Users having long usernames are not synced with the firewalls

Created On 11/21/22 05:00 AM - Last Modified 04/16/25 19:49 PM


Symptom


  • When using Azure directory and syncing users with CIE, the correct policy or group is not applied.
  • On checking the firewalls that are synced with CIE, the user is missing from the group.
  • This happens for usernames that are long.
  • The User-ID logs (less mp-log useridd.log) display the error below:
17:53:15.860 -0400 Warning: pan_user_group_add_one_gmem(pan_user_group.c:2661): user name firstname.lastname_oc.example.com#ext#@example.onmicrosoft.com len 68 exceeds max len 63


Environment


  • Palo Alto Firewalls
  • Prisma Access Firewalls
  • Supported PAN-OS
  • CIE (Cloud Identity Engine)


Cause


  • The above happens because the maximum username length accepted on the PAN-OS side is 63 characters; usernames that exceed that value are not added to the group.
  • In the above example, the user firstname.lastname was added as a guest user to the domain "example.onmicrosoft.com", so Microsoft appends #EXT# to the username, which makes it longer than 63 characters.


Resolution


  1. Reduce the length of the username so that, after Microsoft adds the #EXT# portion, the total number of characters is less than 63.
  2. For details about why the #EXT# is added, refer to "Why #EXT# is seen in the username?"
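The following is an added example, not part of this article or of any Palo Alto Networks tool: it scans useridd.log output for the "exceeds max len" warning above and pre-computes the guest UPN that Azure AD builds for an external user (local part, "_", external domain, "#EXT#@", tenant domain) so that over-length names can be caught before they are synced. The tenant domain and the guest e-mail addresses below are constructed sample values; only the first log line is the one quoted on this page.

```python
import re

# Maximum username length the PAN-OS side accepts, as stated in the warning on this page.
PANOS_MAX_USERNAME_LEN = 63

# Constructed sample of useridd.log output: line 1 is the warning quoted in the article,
# line 2 is a made-up non-warning line to show the parser ignores unrelated output.
SAMPLE_LOG = """\
17:53:15.860 -0400 Warning: pan_user_group_add_one_gmem(pan_user_group.c:2661): user name firstname.lastname_oc.example.com#ext#@example.onmicrosoft.com len 68 exceeds max len 63
17:53:15.861 -0400 Debug: pan_user_group_add_one_gmem(pan_user_group.c:2650): added user short.name@example.onmicrosoft.com
"""

WARN_RE = re.compile(r"user name (?P<user>\S+) len (?P<len>\d+) exceeds max len (?P<max>\d+)")


def find_oversized_users(log_text):
    """Return (username, reported_len, max_len) for each 'exceeds max len' warning in the log."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            hits.append((m.group("user"), int(m.group("len")), int(m.group("max"))))
    return hits


def guest_upn(external_email, tenant_domain):
    """Build the UPN Azure AD assigns to a B2B guest: local_part + '_' + domain + '#EXT#@' + tenant.

    Assumes the tenant's initial *.onmicrosoft.com domain is used, as in the article's example.
    """
    local, _, domain = external_email.partition("@")
    return f"{local}_{domain}#EXT#@{tenant_domain}"


def exceeds_panos_limit(username, limit=PANOS_MAX_USERNAME_LEN):
    """True when the username would be rejected by the PAN-OS group-membership check."""
    return len(username) > limit


def check_guests(emails, tenant_domain):
    """Map each guest e-mail to (resulting UPN, would_exceed) so admins can shorten names up front."""
    report = {}
    for email in emails:
        upn = guest_upn(email, tenant_domain)
        report[email] = (upn, exceeds_panos_limit(upn))
    return report


if __name__ == "__main__":
    for user, n, limit in find_oversized_users(SAMPLE_LOG):
        print(f"not synced: {user} ({n} > {limit})")
    for email, (upn, bad) in check_guests(
        ["j.doe@example.org", "firstname.middlename.lastname@partner-example.com"],
        "example.onmicrosoft.com",
    ).items():
        print(f"{email} -> {upn} ({len(upn)} chars){' TOO LONG' if bad else ''}")
```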

