https://live.paloaltonetworks.com/t5/cloud-identity-engine-articles/cloud-identity-engine-introduces-group-filtering-when-collecting/ta-p/590664 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60577iBC6AE96ED8D13D06/image-size/large?v=v2&amp;px=999" role="button" title="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" alt="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" /></span></P> <P>&nbsp;</P> <H4><STRONG>Executive Summary</STRONG></H4> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine" target="_blank" rel="noopener"><SPAN>Cloud Identity Engine (CIE)</SPAN></A><SPAN> now provides customers with the ability to select the groups they would like to synchronize with CIE from Entra ID (formerly Azure AD) by using filters (for example, group name “</SPAN><FONT face="courier new,courier"><SPAN>starts with</SPAN></FONT><SPAN>” or “</SPAN><FONT face="courier new,courier"><SPAN>matches</SPAN></FONT><SPAN>'' with “</SPAN><FONT face="courier new,courier"><SPAN>Name</SPAN></FONT><SPAN>” and “</SPAN><FONT face="courier new,courier"><SPAN>Unique Identifier</SPAN></FONT><SPAN>”). This reduces the total amount of data shared with CIE to only the data necessary for policy enforcement without the inherent tradeoffs of using System for Cross-domain Identity Management (SCIM).</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>How Directories are Used to Enforce Zero Trust Policies</STRONG></H4> <P>&nbsp;</P> <P><SPAN>To adhere to Zero Trust principles in your network, you need to create policies based on usernames and groups instead of IP addresses. User-based policies and least privilege access policies provide much greater security by ensuring that regardless of where a user is logged in from the same policies will apply to them and that users have access to the minimum resources required to perform their roles.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>To create user-based policies and meet the least privilege access requirements, enforcement points, such as Next Generation Firewalls or Prisma Access, need to collect user information and user groups from a directory source. Using the Directory Synchronization feature (also known as Directory Sync) in the Cloud Identity Engine provides a simplified and unified interface to help retrieve these and achieve the goal of zero trust policy enforcement.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The largest and most popular Cloud-based directory is Microsoft’s Entra ID. Palo Alto Networks provides you with two methods to collect user and user group information from Microsoft’s Entra ID into the Cloud Identity Engine:</SPAN></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Microsoft’s GraphAPIs</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>SCIM</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>Making the right choice for your organization is important to ensure that you adhere to your organizational and legal requirements.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Introducing Group Filtering for Entra ID</STRONG></H4> <P>&nbsp;</P> <P><SPAN>The primary use case for using SCIM for data collection from Entra ID is to provide an administrator with fine-grained controls over what data is sent to the Cloud Identity Engine (CIE). While SCIM has accomplished this goal for many of our customers, it has also introduced its own challenges. Because </SPAN><SPAN>SCIM is designed to deliver small </SPAN><A href="https://docs.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad" target="_blank" rel="noopener"><SPAN>frequent requests for data</SPAN></A><SPAN>, it is a great solution for cloud-based applications that perform a one-time lookup to authorize user access. However, it is not as efficient when attempting to gather large volumes of data that will be used continuously. When gathering the required information for Directory Sync, </SPAN><SPAN>Microsoft limits the frequency of updates which CIE can make to once every 40 minutes</SPAN></P> <P>&nbsp;</P> <P><SPAN>GraphAPIs provide a more efficient solution for use cases such as the frequent updates requested by Directory Sync. The Cloud Identity Engine synchronizes Entra ID information every five minutes to update information for existing users and groups and to add new information. After the synchronization is complete, group and group membership data is available for use by Prisma Access and for security policy enforcement by Next Generation Firewalls. The group filter enhancement provides you with even more customization and control of the data that your instance of Entra ID provides to CIE.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1_Cloud-Identity-Engine_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60573i5E43D8EBCDB2AF1A/image-size/large?v=v2&amp;px=999" role="button" title="Fig 1_Cloud-Identity-Engine_palo-alto-networks.png" alt="Fig 1_Cloud-Identity-Engine_palo-alto-networks.png" /></span></P> <P>&nbsp;</P> <P><SPAN>With this enhancement, you can now filter specific groups collected from Entra ID for synchronization with CIE. The filter for Entra ID provides two different types of data that you can use for filtering data:&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Group Name</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Unique Identifier</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>Group name filters include two operators supported by Entra ID APIs:</SPAN></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><FONT face="courier new,courier"><I><SPAN>begins with</SPAN></I><SPAN>&nbsp;</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="courier new,courier"><I><SPAN>is equal to</SPAN></I></FONT></LI> </UL> <P>&nbsp;</P> <P><SPAN>Unique Identifier filters include the one operator which Entra ID APIs support: </SPAN><FONT face="courier new,courier"><I><SPAN>is equal to</SPAN></I></FONT></P> <P>&nbsp;</P> <P><SPAN>With these two data types, you have the flexibility to select the groups that are synchronized with CIE without compromising on update frequency.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Start Using the Feature Today!</STRONG></H4> <P>&nbsp;</P> <P><SPAN>New customers can begin to use this capability immediately. When selecting </SPAN><SPAN><FONT face="courier new,courier">Directory Sync &gt; Directories &gt; Add New Directory &gt; Set Up &gt; Azure</FONT>,</SPAN><SPAN> you can create a filter for your Entra ID directory right away; From the first first synchronization, Directory Sync will only synchronize the data that is included in the filter.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2_Cloud-Identity-Engine_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60574i37451618BDB58568/image-size/large?v=v2&amp;px=999" role="button" title="Fig 2_Cloud-Identity-Engine_palo-alto-networks.png" alt="Fig 2_Cloud-Identity-Engine_palo-alto-networks.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Existing customers can migrate their current configurations to use the group filter as well. When selecting </SPAN><SPAN><FONT face="courier new,courier">Directory Sync &gt; Directories &gt; Actions &gt; Edit</FONT>,</SPAN><SPAN> you can add a filter to your existing directory connection. When Directory Sync completes the next sync of recent changes (“Sync Changes”) , the service removes the existing data and replaces it with the data based on the filter.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3_Cloud-Identity-Engine_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60575iCD7A43C9DB8D0781/image-size/large?v=v2&amp;px=999" role="button" title="Fig 3_Cloud-Identity-Engine_palo-alto-networks.png" alt="Fig 3_Cloud-Identity-Engine_palo-alto-networks.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Both new and existing customers can add or remove groups from the filter (or remove the filter entirely) using </SPAN><FONT face="courier new,courier"><SPAN>Directory Sync &gt; Directories &gt; Actions &gt; Edit</SPAN></FONT><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please find more information on the </SPAN><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-a-cloud-based-directory/set-up-azure" target="_blank" rel="noopener"><SPAN>techdocs page here</SPAN></A><SPAN>.</SPAN></P> <P>&nbsp;</P> </DIV> Sat, 04 Jan 2025 01:19:14 GMT jtmclaughlin 2025-01-04T01:19:14Z https://live.paloaltonetworks.com/t5/cloud-identity-engine-articles/cloud-identity-engine-introduces-group-filtering-when-collecting/ta-p/590664 <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine"><SPAN>Cloud Identity Engine (CIE)</SPAN></A><SPAN> now provides customers with the ability to select the groups they would like to synchronize with CIE from Entra ID (formerly Entra ID) by using filters.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60576i311184DD8E34B73D/image-size/large?v=v2&amp;px=999" role="button" title="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" alt="Title_Cloud-Identity-Engine_palo-alto-networks.jpg" /></span></SPAN></P> Sat, 04 Jan 2025 01:19:14 GMT https://live.paloaltonetworks.com/t5/cloud-identity-engine-articles/cloud-identity-engine-introduces-group-filtering-when-collecting/ta-p/590664 jtmclaughlin 2025-01-04T01:19:14Z