Unable to pull Users and Groups from an Endpoint DLP policy from a connected CIE

Created On 09/28/25 23:05 PM - Last Modified 12/10/25 02:41 AM


Symptom


With Enterprise DLP or Endpoint DLP deployed with the Prisma Access Agent and Cloud Identity Engine (CIE), admins may see one or more of the following symptoms:

  • CIE is connected and has both the Entra ID and SCIM options configured to pull data from Entra ID.
  • When adding a policy of type “Peripheral Control” or “Data in Motion”, Users and Groups are not listed in the drop-down menu.


Environment




Cause


One or more of the following causes may lead to this issue:

  • The Main Tenant Service Group (TSG) may not be sharing the CIE with the sub TSG or tenant.
  • Backend issues.


Resolution


Depending on the source of the issue:

  1. Review HUB > Tenant Management > CIE “Manage Sharing” and check whether the CIE is shared with the sub tenants.
  2. If it is not shared, share the CIE with the sub tenant.
  3. Ensure the users and groups exist in CIE.
  4. Backend issues can also cause this behavior. In that case, engage Palo Alto Networks TAC for resolution.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyEKKAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail