the number of changes, the size of the directory, and the amount of group nesting.
To refresh your Cloud Identity Engine tenant with recent directory changes before the next scheduled sync, you can select how you want to synchronize changes to the attributes for your configured domains.

Synchronize All Attributes

Synchronizing all attributes (a full sync) is recommended if you are experiencing issues or lose connectivity.
For on-premises directories, all agents and domains for the tenant must be active for the sync to complete successfully.
  1. Log in to the hub and select the Cloud Identity Engine app.
  2. Select the directory you want to synchronize, then select Directories.
  3. Select Actions > Full Sync to immediately start the synchronization for the directory type you want to synchronize.
    For an on-premises Active Directory, click Full Sync.
    The synchronization starts immediately and a confirmation message (Sync started) displays. The sync may take some time to complete, so make sure you click Full Sync only once. If a synchronization is currently in progress when you try to synchronize, a warning message (Sync in progress) displays at the top of the screen.
    After completing a full sync, you must wait at least 90 seconds before initiating another full sync.
  4. To confirm the synchronization is complete, verify the Sync Status is Success.

Synchronize Directory Changes

You can sync just the changes to your directory, which is much faster than a full sync of your directory. By default, the Cloud Identity Engine syncs changes for most attributes every five minutes unless a sync is already in progress.
The Sync Status on the Directories page may incorrectly indicate Success while an incremental sync is still in progress. The synchronization automatically captures any changes made in the directory but it is not possible to initiate another sync while a sync is currently in progress.
For Azure Active Directory (Azure AD) and Okta, the Cloud Identity Engine syncs attributes for users and groups every five minutes; for Azure AD, a sync for devices occurs daily if the previous device sync required less than 24 hours to complete. If completing the device sync required more than 24 hours, the next sync occurs at the interval of the duration for the previous device sync (for example, if the previous device sync required 26 hours, then the next sync would occur 26 hours from the previous successful sync).
The Sync Changes option is not available for Google Directory.
  1. If you have not already done so, configure a directory.
  2. After making changes to your directory, select Actions > Sync Changes to sync the changes for your directory.
    For an on-premises Active Directory, click Sync Changes.
    The sync may take some time to complete, so make sure you click Sync Changes only once. We recommend a full sync of your directory if you lose connectivity or are experiencing issues. To sync the entire directory, use Synchronize All Attributes to run a full sync. If a full sync is in progress, you cannot sync changes. After a full sync completes in the Cloud Identity Engine app, the firewall must also complete a full sync.

Set Synchronization Interval

This sync option is available for Google Directory only.
  1. Log in to the hub and select the Cloud Identity Engine app.
  2. Select the tenant you want to synchronize, then select Directories.
  3. Click Sync Every: for the directory type interval that you want to change and select the interval.
    • 6 Hours
    • 12 Hours
    • 24 Hours (Default)
    After you select an interval, a confirmation message displays at the top of the screen.

Synchronize CDUG Changes

This sync option is available for Google Directory only.
  1. Log in to the hub and select the Cloud Identity Engine app.
  2. Select the tenant you want to synchronize, then select Directories.
  3. Click Sync CDUG Changes to initialize the synchronization of the cloud dynamic user group information.
    The synchronization starts immediately and a confirmation message (Sync started) displays. If a synchronization is currently in progress when you try to synchronize, a warning message (Sync in progress) displays at the top of the screen.
  4. To confirm the synchronization is complete, verify the Sync Status is Success.