Adaptive User Segmentation
Illumio's Adaptive User Segmentation (AUS) allows you to leverage user groups from two different Microsoft directory applications to manage network traffic across your organization:
Microsoft Active Directory
Microsoft Entra ID (formerly Azure Active Directory)
Support for these directory applications allows you to include user groups in the PCE that map directly to Active Directory or Entra ID Groups. You can then create rules using these groups to control outbound access on specific workloads, such as a VDI desktop, based on the group membership of the user logged in to that workload.
For example, you may want to restrict access to the ERP application to only employees in the Sales user group and not to users in the HR department. You may also wish to allow HR users to access only HR applications, but not all internal resources.
If you have a Windows workload that controls access to other resources in your network, such as a VDI desktop with the VEN installed, you can add the VDI desktop workload and Active Directory or Entra ID User Groups to the rule. With this type of rule, users can access only the resources that the rules explicitly allow.
Configure a Microsoft directory application for use with Illumio AUS
Configure one of the following directory applications.
Microsoft Entra ID
Note
Feature Enablement: Using Microsoft Entra ID with Illumio AUS requires enablement by Illumio. For assistance, contact your Illumio Account team.
To use Microsoft Entra ID User Groups in Illumio policy, configure the Entra ID Enterprise Application as described in Configure Microsoft Entra ID (Azure AD) for use with Illumio AUS. Once configured and provisioned, Entra ID periodically pushes group and user information to the PCE automatically. The information eventually appears in Policy Objects > User Groups. This automated operation differs from the manual steps required for integrating AUS with Microsoft Active Directory.
Microsoft Active Directory
To use Microsoft Active Directory User Groups in Illumio policy, perform the procedures provided in Configure Microsoft Active Directory for use with Illumio AUS.