https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-azure-ad-as-a-service/m-p/512897#M25 <P>I am confused about Cloud Identity,, on how and what to use for Azure AD as a service to map IP's to username when users login to Azure AD from their surface device.&nbsp;&nbsp;</P> Wed, 24 Aug 2022 19:50:34 GMT markk96 2022-08-24T19:50:34Z https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-azure-ad-as-a-service/m-p/512897#M25 <P>I am confused about Cloud Identity,, on how and what to use for Azure AD as a service to map IP's to username when users login to Azure AD from their surface device.&nbsp;&nbsp;</P> Wed, 24 Aug 2022 19:50:34 GMT https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-azure-ad-as-a-service/m-p/512897#M25 markk96 2022-08-24T19:50:34Z https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-azure-ad-as-a-service/m-p/520761#M33 <P>Basically you are using SAML IdP that is the Azure AD and the cloud identity engine is the SAML SP and it gets the Azure data like user and ad group , email address etc. from the Azure AD after the user authenticates on it like SAML assertions that are insterted in the User browser request after the Azure AD authenticates the user and returns them to Prisma Acccess <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-an-identity-provider-in-the-cloud-identity-engine/configure-azure-as-an-idp-in-the-cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-an-identity-provider-in-the-cloud-identity-engine/configure-azure-as-an-idp-in-the-cloud-identity-engine</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>After you have registered the Application that will be used for SAML in the Azure AD portal you can even select what data will be returned to Prisma Access:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nikoolayy1_0-1667987683652.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45226iDCFCB775E82118CF/image-size/medium?v=v2&amp;px=400" role="button" title="nikoolayy1_0-1667987683652.png" alt="nikoolayy1_0-1667987683652.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Also you can add as a bonus SCIM for extra sync between Azure AD and CIE as SAML is too static and if you block a user on Azure AD it will take time before he is blocked on the Prisma Access but SCIM solves this.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-a-cloud-based-directory/configure-scim-connector-for-the-cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-a-cloud-based-directory/configure-scim-connector-for-the-cloud-identity-engine</A></P> <P>&nbsp;</P> Wed, 09 Nov 2022 09:55:13 GMT https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-azure-ad-as-a-service/m-p/520761#M33 nikoolayy1 2022-11-09T09:55:13Z