On Cloud Identity Engine the Group CN (common name) is learnt from the "Mail Nick Name" from Azure AD
3969
Created On 12/15/22 01:43 AM - Last Modified 03/22/24 01:08 AM
Symptom
- For a user group that is synced from on-prem AD (Active Directory) to Azure AD, it sometimes doesn't have the attribute CN (CommonName) on Azure AD.
- In this case, CIE will use the "MailNickName" as the CN for this group.
- If the group's "MailNickName" is different to its CN, customer's configuration with the group CN will not take effect, as the group CN doesn't exist on CIE.
- A group on on-prem AD has cn=users_support and "MailNickName" as support_users.
- On Azure AD, the same group somehow doesn't have CN, but has "MailNickName" as support_users
- The group on CIE will have cn=support_users and sAMAccountName=users_support
- Therefore, if the customer has cn=users_support in Prisma Access Panorama, this group will not be found on CIE.
Environment
- CIE (Cloud Identity Engine)
- Prisma Access
- Azure Active Directory (AD)
Cause
CIE will use the "MailNickName" as the CN for this group, if the group doesn't have CN attribute on Azure AD.
Resolution
Check and fix the following
- The group has correct common name (CN) on CIE.
- The group has correct CN on Azure AD
- If the group doesn't have CN on Azure AD, the group's MailNickName is the same to CN.