Incorrect UPN (User Principal Name) fetched in CIE (Cloud Identity Engine) from Azure AD (AAD) even when the UPN on AAD is correct.
Created On 10/17/24 03:48 AM - Last Modified 12/03/24 19:51 PM
Symptom
- Palo Alto Cloud Identity Engine (CIE) is integrated with Azure AD (AAD) for user-to-group mapping.
- The CIE is synced and shows the expected users and groups.
- The Collect user risk information from Azure AD Identity Protection option is enabled for this integration.
- For one or more users, the UPN (User Principal Name) attribute is incorrect in CIE while it is configured correctly on the AAD side.
- This causes security policy match issues for that specific user.
- For example, the user whose Mail attribute is user1.lastname@company.com has the UPN set to the same value in AAD, but CIE shows an old value, lastnamemiddlenameuser1@company.com.
Environment
- Palo Alto Cloud Identity Engine (CIE) for user and group mapping.
Cause
- This issue is caused by an inconsistent UPN value in the responses returned by Azure AD.
- When Collect user risk information is checked, CIE queries Azure AD through two different methods; the one used for user risk information returns the incorrect (stale) UPN, so CIE shows the incorrect value for this attribute.
Resolution
- Validate that the UPN value is correct on the Azure AD side.
- It has been observed that the Mail Nickname (which ideally should not affect the UPN) also influences the AAD response; set the mail nickname to the same value as the UPN so that AAD returns the correct value.
- If you are not using Cloud dynamic user groups, uncheck Collect user risk information from Azure AD Identity Protection in the AAD integration in CIE, then run a full sync in CIE so the correct value is reflected.
- If the problem persists after unchecking Collect user risk information from Azure AD Identity Protection, reach out to Palo Alto Support with a screenshot of the CIE information and the attribute details configured on the AAD side.
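The following is an added example, not part of this article or of Palo Alto's or Microsoft's code. It shows how an administrator can spot the discrepancy described in the Cause section before it reaches CIE: compare the UPN that Azure AD returns for the directory user object with the UPN it returns in the Identity Protection (riskyUsers) record, and also flag users whose mail nickname does not match the UPN local part. It assumes the two lookups correspond to the Microsoft Graph calls `GET /v1.0/users?$select=id,userPrincipalName,mail,mailNickname` and `GET /v1.0/identityProtection/riskyUsers`, that both records carry the same user `id`, and that the article's "Mail Nick name" is the `mailNickname` attribute. The function works on the JSON bodies of those calls, so the sample data below is constructed and no network access is needed.

```python
"""Compare the UPN reported by two Azure AD (Microsoft Graph) responses.

Added example (not from the KB article). Assumptions:
  - `users` is the "value" list of GET /v1.0/users?$select=id,userPrincipalName,mail,mailNickname
  - `risky_users` is the "value" list of GET /v1.0/identityProtection/riskyUsers
  - both records identify the user by the same `id`
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UpnReport:
    user_id: str
    directory_upn: str
    risky_upn: Optional[str]
    mail: Optional[str]
    mail_nickname: Optional[str]
    findings: List[str] = field(default_factory=list)


def _norm(value: Optional[str]) -> Optional[str]:
    """UPNs and nicknames are case-insensitive; normalise before comparing."""
    return value.strip().lower() if isinstance(value, str) else None


def check_upn_consistency(users, risky_users) -> List[UpnReport]:
    """Return one UpnReport per directory user that has at least one finding."""
    risky_by_id = {r["id"]: r for r in risky_users}
    reports: List[UpnReport] = []
    for u in users:
        upn = u.get("userPrincipalName") or ""
        risky = risky_by_id.get(u["id"])
        risky_upn = risky.get("userPrincipalName") if risky else None
        report = UpnReport(u["id"], upn, risky_upn, u.get("mail"), u.get("mailNickname"))

        # Finding 1: the two Azure AD responses disagree on the UPN.
        # This is the situation the article describes; CIE would show the
        # value from the risk-information lookup.
        if risky_upn is not None and _norm(risky_upn) != _norm(upn):
            report.findings.append(
                f"riskyUsers UPN '{risky_upn}' != directory UPN '{upn}'")

        # Finding 2: mailNickname differs from the UPN local part. The
        # article notes that the nickname can influence what AAD returns.
        local_part = _norm(upn).split("@", 1)[0] if upn else ""
        nick = _norm(u.get("mailNickname"))
        if nick is not None and nick != local_part:
            report.findings.append(
                f"mailNickname '{u['mailNickname']}' != UPN local part '{local_part}'")

        if report.findings:
            reports.append(report)
    return reports


# Constructed sample data mirroring the article's example (not real tenant data).
SAMPLE_USERS = [
    {"id": "u-1", "userPrincipalName": "user1.lastname@company.com",
     "mail": "user1.lastname@company.com", "mailNickname": "lastnamemiddlenameuser1"},
    {"id": "u-2", "userPrincipalName": "user2@company.com",
     "mail": "user2@company.com", "mailNickname": "user2"},
]
SAMPLE_RISKY_USERS = [
    {"id": "u-1", "userPrincipalName": "lastnamemiddlenameuser1@company.com", "riskLevel": "low"},
    {"id": "u-2", "userPrincipalName": "User2@company.com", "riskLevel": "none"},
]


if __name__ == "__main__":
    for r in check_upn_consistency(SAMPLE_USERS, SAMPLE_RISKY_USERS):
        print(r.user_id, r.directory_upn)
        for f in r.findings:
            print("  -", f)
```

Run it on the real responses after confirming the UPN in the Azure portal (Resolution step 1): a user listed with the first finding is one where CIE will display the stale UPN while Collect user risk information is enabled, and the second finding identifies the accounts where aligning the mail nickname with the UPN, as the article suggests, is worth trying before disabling the option.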