Cloud Identity Engine Articles
Executive Summary

Palo Alto Networks' Cloud Identity Engine now supports Entra B2B external user authentication, unlocking secure access for partners, vendors, and external collaborators. This enhancement allows organizations to apply Zero Trust policies to internal and external users alike, providing policy-driven access without weakening security.

Enabling Collaboration Without Compromising Security

Today's interconnected business environments demand secure access for external parties, whether they are partners, suppliers, or clients. Entra B2B, a capability of Microsoft Entra ID, simplifies this by allowing users from outside organizations to access resources using their own credentials. Cloud Identity Engine's support for Entra B2B extends this flexible access, providing a seamless experience for external users while preserving strong access controls.

With the latest enhancement, Cloud Identity Engine enables secure Entra B2B external user authentication. Organizations can integrate external Entra B2B identities into a unified Zero Trust security model, streamlining collaboration with partners and vendors while retaining fine-grained access control.

Key Capabilities and Benefits of Entra B2B Support in Cloud Identity Engine

With this enhancement, Cloud Identity Engine delivers:

Streamlined Collaboration: A simplified setup process for external access. Authorized users from other organizations can authenticate seamlessly, enabling faster collaboration without added friction.

Centralized Access Control: Administrators can manage internal and external identities from a single platform, making it easy to apply and monitor security policies across all users.

Directory Synchronization Service Support: With Directory Synchronization, Cloud Identity Engine syncs directly with Entra ID, so guest user identities and group memberships stay up to date. This simplifies managing external users and provides real-time visibility.

Cloud Dynamic User Group Support: Cloud Dynamic User Groups automatically categorize users based on attributes such as role, department, and guest status. This is especially useful for external Entra B2B users: administrators can define policies for dynamic groups that adapt as user roles and attributes change, enforcing access controls based on real-time user context.

Cloud Authentication Service Support: Cloud Identity Engine's Cloud Authentication Service offers additional flexibility for external users. Organizations can enforce specific authentication methods for different groups of users, such as requiring MFA for high-risk or privileged access, creating more granular and adaptive access controls.

Together, these capabilities let Cloud Identity Engine streamline external user access, enforce centralized policies, and maintain security across diverse user populations, including those with dynamic roles or heightened security needs. You can read more about how Entra B2B works here.

Start Using the Feature Today!

New and existing customers can begin using Entra B2B support in Cloud Identity Engine immediately. You can follow this video or the steps below:

1. Follow the steps provided by Microsoft to invite guest users to your Entra ID tenant here.
2. Once a guest user has been added to your Entra ID tenant, connect the tenant to Cloud Identity Engine using one of the methods in our documentation: CIE Enterprise App, SCIM, or Client Credential Flow.

Guest users appear in Cloud Identity Engine with the naming format:

userName_externalDomain.com#EXT#@internalDomain.com

Guest users' attributes and group memberships are also shared with Cloud Identity Engine, and guest users and their attributes can be used in Cloud Dynamic User Groups for:

1. Risky User Groups

Integrating Entra B2B guest users into Risky User Groups enables dynamic responses to potentially malicious behavior or compromised accounts. For example, external users flagged for suspicious activity, such as repeated failed logins or access to resources outside their usual context, can be grouped automatically and subjected to stricter policies, such as requiring additional MFA or blocking access entirely. By combining Entra ID's risk signals with Cloud Identity Engine's risky user groups, organizations can mitigate risks posed by external collaborators before they escalate while maintaining productivity.

2. Attribute-Based Groups

Entra B2B users can be placed in Attribute-Based Groups, enabling granular access controls based on user attributes such as guest status, department, and role. This ensures external collaborators receive access only to the resources relevant to their specific needs. For instance, a guest supplier tagged with a "Finance" role in Entra ID can be granted access only to financial systems and data, avoiding over-permissioning. Aligning attributes across platforms enforces least privilege and minimizes the attack surface while maintaining operational efficiency.

3. On-Demand Assignment Groups

With Entra B2B support in On-Demand Assignment Groups, organizations can provide time-bound, purpose-specific access to external users, so they interact with resources only for as long as necessary. For example, a guest developer collaborating on a project can be granted temporary access to a test environment, with access revoked automatically after the defined period. This minimizes the risk of lingering permissions and unauthorized access while supporting dynamic collaboration needs.
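The guest naming format shown above is what policy and logging will see, so it is worth being able to decode it. The following Python is an added example, not code from the article or from Palo Alto Networks: it parses the `#EXT#` form back into the guest's original identity and flags guests whose home tenant is not on a partner allowlist. The allowlist, the sample UPNs, and the `contoso.example` tenant are constructed for illustration; the parser assumes a mail domain never contains an underscore, so the last underscore before `#EXT#` is the encoded `@`.

```python
# Added example: decode Entra B2B guest UPNs of the form
#   <localpart>_<externaldomain>#EXT#@<hometenantdomain>
# and classify each user as member / trusted guest / untrusted guest.
EXT_MARKER = "#EXT#@"


def parse_guest_upn(upn: str):
    """Return the guest's original identity, or None if `upn` is not a B2B guest UPN.

    Entra ID builds a guest UPN by replacing the '@' in the invited address with '_'
    and appending '#EXT#@' plus the host tenant's domain. A local part may itself
    contain '_' but a mail domain cannot (assumption), so split at the LAST '_'.
    """
    if EXT_MARKER not in upn:
        return None
    encoded, host_domain = upn.split(EXT_MARKER, 1)
    local, sep, home_domain = encoded.rpartition("_")
    if not sep or not local or "." not in home_domain:
        return None  # malformed: report unparseable rather than guess
    return {
        "original_email": f"{local}@{home_domain}",
        "home_domain": home_domain.lower(),
        "host_domain": host_domain.lower(),
    }


def classify(upn: str, trusted_partner_domains: set) -> dict:
    """Derive guest-related attributes for a dynamic-group style decision.

    A guest UPN ENDS in the host tenant's domain, so a policy that matches on
    the '@contoso.example' suffix would silently include every guest. The
    '#EXT#' marker (or the directory's userType attribute) is what separates
    guests from members.
    """
    info = parse_guest_upn(upn)
    if info is None:
        return {"upn": upn, "is_guest": False, "trusted": True,
                "home_domain": upn.rsplit("@", 1)[-1].lower()}
    return {"upn": upn, "is_guest": True,
            "trusted": info["home_domain"] in trusted_partner_domains, **info}


# Constructed sample data (not from the article).
TRUSTED_PARTNERS = {"partner.example", "vendor.example"}
SAMPLE_UPNS = [
    "bob@contoso.example",                          # home-tenant member
    "alice_partner.example#EXT#@contoso.example",   # guest from an allowlisted partner
    "j_doe_vendor.example#EXT#@contoso.example",    # local part containing '_'
    "eve_unknown.example#EXT#@contoso.example",     # guest from an unexpected tenant
]


def untrusted_guests(upns, trusted=TRUSTED_PARTNERS) -> list:
    """UPNs of guests whose home tenant is not on the partner allowlist."""
    return [c["upn"] for c in (classify(u, trusted) for u in upns)
            if c["is_guest"] and not c["trusted"]]


if __name__ == "__main__":
    for u in SAMPLE_UPNS:
        print(classify(u, TRUSTED_PARTNERS))
    print("needs review:", untrusted_guests(SAMPLE_UPNS))
```

The `untrusted_guests` list is the kind of input you would feed a restrictive Cloud Dynamic User Group or a review queue: a guest invited from a tenant you have no agreement with is a policy question, not just an identity record.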
The Cloud Identity Engine (CIE) is expanding its capabilities by introducing a new method for connecting to authentication services via OpenID Connect (OIDC). This enhancement provides an additional option alongside our existing support for CA Chains and SAML.  
After synchronizing your directory with Cloud Identity Engine (CIE), you can create user groups in the CIE console. Use attribute-value pairs with operators like "contains," "starts with," and exact matches, and combine them with and/or operators.  
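To make the operator semantics concrete, here is an added example (not CIE's own implementation) of an attribute-rule evaluator that supports exact match, "contains", "starts with", and nested and/or/not combinations, run over a constructed sample directory. The `userType` attribute and the `contoso.example` users are assumptions for illustration. It also shows the over-matching that a "contains" rule can introduce in a group that grants access.

```python
# Added example: a small attribute-rule evaluator in the spirit of CIE's
# attribute-based groups. Leaf rules are {"attr", "op", "value"}; composite
# rules are {"and": [...]}, {"or": [...]} or {"not": rule}.
OPERATORS = {
    "equals":      lambda actual, wanted: actual == wanted,
    "contains":    lambda actual, wanted: wanted in actual,
    "starts_with": lambda actual, wanted: actual.startswith(wanted),
}


def evaluate(rule: dict, user: dict) -> bool:
    """Return True if `user` (an attribute dict) satisfies `rule`."""
    if "and" in rule:
        return all(evaluate(r, user) for r in rule["and"])
    if "or" in rule:
        return any(evaluate(r, user) for r in rule["or"])
    if "not" in rule:
        return not evaluate(rule["not"], user)
    actual = user.get(rule["attr"])
    if actual is None:
        return False  # missing attribute never matches: fail closed
    if rule["op"] not in OPERATORS:
        raise ValueError(f"unknown operator {rule['op']!r}")
    # Directory attribute values are compared case-insensitively.
    return OPERATORS[rule["op"]](str(actual).casefold(), str(rule["value"]).casefold())


def members(rule: dict, users) -> list:
    """UPNs of all users the rule selects, in directory order."""
    return [u["userPrincipalName"] for u in users if evaluate(rule, u)]


# Constructed sample directory (not from the article). userType is the Entra
# attribute that separates "Guest" from "Member".
USERS = [
    {"userPrincipalName": "bob@contoso.example", "userType": "Member",
     "department": "Finance", "jobTitle": "Accountant"},
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "userType": "Guest", "department": "Finance", "jobTitle": "Auditor"},
    {"userPrincipalName": "carol_vendor.example#EXT#@contoso.example",
     "userType": "Guest", "department": "Finance Operations",
     "jobTitle": "Contractor - Analyst"},
    {"userPrincipalName": "dave_other.example#EXT#@contoso.example",
     "userType": "Guest", "jobTitle": "Contractor - Support"},  # no department set
]

# Exact match: guests whose department is precisely "Finance".
GUEST_FINANCE_EXACT = {"and": [
    {"attr": "userType", "op": "equals", "value": "Guest"},
    {"attr": "department", "op": "equals", "value": "Finance"},
]}

# Loose match: "contains" also pulls in "Finance Operations". For a group that
# grants access, this over-matching is the thing to watch for.
GUEST_FINANCE_LOOSE = {"and": [
    {"attr": "userType", "op": "equals", "value": "Guest"},
    {"attr": "department", "op": "contains", "value": "finance"},
]}

# Contractors from any tenant except the trusted partner tenant.
EXTERNAL_CONTRACTORS = {"and": [
    {"attr": "jobTitle", "op": "starts_with", "value": "Contractor"},
    {"not": {"attr": "userPrincipalName", "op": "contains",
             "value": "_partner.example#EXT#"}},
]}

if __name__ == "__main__":
    print(members(GUEST_FINANCE_EXACT, USERS))
    print(members(GUEST_FINANCE_LOOSE, USERS))
    print(members(EXTERNAL_CONTRACTORS, USERS))
```

Use "equals" for groups that unlock resources and reserve "contains"/"starts with" for groups that tighten policy, and treat a missing attribute as a non-match so an unsynchronized guest never lands in a privileged group by accident.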
After synchronizing your directory with Cloud Identity Engine (CIE) you are now able to create groups of users within the CIE console. Users can be added to a group indefinitely or for specific time periods. These groups are never sent back to the directory and are exclusively for use in the Palo Alto Networks platform.  
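Time-bound membership is the part that prevents lingering access, so it helps to see how expiry works when membership is evaluated at query time rather than written to the directory. The following is an added example, not CIE's implementation: an in-memory store of explicit assignments, indefinite or with a duration, with effective membership computed for a given instant plus early revocation and an "expiring soon" query. The timestamps and UPNs are constructed; it insists on timezone-aware datetimes because naive ones are a common source of off-by-hours expiry bugs.

```python
# Added example: time-bound ("on-demand") group assignments held outside the
# directory, with membership evaluated at query time so expiry is automatic.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    upn: str
    group: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means indefinite membership


class OnDemandGroups:
    """In-memory store of explicit group assignments. Nothing is written back
    to the directory; the groups exist only for policy evaluation."""

    def __init__(self):
        self._assignments: list[Assignment] = []

    def assign(self, upn: str, group: str, now: datetime,
               duration: Optional[timedelta] = None) -> Assignment:
        if now.tzinfo is None:
            raise ValueError("use timezone-aware timestamps")
        expires = None if duration is None else now + duration
        a = Assignment(upn, group, now, expires)
        self._assignments.append(a)
        return a

    def revoke(self, upn: str, group: str) -> int:
        """Remove every assignment of upn to group early; returns how many were removed."""
        before = len(self._assignments)
        self._assignments = [a for a in self._assignments
                             if not (a.upn == upn and a.group == group)]
        return before - len(self._assignments)

    def members(self, group: str, now: datetime) -> set:
        """Effective members at `now`: started, and either indefinite or not yet expired."""
        return {a.upn for a in self._assignments
                if a.group == group and a.granted_at <= now
                and (a.expires_at is None or now < a.expires_at)}

    def expiring_within(self, window: timedelta, now: datetime) -> list:
        """Assignments that will lapse within `window`, e.g. for a renewal review."""
        return [a for a in self._assignments
                if a.expires_at is not None and now < a.expires_at <= now + window]


if __name__ == "__main__":
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    g = OnDemandGroups()
    # Guest developer gets an 8-hour window on the test environment group;
    # an internal owner is assigned indefinitely.
    g.assign("dev_partner.example#EXT#@contoso.example", "test-env-access",
             t0, timedelta(hours=8))
    g.assign("bob@contoso.example", "test-env-access", t0)
    print(g.members("test-env-access", t0 + timedelta(hours=1)))  # both
    print(g.members("test-env-access", t0 + timedelta(hours=9)))  # only bob
```

Because `members` is recomputed for each evaluation, there is no cleanup job to forget and no window during which an expired guest still appears as a member; the `expiring_within` query is what you would wire to a notification so renewals are a deliberate act.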
Cloud Identity Engine (CIE) now provides customers with the ability to select the groups they would like to synchronize with CIE from Entra ID (formerly Azure AD) by using filters.
The Cloud Identity Engine consists of two components: Directory Sync, which provides user information, and the Cloud Authentication Service, which authenticates users. For a more comprehensive identity solution, Palo Alto Networks recommends using both components, but you can configure the components independently.    The Cloud Authentication Service uses a cloud-based service to provide user authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to authenticate, the authentication request is redirected to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the user and applies the security policy. By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also allows you to configure the authentication source once instead of for each authentication method you use (for example, Authentication Portal or administrator authentication).    Learn more here.