How to renew the application key for the Directory Service in SaaS Security

Created On 03/27/23 23:43 PM - Last Modified 07/11/25 20:13 PM


Objective


This document provides guidance and documentation references for renewing the Directory Service application key in SaaS Security.

Environment


SaaS Security API

Procedure


To connect your enterprise directory service to SaaS Security API, you need to configure an application registration in Azure AD. This process is described at Begin Using Azure Active Directory Groups.

SaaS Security API uses the Application ID and the Application Key to connect to Azure AD and retrieve information about users and groups.

The Application Key can be configured to expire in 1 year, in 2 years, or never. Unless you choose never to expire, you will need to renew the key in Azure at some point.
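To know ahead of time when the key will lapse, its expiry date can be read from Azure. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it parses JSON in the shape printed by the Azure CLI command `az ad app credential list --id <application-id>` and flags keys that are expired or close to expiry. The sample data, the key names, and the 30-day warning window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of
# `az ad app credential list --id <application-id>`; names and IDs are made up.
SAMPLE = """[
 {"displayName": "directory-key-old", "keyId": "00000000-0000-0000-0000-000000000001",
  "startDateTime": "2023-03-27T23:43:00Z", "endDateTime": "2024-03-27T23:43:00Z"},
 {"displayName": "directory-key-new", "keyId": "00000000-0000-0000-0000-000000000002",
  "startDateTime": "2024-03-01T10:00:00.1234567Z", "endDateTime": "2026-03-01T10:00:00.1234567Z"}
]"""

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")

def parse_ts(value):
    """Parse a UTC timestamp, accepting the 7-digit fractions Azure may emit."""
    m = _TS.fullmatch(value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base + timedelta(microseconds=micros)

def classify(credentials, now, warn_days=30):
    """Return (displayName, status, days_left) for each key."""
    report = []
    for cred in credentials:
        end = parse_ts(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return report

def renewal_needed(credentials, now, warn_days=30):
    """True when no key remains valid beyond the warning window."""
    return all(status != "ok" for _, status, _ in classify(credentials, now, warn_days))

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, status, days in classify(json.loads(SAMPLE), now):
        print(f"{name}: {status} ({days} days left)")
    print("renew now:", renewal_needed(json.loads(SAMPLE), now))
```

When `renewal_needed` returns true, create a new key in Azure and then update it in SaaS Security API as described in the steps that follow.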

Once you have renewed the Application Key on the Azure side, update the Application Key in SaaS Security API:
1. Go to the Settings tab
2. Select Directory Services
3. Click the Actions button
4. Select **Re-authenticate**

5. Verify the Application ID
6. Update the Application Key with the one newly created in Azure for this Application ID


By default, SaaS Security API refreshes the Directory Service connection every 24h to retrieve any changes to user group membership. To ensure the application key renewal takes effect immediately, repeat steps 1 to 4, selecting the **Refresh** option instead of **Re-authenticate** in step 4.


This process is described at Manage Your Directory Service on SaaS Security API. That document includes 2 more optional steps: Rescan a Managed Cloud App and Re-authenticate to a Cloud App.

Renewing the Directory Services Application Key shouldn't impact the Cloud Apps. However, you should monitor the behavior after the key renewal is completed, verifying that asset details for previously registered assets are still visible and that new assets are being registered.

If you can't retrieve details about previously registered assets, you might need to perform Rescan a Managed Cloud App.

If new assets are not being registered, you might need to perform Re-authenticate to a Cloud App.
 

