How to Set up Azure SSO multi-role in Prisma Cloud

Created On 03/29/22 16:38 PM - Last Modified 10/26/25 22:41 PM


Objective


Configure Azure SSO on Prisma Cloud with Just-in-Time (JIT) provisioning so that a single SSO user receives multiple Prisma Cloud roles.


Environment


  • Prisma Cloud
  • Microsoft Azure SSO multi-role


Procedure


Prerequisite:
To prevent tenant lockout, add at least one user to the SSO bypass list: Settings > Access Control List > SSO > Allow select users to authenticate directly with Prisma Cloud.

Set up Azure for SSO
  1. Go to Enterprise application > Prisma Cloud SSO > SAML-based Sign-on
    1. Click on Add new claims
    2. Select Groups assigned to the application, then click Save
(Screenshot: Picture1.jpg)

The Group claim has been added
(Screenshot: Picture2.jpg)
  2. Go to Default Directory > All Groups
    1. Assign groups to the Prisma Cloud SSO Enterprise Application and add users to them
    2. Copy the group Object ID; it is needed to create the matching role in Prisma Cloud
(Screenshot: Picture4.jpg)
Note: Group assignment is not available at the Basic Active Directory plan level. It requires at least an "ENTERPRISE MOBILITY + SECURITY E5" or "AZURE AD PREMIUM P2" plan.

Configure SSO on Prisma Cloud
  1. In Prisma Cloud, go to Settings > Roles and create a role using the Azure group Object ID
(Screenshot: Picture5-2.jpg)
  2. Copy the Claim Name from Azure and paste it in Settings > SSO > Just in Time (JIT) Provisioning
(Screenshot: Picture3.jpg)
  3. Log in with SSO and click on the Profile button. You will see multiple roles.
(Screenshot: Picture6.jpg)

Now you can toggle between multiple roles in Prisma Cloud
(Screenshot: Picture7.jpg)
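The following is an added illustration of what the JIT multi-role mapping above amounts to on the service side; it is not Prisma Cloud's own code. It parses a constructed SAML assertion, pulls the group Object IDs out of the Azure group claim, and maps each one to the role that was created with that Object ID. The claim name used is Azure AD's default SAML groups claim (assumed here; in practice copy the exact Claim Name from Azure as step 2 says), and the Object IDs and role names are made-up placeholders. The last check shows the failure mode the bypass-list prerequisite guards against: a mistyped claim name yields no groups, hence no roles, and the SSO login is refused.

```python
"""Map Azure AD SAML group claims to Prisma Cloud roles (JIT multi-role).

Added illustration, not Prisma Cloud's own code. The assertion below is
constructed; the claim name is Azure AD's default SAML groups claim, and the
group Object IDs and role names are made-up placeholders.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name Azure AD emits for "Groups assigned to the application".
# Assumed default; the real value is copied from the Azure claim configuration.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Prisma Cloud roles keyed by the Azure group Object ID they were created with
# (placeholder IDs standing in for Settings > Roles entries).
ROLE_BY_GROUP_ID = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Cloud Admin",
    "11111111-aaaa-4bbb-8ccc-000000000002": "Security Reviewer",
}

# Constructed assertion: a user in two mapped groups and one unmapped group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000099</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml, claim_name=GROUPS_CLAIM):
    """Return the group Object IDs carried in the SAML attribute named claim_name."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue  # not the groups claim; ignore other attributes
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text:
                groups.append(value.text.strip())
    return groups


def resolve_roles(group_ids, role_by_group=ROLE_BY_GROUP_ID):
    """JIT role resolution: each mapped group yields its role; unmapped groups are ignored."""
    roles = []
    for gid in group_ids:
        role = role_by_group.get(gid)
        if role and role not in roles:
            roles.append(role)
    return roles


def jit_login(assertion_xml, claim_name=GROUPS_CLAIM, role_by_group=ROLE_BY_GROUP_ID):
    """Decide an SSO login outcome. Returns (allowed, roles).

    With no matching group there is no role to provision, so the login is refused;
    that is why the article requires a user on the SSO bypass list first.
    """
    roles = resolve_roles(extract_groups(assertion_xml, claim_name), role_by_group)
    return (len(roles) > 0, roles)


if __name__ == "__main__":
    print(jit_login(SAMPLE_ASSERTION))                      # (True, ['Cloud Admin', 'Security Reviewer'])
    print(jit_login(SAMPLE_ASSERTION, claim_name="groups"))  # (False, []) - wrong claim name pasted
```

The unmapped third group is dropped silently, which is why a user may see fewer roles than groups; the second call shows that a claim-name mismatch between Azure and the Prisma Cloud JIT setting is indistinguishable, from the user's side, from having no groups at all.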


Additional Information


Set up Azure AD SSO on Prisma Cloud

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NqJCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail