Tutorial: Configure Zscaler ZSCloud for automatic user provisioning
In this tutorial, you'll learn how to configure Azure Active Directory (Azure AD) to automatically provision and deprovision users and/or groups to Zscaler ZSCloud.
This tutorial describes a connector that's built on the Azure AD user provisioning service. For important details on what this service does and how it works, and answers to frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.
To complete the steps outlined in this tutorial, you need the following:
- An Azure AD tenant.
- A Zscaler ZSCloud tenant.
- A user account in Zscaler ZSCloud with admin permissions.
The Azure AD provisioning integration relies on the Zscaler ZSCloud SCIM API, which is available for Enterprise accounts.
Add Zscaler ZSCloud from the gallery
Before you configure Zscaler ZSCloud for automatic user provisioning with Azure AD, you need to add Zscaler ZSCloud from the Azure AD application gallery to your list of managed SaaS applications.
In the Azure portal, in the left pane, select Azure Active Directory:
Go to Enterprise applications and then select All applications:
To add an application, select New application at the top of the window:
In the search box, enter Zscaler ZSCloud. Select Zscaler ZSCloud in the results and then select Add.
Assign users to Zscaler ZSCloud
Azure AD users need to be assigned access to selected apps before they can use them. In the context of automatic user provisioning, only the users or groups that are assigned to an application in Azure AD are synchronized.
Before you configure and enable automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Zscaler ZSCloud. After you decide that, you can assign these users and groups to Zscaler ZSCloud by following the instructions in Assign a user or group to an enterprise app.
Important tips for assigning users to Zscaler ZSCloud
We recommend that you first assign a single Azure AD user to Zscaler ZSCloud to test the automatic user provisioning configuration. You can assign more users and groups later.
When you assign a user to Zscaler ZSCloud, you need to select any valid application-specific role (if available) in the assignment dialog box. Users with the Default Access role are excluded from provisioning.
Set up automatic user provisioning
This section guides you through the steps for configuring the Azure AD provisioning service to create, update, and disable users and groups in Zscaler ZSCloud based on user and group assignments in Azure AD.
You might also want to enable SAML-based single sign-on for Zscaler ZSCloud. If you do, follow the instructions in the Zscaler ZSCloud single sign-on tutorial. Single sign-on can be configured independently of automatic user provisioning, but the two features complement each other.
When users and groups are provisioned or de-provisioned we recommend to periodically restart provisioning to ensure that group memberships are properly updated. Doing a restart will force our service to re-evaluate all the groups and update the memberships.
Sign in to the Azure portal and select Enterprise applications > All applications > Zscaler ZSCloud:
In the applications list, select Zscaler ZSCloud:
Select the Provisioning tab:
Set the Provisioning Mode to Automatic:
In the Admin Credentials section, enter the Tenant URL and Secret Token of your Zscaler ZSCloud account, as described in the next step.
To get the Tenant URL and Secret Token, go to Administration > Authentication Settings in the Zscaler ZSCloud portal and select SAML under Authentication Type:
Select Configure SAML to open the Configure SAML window:
Select Enable SCIM-Based Provisioning and copy the Base URL and Bearer Token, and then save the settings. In the Azure portal, paste the Base URL into the Tenant URL box and the Bearer Token into the Secret Token box.
After you enter the values in the Tenant URL and Secret Token boxes, select Test Connection to make sure Azure AD can connect to Zscaler ZSCloud. If the connection fails, make sure your Zscaler ZSCloud account has admin permissions and try again.
In the Notification Email box, enter the email address of a person or group that should receive the provisioning error notifications. Select Send an email notification when a failure occurs:
In the Mappings section, select Synchronize Azure Active Directory Users to ZscalerZSCloud:
Review the user attributes that are synchronized from Azure AD to Zscaler ZSCloud in the Attribute Mappings section. The attributes selected as Matching properties are used to match the user accounts in Zscaler ZSCloud for update operations. Select Save to commit any changes.
In the Mappings section, select Synchronize Azure Active Directory Groups to ZscalerZSCloud:
Review the group attributes that are synchronized from Azure AD to Zscaler ZSCloud in the Attribute Mappings section. The attributes selected as Matching properties are used to match the groups in Zscaler ZSCloud for update operations. Select Save to commit any changes.
To configure scoping filters, refer to the instructions in the Scoping filter tutorial.
To enable the Azure AD provisioning service for Zscaler ZSCloud, change the Provisioning Status to On in the Settings section:
Define the users and/or groups that you want to provision to Zscaler ZSCloud by choosing the values you want under Scope in the Settings section:
When you're ready to provision, select Save:
This operation starts the initial synchronization of all users and groups defined under Scope in the Settings section. The initial sync takes longer than subsequent syncs, which occur about every 40 minutes, as long as the Azure AD provisioning service is running. You can monitor progress in the Synchronization Details section. You can also follow links to a provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Zscaler ZSCloud.
For information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.
- Managing user account provisioning for enterprise apps
- What is application access and single sign-on with Azure Active Directory?