on 06-28-2024 09:07 AM - edited on 01-03-2025 05:19 PM by emgarcia
Cloud Identity Engine (CIE) now lets customers select the groups they want to synchronize with CIE from Entra ID (formerly Azure AD) by using filters (for example, group name “starts with” or “matches”, applied to the “Name” or “Unique Identifier” attribute). This reduces the data shared with CIE to only what is necessary for policy enforcement, without the inherent tradeoffs of using System for Cross-domain Identity Management (SCIM).
To adhere to Zero Trust principles in your network, you need to create policies based on usernames and groups instead of IP addresses. User-based policies and least privilege access policies provide much greater security by ensuring that, regardless of where a user logs in from, the same policies apply to them, and that users have access only to the minimum resources required to perform their roles.
To create user-based policies and meet the least privilege access requirements, enforcement points, such as Next Generation Firewalls or Prisma Access, need to collect user information and user groups from a directory source. Using the Directory Synchronization feature (also known as Directory Sync) in the Cloud Identity Engine provides a simplified and unified interface to help retrieve these and achieve the goal of zero trust policy enforcement.
The largest and most popular cloud-based directory is Microsoft’s Entra ID. Palo Alto Networks provides two methods to collect user and user group information from Microsoft’s Entra ID into the Cloud Identity Engine: SCIM and the Microsoft Graph API.
Making the right choice for your organization is important to ensure that you adhere to your organizational and legal requirements.
The primary use case for using SCIM for data collection from Entra ID is to give an administrator fine-grained control over what data is sent to the Cloud Identity Engine (CIE). While SCIM has accomplished this goal for many of our customers, it has also introduced its own challenges. Because SCIM is designed to deliver small, frequent requests for data, it is a great solution for cloud-based applications that perform a one-time lookup to authorize user access. However, it is not as efficient when gathering large volumes of data that will be used continuously. When gathering the information required for Directory Sync, Microsoft limits the frequency of updates that CIE can make to once every 40 minutes.
Graph APIs provide a more efficient solution for use cases such as the frequent updates requested by Directory Sync. The Cloud Identity Engine synchronizes Entra ID information every five minutes to update information for existing users and groups and to add new information. After the synchronization is complete, group and group membership data is available for use by Prisma Access and for security policy enforcement by Next Generation Firewalls. The group filter enhancement gives you even more customization and control over the data that your instance of Entra ID provides to CIE.
With this enhancement, you can now filter specific groups collected from Entra ID for synchronization with CIE. The filter for Entra ID provides two different types of data that you can use for filtering data:
Group name filters include the two operators supported by Entra ID APIs: starts with and matches.
Unique Identifier filters include the one operator which Entra ID APIs support: is equal to
With these two data types, you have the flexibility to select the groups that are synchronized with CIE without compromising on update frequency.
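To make the two filter types concrete, the following Python example (added here; it is not CIE code and does not reflect how CIE builds its requests internally) shows how a set of Name and Unique Identifier filters could be expressed as a Microsoft Graph `$filter` clause on the `/groups` endpoint, and how the same predicates can be applied locally to a constructed sample of group objects to preview which groups would be synchronized. The Graph `startswith(displayName, …)`, `displayName eq …` and `id eq …` expressions are real OData operators; mapping “matches” to `eq` and treating name comparison as case-insensitive are assumptions made for the example. The group records below are constructed, not real tenant data.

```python
from urllib.parse import quote

# Constructed sample of Entra ID group objects (not real tenant data).
SAMPLE_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "PAN-Finance"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "PAN-Engineering"},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "All Employees"},
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "Contractors"},
]

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"


def _odata_escape(value: str) -> str:
    """OData string literals escape a single quote by doubling it."""
    return value.replace("'", "''")


def build_graph_filter(field: str, operator: str, value: str) -> str:
    """Translate one CIE-style filter (field, operator, value) into an OData $filter term.

    field: "name" or "unique identifier"; operator: "starts with", "matches", "is equal to".
    Mapping "matches" to an exact 'eq' comparison is an assumption of this example.
    """
    v = _odata_escape(value)
    if field == "name" and operator == "starts with":
        return f"startswith(displayName,'{v}')"
    if field == "name" and operator == "matches":
        return f"displayName eq '{v}'"
    if field == "unique identifier" and operator == "is equal to":
        return f"id eq '{v}'"
    raise ValueError(f"unsupported filter: {field!r} {operator!r}")


def graph_url(filters: list[tuple[str, str, str]]) -> str:
    """Combine several filters with 'or' (union of the selected groups) into one request URL."""
    expr = " or ".join(build_graph_filter(*f) for f in filters)
    return f"{GRAPH_GROUPS_URL}?$filter={quote(expr, safe='')}"


def group_matches(group: dict, field: str, operator: str, value: str) -> bool:
    """Local equivalent of the predicate, used to preview the sync result offline.

    Name comparison is done case-insensitively here (assumption for this example).
    """
    if field == "name":
        name = group["displayName"].casefold()
        if operator == "starts with":
            return name.startswith(value.casefold())
        if operator == "matches":
            return name == value.casefold()
    if field == "unique identifier" and operator == "is equal to":
        return group["id"] == value
    raise ValueError(f"unsupported filter: {field!r} {operator!r}")


def select_groups(groups: list[dict], filters: list[tuple[str, str, str]]) -> list[dict]:
    """Return the groups that satisfy at least one filter, preserving input order."""
    return [g for g in groups if any(group_matches(g, *f) for f in filters)]


if __name__ == "__main__":
    # Example policy: sync only groups whose name starts with "PAN-" plus one group by object ID.
    filters = [
        ("name", "starts with", "PAN-"),
        ("unique identifier", "is equal to", "44444444-4444-4444-4444-444444444444"),
    ]
    print("Graph request:", graph_url(filters))
    selected = select_groups(SAMPLE_GROUPS, filters)
    print(f"{len(selected)} of {len(SAMPLE_GROUPS)} groups would be synchronized:")
    for g in selected:
        print(f"  {g['displayName']} ({g['id']})")
```

A Unique Identifier filter pins the selection to a specific group object, so renaming a group or creating a new group with a similar name does not change what is synchronized; a “starts with” name filter is convenient for a naming convention but will also pick up any future group whose name fits the prefix, which is worth keeping in mind when group creation rights are broadly delegated in the tenant.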
New customers can begin to use this capability immediately. When selecting Directory Sync > Directories > Add New Directory > Set Up > Azure, you can create a filter for your Entra ID directory right away; from the first synchronization, Directory Sync will only synchronize the data that is included in the filter.
Existing customers can migrate their current configurations to use the group filter as well. When selecting Directory Sync > Directories > Actions > Edit, you can add a filter to your existing directory connection. When Directory Sync completes the next sync of recent changes (“Sync Changes”), the service removes the existing data and replaces it with the data selected by the filter.
Both new and existing customers can add or remove groups from the filter (or remove the filter entirely) using Directory Sync > Directories > Actions > Edit.
Please find more information on the techdocs page here.