https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-aad/m-p/575079#M58 <P>for group mapping the groups and their members' attributes are stored on the CIE tenant, so for compliance you'll need to make sure the tenant is stood up in the appropriate location (this stored data will not leave that location except for forwarding to your firewalls)</P> <P>&nbsp;</P> <P>CIE with authentication simply acts as a broker and AFAIK does not store anything</P> Wed, 31 Jan 2024 10:37:28 GMT reaper 2024-01-31T10:37:28Z https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-aad/m-p/574983#M57 <P>I am investigating Cloud Identity Engine for integration with Azure AD (Entra ID). I am trying to understand where CIE stores the data that it syncs from AAD (what the actual authentication flow looks like) so we can validate whether user data is going to a 3rd party provider such as Palo Alto.<BR />Also does CIE sync and cache user passwords when they authenticate through it?&nbsp; or is it just passing the request to Azure AD and, if so, how is that pw protected/encrypted/encapsulated?<BR /><BR />thanks</P> Tue, 30 Jan 2024 18:17:40 GMT https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-aad/m-p/574983#M57 zimmie67 2024-01-30T18:17:40Z https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-aad/m-p/575079#M58 <P>for group mapping the groups and their members' attributes are stored on the CIE tenant, so for compliance you'll need to make sure the tenant is stood up in the appropriate location (this stored data will not leave that location except for forwarding to your firewalls)</P> <P>&nbsp;</P> <P>CIE with authentication simply acts as a broker and AFAIK does not store anything</P> Wed, 31 Jan 2024 10:37:28 GMT https://live.paloaltonetworks.com/t5/cloud-identity-engine/cloud-identity-engine-aad/m-p/575079#M58 reaper 2024-01-31T10:37:28Z