https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424814#M94295 <P>Hi Nikolay - just to clarify, I'd like to import Azure AD groups into Palo Alto so that I can create rules based on them. E.g. create a policy rule that allows the Marketing dept to connect to an external application. Do the instuctions you have given me go through the steps to enable this?</P><P>&nbsp;</P><P>Thanks.</P> Thu, 05 Aug 2021 14:46:32 GMT cra1901 2021-08-05T14:46:32Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424684#M94274 <P>I have a requirement to pull in our users from Azure AD (or AADDS depending on the solution) into Prisma Cloud in order to create policy rules based on the source user/group but I'm unsure as to which method I would need to set this up? (Device\LDAP, Panorama\LDAP or Cloud Identity Engine - perhaps there's more than one way?!)</P><P>&nbsp;</P><P>We do not have a Windows domain and therefore have no on-prem DC to connect to. Has anyone else got this set up that could point me in the right direction?</P><P>&nbsp;</P><P>TIA</P> Thu, 05 Aug 2021 10:36:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424684#M94274 cra1901 2021-08-05T10:36:17Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424708#M94276 <P>There is a guide for this:</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/resources/guides/prisma-access-for-users-deployment-guide" target="_blank">https://www.paloaltonetworks.com/resources/guides/prisma-access-for-users-deployment-guide</A></P><P>&nbsp;</P><P>&nbsp;</P><P>I think also SAML is a nice option where the Prisma Access will be SP and Azure AD will be the IdP.</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.consigas.com/best-practice/remote-access-authentication/" target="_blank">https://www.consigas.com/best-practice/remote-access-authentication/</A></P> Thu, 05 Aug 2021 10:51:37 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424708#M94276 NikolayDimitrov 2021-08-05T10:51:37Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424721#M94278 <P>Thank you for your help</P> Thu, 05 Aug 2021 11:15:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424721#M94278 cra1901 2021-08-05T11:15:55Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424728#M94279 <P>This is not for Azure AD but it shows how to extract the SAML atributes for user and group membership:</P><P>&nbsp;</P><P><A href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html" target="_blank">https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html</A></P> Thu, 05 Aug 2021 11:26:57 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424728#M94279 NikolayDimitrov 2021-08-05T11:26:57Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424814#M94295 <P>Hi Nikolay - just to clarify, I'd like to import Azure AD groups into Palo Alto so that I can create rules based on them. E.g. create a policy rule that allows the Marketing dept to connect to an external application. Do the instuctions you have given me go through the steps to enable this?</P><P>&nbsp;</P><P>Thanks.</P> Thu, 05 Aug 2021 14:46:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424814#M94295 cra1901 2021-08-05T14:46:32Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424872#M94299 <P>From the Palo Alto side of things yes but you still need to configure the correct attributes for user/group on the Azure AD (Azure AD should have good guides how it can be&nbsp; used as SAML IdP). After the SAML has imported the users and groups in the Palo Alto/Prisma Access look at :</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>User redistribution inside prisma access should happen automatically but if you also have on premise devices look at:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/redistribute-userid-information-for-users-and-networks</A></P> Thu, 05 Aug 2021 16:48:18 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424872#M94299 NikolayDimitrov 2021-08-05T16:48:18Z https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424876#M94301 <P>Thanks again for your help!</P> Thu, 05 Aug 2021 16:58:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pulling-in-users-directly-from-adds/m-p/424876#M94301 cra1901 2021-08-05T16:58:46Z