<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Prisma Access CIE and User-ID mapping not working for groups in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245340#M1258</link>
    <description>&lt;P&gt;the first thing you should check in this case is the user attribute mapping:&lt;/P&gt;
&lt;P&gt;in the prisma access (or global) configuration scope, go to Identity Services &amp;gt; Cloud Identity Engine&lt;/P&gt;
&lt;P&gt;verify what the primary username is set to and compare that to the usernames you are seeing from the user-id agent&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if the userid agent sends you domain\user, set the CIE primary to SAM Account Name, if the format is user@domain, set the primary to User Principal Name&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;this can happen if you instruct CIE to fetch one type of username format while receiving a different format from the uidagent i.e. your groups come loaded with username references that don't match the actual usernames&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1768212465770.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70317i63914E9344BBD6DF/image-size/large?v=v2&amp;amp;px=999" role="button" title="reaper_0-1768212465770.png" alt="reaper_0-1768212465770.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 12 Jan 2026 10:08:52 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2026-01-12T10:08:52Z</dc:date>
    <item>
      <title>Prisma Access CIE and User-ID mapping not working for groups</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245308#M1257</link>
      <description>&lt;P&gt;Hi, all,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thanks in advance for any help with an issue we are facing with User-ID agent on on-prem and EntraID with CIE integration. Let me explain our topology a bit deeper:&lt;/P&gt;
&lt;P&gt;On the one hand, we have a Remote Network with some Windows servers without GP or Prisma Access agent. We use User-ID agent for username-to-IP mapping. This is sent to local NGFW, and from there to Prisma Access. It runs fine, coz on UserID logs in Prisma I can see the users there.&lt;/P&gt;
&lt;P&gt;On the other hand, AD is federated with EntraID and CIE collects certain test users and groups. I can see that a particular test user is on EntraID and also in CIE inside a certain group. On Prisma Access CIE configuration I can see that a number of groups and users are there.&lt;/P&gt;
&lt;P&gt;So, if we create a rule on Prisma Access (with Strata Cloud Manager), we can select both the groups and the users as source. If we choose user (brought by CIE), the username-to-IP mapping works, and the rule matches. But if we use the group in the rule, the username-to-IP mapping seems to be avoided and the rule doesn't match.&lt;/P&gt;
&lt;P&gt;Has anyone faced this before? I think it should work. Group rules are not only for agent based workstations, right?&lt;/P&gt;
&lt;P&gt;Many thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 09 Jan 2026 15:54:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245308#M1257</guid>
      <dc:creator>IvanBermejo</dc:creator>
      <dc:date>2026-01-09T15:54:00Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Access CIE and User-ID mapping not working for groups</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245340#M1258</link>
      <description>&lt;P&gt;the first thing you should check in this case is the user attribute mapping:&lt;/P&gt;
&lt;P&gt;in the prisma access (or global) configuration scope, go to Identity Services &amp;gt; Cloud Identity Engine&lt;/P&gt;
&lt;P&gt;verify what the primary username is set to and compare that to the usernames you are seeing from the user-id agent&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if the userid agent sends you domain\user, set the CIE primary to SAM Account Name, if the format is user@domain, set the primary to User Principal Name&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;this can happen if you instruct CIE to fetch one type of username format while receiving a different format from the uidagent i.e. your groups come loaded with username references that don't match the actual usernames&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1768212465770.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70317i63914E9344BBD6DF/image-size/large?v=v2&amp;amp;px=999" role="button" title="reaper_0-1768212465770.png" alt="reaper_0-1768212465770.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 12 Jan 2026 10:08:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245340#M1258</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2026-01-12T10:08:52Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Access CIE and User-ID mapping not working for groups</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245560#M1260</link>
      <description>&lt;P&gt;Thanks for your answer, Reaper. I checked the configuration and seems to be right, since we are receiving our users from User-ID in a domain\username format.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IvanBermejo_0-1768405884124.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70350i08A0D1D65154CE17/image-size/medium?v=v2&amp;amp;px=400" role="button" title="IvanBermejo_0-1768405884124.png" alt="IvanBermejo_0-1768405884124.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;In fact, as I said, if we use the username in the rule, it matches. The group in CIE is synchronizing (I filtered to one name, and I can see the group and the user in CIE), and the numbers in Prisma Access are the same. The group is selectable in the rule, but the user in the group doesn't match the rule.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is there any way to check the group-to-user mapping in Prisma Access? Any other ideas?&lt;/P&gt;</description>
      <pubDate>Wed, 14 Jan 2026 16:01:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-and-user-id-mapping-not-working-for-groups/m-p/1245560#M1260</guid>
      <dc:creator>IvanBermejo</dc:creator>
      <dc:date>2026-01-14T16:01:36Z</dc:date>
    </item>
  </channel>
</rss>

