cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Automated user provisioning for Zscaler now in public preview
By
Alex Simons (AZURE)
Published Mar 05 2019 09:00 AM 16K Views
Alex Simons (AZURE)
Microsoft
‎Mar 05 2019 09:00 AM

Automated user provisioning for Zscaler now in public preview

‎Mar 05 2019 09:00 AM

Howdy folks,

 

With RSA happening this week and security top of mind, I’m excited to announce the public preview of automated user provisioning for Zscaler. This expansion of our partnership with Zscaler enables automated, policy-based provisioning and deprovisioning of user accounts for Zscaler’s single sign-on (SSO) apps across all production clouds.

 

With both Zscaler and Azure Active Directory (Azure AD) supporting the System for Cross-domain Identity Management (SCIM) 2.0 standard protocol, our joint customers can now use the Azure AD provisioning service to automate the lifecycle of user and group accounts for Zscaler. IT teams can use this SCIM integration to perform a user database sync with the Zscaler security cloud.

 

Zscaler customers can benefit by:

 

  • Eliminating manual processes: No more manual and error prone processes to create, update, or disable employee user accounts to Zscaler applications when they join, move within, or leave the company.
  • Increasing timely access: Reduce the time that your employees can get access to Zscaler applications when they join your company.
  • Increased security: Automatically disable user accounts to Zscaler applications in a timely fashion when employees leave the organization.

 

With the Azure AD automatic provisioning service, you can quickly deploy Zscaler applications throughout your organization and increase adoption while keeping your corporate assets safe. In addition, with always up-to-date user data, you can quickly adapt policy controls in response to changes in user security posture.

 

How to set up provisioning for your Zscaler application

If your Zscaler application is already integrated with Azure AD SSO, search for the application in Azure Active Directory > Enterprise Apps > All applications.

 

If you’re adding the application for the first time, select New applications and search for your desired Zscaler application:

 

Zscaler1.png

 

Once you’ve added your Zscaler application, you can configure the app for provisioning:

 

ZscalerProvisioning.png

 

After you configure and test your Zscaler application for provisioning, you can create attribute mappings between Azure AD and the Zscaler application. You’ll be able to view and edit what user attributes flow between Azure AD and the Zscaler application, as well as when user accounts are provisioned or updated.

 

ZscalerMapping.png

 

To learn more about setting up your Zscaler application with the Azure AD automatic provisioning service, review our documentation and visit the Zscaler product page for more details. Let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.


Best regards,

Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

5 Comments
pepperonicowboy
Copper Contributor
‎Apr 25 2019 11:56 AM
‎Apr 25 2019 11:56 AM

Does this mean that P1 is no longer required to utilize SCIM and directory sync functionality? Since it's now a gallery app. 

0 Likes
Like
Raj909
Copper Contributor
‎Aug 20 2019 10:59 AM
‎Aug 20 2019 10:59 AM
We have created a new enterprise application for ZscalerTwo cloud, SSO is working using SCIM-Based Provisioning. However, we cannot get the Mappings to work to synchronize specific AD user groups and security groups by using scoping filters. We prefer to sync all users and groups instead of only assigned users and groups. AD groups are already displayed within Azure AD, just not within the Zscaler application. Not sure if attribute mappings need to be created as something simple as "name" attribute is not available. Please advise how best to get this working. Thanks
0 Likes
Like
Jeevan Desarda
Microsoft
‎Aug 21 2019 03:19 PM
‎Aug 21 2019 03:19 PM

If I am understanding this correctly, you would like to scope the provisioning to specific set of users and/or groups in the organization. The best way in this case to do this is setting the scope in the drop down to "All Users and Groups".

clipboard_image_0.png

Then use the Mapping section (Users and groups are separate here) to further scope down the source objects based on the conditions you need. Here the condition can be a name or department and you can use the correct operator to match the value.

This is all explained in this document https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provision...

In addition to this please read the Zscaler specific User Provisioning tutorial here https://docs.microsoft.com/azure/active-directory/saas-apps/zscaler-two-provisioning-tutorial

0 Likes
Like
Raj909
Copper Contributor
‎Aug 22 2019 12:14 PM
‎Aug 22 2019 12:14 PM
Hi Jeevan, your understanding is correct. We have set the scope to "sync all users and groups" and currently all users and groups within the organization are being synchronized. I have gone through the Zscaler specific tutorial and the scoping filters document already but challenged with certain attributes not available. ie: name Ideally, we would like to synchronize Domain Users for the user mapping and several Security Group wildcards for the group mapping. Looking to see how we can achieve this.
0 Likes
Like
Jeevan Desarda
Microsoft
‎Sep 03 2019 01:18 PM
‎Sep 03 2019 01:18 PM

Thanks for letting us know about the missing attributes not available for mapping. I will pass this feedback to our Product Group.

0 Likes
Like
Version history
Last update:
‎Jul 24 2020 01:43 AM
Updated by: