Cloud Identity Engine Directory Sync

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cloud Identity Engine Directory Sync

L1 Bithead

I have Cloud Identity Engine synced to Azure AD and see both groups and users in the hub. I configured a firewall to use CIE, but it doesn't appear to be working. I can see the groups and select them in policies, but no users from those groups are seen on the firewall. "show user cloud-identity-engine client stat" shows groups, but they show as unmapped (not sure if it should show mapped). "show user cloud-identity-engine status all" shows the name of the directory APP, but all stats are 0 or say never. Same with "show user cloud-identity-engine statistics all". Any help would be appreciated.


L1 Bithead




What did you map here? I am having issues like you


I'm not doing authentication with Cloud Identity Engine. I'm just trying to get the directory sync part of it working.

L1 Bithead

I was able to get Cloud Identity Engine working on the firewall. I changed the service interface for "Palo Alto Network Services" to use the outside interface instead of the default management interface. This didn't work at first until I removed the Cloud Identity Engine config on the firewall and re-added it.

With that being said, my new issue is that the CIE group doesn't seem to work for GlobalProtect portal config for agent match criteria. I am able to configure it, but it doesn't seem to work for matching the user even though I see the user and group information on the firewall through CLI which looks correct.

L1 Bithead

Is there an error? maybe in agent log file? I finally got mine working with users and groups in my policies.  I haven't tried GlobalProtect yet.

Thanks for the reply. The error I see is that the user didn't match a policy in the portal.


I have two users in the Azure group that is seen on the firewall via CIE. One user synced from on-prem has the email as the UPN and the other user is a guest in Azure and has a UPN. The users have to log in with email address format to Azure via SAML which works for both users. The on-prem user can map to a portal policy, but guest user cannot. The on-prem user appears in the group with email (same as login), but the guest user shows as UPN which isn't the same as the email login format.

Even though the guest user shows as UPN in the group, the email address used for login is an alternative user id and therefore should be able to map the user to the group referenced in the portal policy. I believe that should be the case.

L1 Bithead

Hi All,


I am having an issue whereby we have activated CIE on Panorama however no groups or users are coming through.the command show user cloud-identity-engine client stat" shows 0 for everything. Any ideas? 

I had 0s for everything until I changed Palo Alto Network Services to use the outside interface instead of the management interface.

Have the exact same issue, can't get guest user to select configuration and the user is listed under "Unmapped Groups" when running show user cloud-identity-engine client statistics.


Did you get any further?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!