Exam SSE-Engineer topic 1 question 35 discussion

The Cloud Identity Engine’s Attribute Group Mapping capability allows it to retrieve user and group attributes from Microsoft Entra ID and map them for use in Prisma Access security policies. This includes attributes like userPrincipalName, mail, or group membership in formats such as distinguishedName (e.g., CN=Users,CN=Builtin,DC=Example,DC=com). By configuring Attribute Group Mapping, Prisma Access can use these Entra ID attributes to identify users and groups as the source in security policy rules, enabling policy enforcement based on user identity rather than IP addresses. This is achieved by associating the Cloud Identity Engine with Prisma Access, configuring the primary username attribute (e.g., userPrincipalName for Entra ID), and ensuring that group names are populated in security policy rule drop-downs for selection.

Correct is D. https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-engine/create-a-cloud-dynamic-user-group

I would say A, but not sure: https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/configure-azure-ad-user-group-mapping-in-prisma-access