Configure Microsoft Entra ID User Group Mapping in Prisma Access

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
To provide user, group, and computer information for policy or event context, Palo Alto Networks cloud-based applications and services need access to your directory information. Cloud Identity Engine gives Prisma Access read-only access to that directory information, so that you can set up and manage security and decryption policies for users and groups without granting Prisma Access any write access to the directory. Cloud Identity Engine is free and does not require a license to get started. It supports an on-premises directory (Active Directory) and a cloud-based directory (Microsoft Entra ID, formerly Azure Active Directory).
The authentication component of the Cloud Identity Engine lets you configure a profile for a SAML 2.0-based identity provider (IdP), which authenticates users by redirecting their access requests through the IdP before access is granted. You can also configure a client certificate for user authentication.
Add a Microsoft Entra ID directory in the Cloud Identity Engine so that it can collect user, group, and device attributes from your Microsoft Entra ID tenant for policy enforcement and user visibility.
To retrieve user and group information through the Cloud Identity Engine, perform these steps:
  1. Create a Cloud Identity Engine instance for Prisma Access.
  2. Add Microsoft Entra ID in the Cloud Identity Engine app.
  3. Authorize the user group mapping in Prisma Access. Alternatively, use System for Cross-domain Identity Management (SCIM) provisioning to customize the user and group attributes that are pushed to Prisma Access and map them to your security policies.
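The SCIM alternative in step 3 means Entra ID pushes users and group memberships to the consumer rather than the consumer reading the directory. The following is an added example, not code from this page or from Palo Alto Networks: a small in-memory SCIM 2.0 consumer (RFC 7643 User/Group resources, RFC 7644 PatchOp) that replays a constructed provisioning sequence and returns the group mapping a policy engine would see for each user. All user names, identifiers and the "Engineering" group are constructed. It shows three things a practitioner should check when relying on SCIM for group mapping: a group cannot reference a user that has not been provisioned yet (ordering), Entra ID removes members with a filter path (`members[value eq "..."]`) rather than a value list, and a user deactivated via `active` must stop matching every group even though the membership records still exist.

```python
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _truthy(value):
    # Entra ID provisioning has been observed sending booleans as the strings "True"/"False".
    return value if isinstance(value, bool) else str(value).lower() == "true"


class ScimStore:
    """Constructed in-memory SCIM consumer: /Users and /Groups plus membership PATCH.
    Not Prisma Access or Cloud Identity Engine code."""

    def __init__(self):
        self.users = {}   # id -> {"userName", "externalId", "active"}
        self.groups = {}  # id -> {"displayName", "members": set of user ids}
        self._seq = 0

    def _new_id(self):
        self._seq += 1
        return f"{self._seq:04d}"

    def create_user(self, body):
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("POST /Users body is not a SCIM User")
        uid = self._new_id()
        self.users[uid] = {
            "userName": body["userName"],
            "externalId": body.get("externalId"),
            "active": _truthy(body.get("active", True)),
        }
        return uid

    def create_group(self, body):
        if GROUP_SCHEMA not in body.get("schemas", []):
            raise ValueError("POST /Groups body is not a SCIM Group")
        gid = self._new_id()
        self.groups[gid] = {"displayName": body["displayName"], "members": set()}
        for member in body.get("members", []):
            self._add_member(gid, member["value"])
        return gid

    def _add_member(self, gid, uid):
        if uid not in self.users:
            # Provisioning order matters: a user must exist before a group references it.
            raise KeyError(f"group {gid} references unprovisioned user {uid}")
        self.groups[gid]["members"].add(uid)

    def patch(self, resource, rid, body):
        """Apply a PatchOp (RFC 7644 section 3.5.2) to a User or Group resource."""
        if body.get("schemas") != [PATCH_SCHEMA]:
            raise ValueError("PATCH body is not a SCIM PatchOp")
        target = self.users[rid] if resource == "Users" else self.groups[rid]
        for op in body["Operations"]:
            kind = op["op"].lower()  # Entra ID sends "Add" / "Remove" / "Replace"
            path = op.get("path", "")
            if resource == "Groups" and kind == "add" and path == "members":
                for member in op["value"]:
                    self._add_member(rid, member["value"])
            elif resource == "Groups" and kind == "remove" and path.startswith('members[value eq "'):
                # Entra ID removes a single member with a filter path, not a value list.
                target["members"].discard(path.split('"')[1])
            elif resource == "Groups" and kind == "replace" and path == "displayName":
                target["displayName"] = op["value"]
            elif resource == "Users" and kind == "replace" and path == "active":
                target["active"] = _truthy(op["value"])
            else:
                raise ValueError(f"unsupported operation {kind} on {resource}/{path}")

    def groups_for_user(self, username):
        """Group display names a policy engine should match for this user."""
        ids = [uid for uid, u in self.users.items() if u["userName"] == username]
        if not ids or not self.users[ids[0]]["active"]:
            return []  # unknown or deprovisioned users match no group, even if memberships linger
        uid = ids[0]
        return sorted(g["displayName"] for g in self.groups.values() if uid in g["members"])


def demo():
    """Replay a constructed provisioning sequence; return the resulting user -> groups mapping."""
    store = ScimStore()
    alice = store.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                               "externalId": "a-1", "active": True})
    bob = store.create_user({"schemas": [USER_SCHEMA], "userName": "bob@example.com",
                             "externalId": "b-1", "active": "True"})
    carol = store.create_user({"schemas": [USER_SCHEMA], "userName": "carol@example.com",
                               "externalId": "c-1"})
    eng = store.create_group({"schemas": [GROUP_SCHEMA], "displayName": "Engineering",
                              "members": [{"value": alice}]})
    store.patch("Groups", eng, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": bob}, {"value": carol}]}]})
    store.patch("Groups", eng, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Remove", "path": f'members[value eq "{bob}"]'}]})
    store.patch("Users", carol, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Replace", "path": "active", "value": "False"}]})
    return {name: store.groups_for_user(name)
            for name in ("alice@example.com", "bob@example.com", "carol@example.com")}


if __name__ == "__main__":
    print(demo())
```

When you map SCIM-provisioned groups to Prisma Access policy, the group name that policy matches is whatever the IdP sends in `displayName`, so renaming a group in Entra ID (a `Replace` on `displayName`) silently changes which policy rules a user hits; treat that attribute mapping as part of the policy change-control boundary.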