How can policies based on group mapping be learned and enforced in Prisma Access?

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.

However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.

How can policies based on group mapping be learned and enforced in Prisma Access?
A. Configure Prisma Access to learn group mapping via SAML assertion
B. Assign a master device in Panorama through which Prisma Access learns groups
C. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers

Answer: B

Explanation:

Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-Series firewalls as a Master Device. If you don’t configure a Master Device with a Prisma Access User-ID deployment, use long-form distinguished name (DN) entries instead.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html
