Apply policies based on AD users, groups, or OU

To apply inline policies based on security needs and on constraints such as AD users, user groups, or organizational units; source of traffic; trusted or untrusted networks; forward or reverse proxy; application instance; constraint profile; or augmenting authentication (multifactor authentication), follow these steps:

  1. Navigate to Policies > Real time Protection > New Policy > Cloud App access.
  2. Under the ‘Source’ section, select Users, User groups, or Organizational Unit. The options selected here apply to the policy being created. You can add up to 1,024 unique user groups or organizational units. Keep in mind that Real-time Protection and SSL decryption policies share this limit.


    The ability to add up to 4,096 unique user groups or organizational units is a GA-controlled feature. Contact your Sales Representative or Support to enable this feature.

  3. Under the ‘Source’ section, select the ‘ADD CRITERIA’ drop-down option.
  4. Select the ‘Access method’ option and select the required source of traffic and proxy type (forward, reverse).
  5. For trusted or untrusted networks, select ‘Source IP’ and provide the details.
  6. To apply policies based on application instance, navigate to the ‘Destination’ section of the policy creation template and select the ‘App Instance’ option.
  7. Selecting a cloud app or an app instance activates the ‘Activities and Constraints’ section, where the activities that act as constraints can be added to the policy.
  8. To include multifactor authentication in policies, ensure that multifactor authentication is enabled for the tenant.
  9. Under the Profiles & Action section in the policy creation template, set Action to Multifactor authentication. This provides layered security for higher-risk activity.
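
The shared limit in step 2 is easy to exceed when many policies reference AD groups, so the following added example (not part of the product or its documentation) counts unique groups and OUs across both policy types before new ones are created. The `Policy` structure, the sample entries, and the assumptions that groups and OUs count together and that names match case-insensitively are all hypothetical.

```python
from dataclasses import dataclass, field

DEFAULT_LIMIT = 1024  # limit stated in step 2
RAISED_LIMIT = 4096   # applies only if the larger limit is enabled for the tenant


@dataclass
class Policy:
    """Hypothetical planning record; not a product export format."""
    name: str
    kind: str  # "real-time" or "ssl-decryption"; both draw on the same limit
    groups: list = field(default_factory=list)
    ous: list = field(default_factory=list)


def normalize(entry: str) -> str:
    """Assumption: AD names compare case-insensitively; drop spaces around DN commas."""
    return ",".join(part.strip() for part in entry.split(",")).casefold()


def check_limit(policies, limit=DEFAULT_LIMIT):
    """Count unique groups and OUs across all policies against the shared limit."""
    seen = set()
    new_per_policy = {}  # policy name -> entries that policy is the first to use
    for p in policies:
        entries = {("group", normalize(g)) for g in p.groups}
        entries |= {("ou", normalize(o)) for o in p.ous}
        new = entries - seen
        new_per_policy[p.name] = len(new)
        seen |= new
    return {
        "unique": len(seen),
        "headroom": limit - len(seen),
        "within_limit": len(seen) <= limit,
        "new_per_policy": new_per_policy,
    }


# Constructed sample data: the same group and OU spelled differently across policies.
SAMPLE = [
    Policy("Block uploads - Finance", "real-time",
           groups=["example.local/Finance", "example.local/Contractors"],
           ous=["OU=Branch,DC=example,DC=local"]),
    Policy("MFA for admins", "real-time",
           groups=["EXAMPLE.LOCAL/finance", "example.local/Admins"]),
    Policy("Decrypt branch traffic", "ssl-decryption",
           groups=["example.local/Contractors"],
           ous=["ou=branch, dc=example, dc=local"]),
]

if __name__ == "__main__":
    print(check_limit(SAMPLE))
```
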

To learn more: Real-time Protection Policies
