AD group reflection in Zscaler admin portal

Hello Techies, could someone tell me how long it takes for an AD group to be reflected in the admin portal (User management/groups section; NOT in the Zscaler Client Connector portal to import in app profiles)?

Hello Shreya,

The provisioning interval is by default configured to a fixed value of every 40 minutes for Azure AD Enterprise Apps. So that's also the time frame in which all changes should be reflected in the Admin portal (assuming you are using SAML IDP and sync is working correctly).

BR
Manuel

2 Likes

Hi Shreya,

It depends on how you’re synchronising. If you’re doing SCIM, then it’s 40 minutes from AzureAD, more frequently from OKTA, and configurable from (say) Ping. If you’re doing LDAP, then the synchronisation is every 24 hours.
However - if you’re doing SAML Autoprovisioning, then each time a user authenticates their group attributes are updated. This also pushes to mobile admin at the same time.

Mark

2 Likes

Hello Mark
Thanks for the details.
Till now, the AD group has not been reflected; it's been more than 12 hrs. We use SAML as an authentication. Do you mean I need to log out the user from ZCC and re-login so that he can be re-authenticated and groups will be reflected?

If you’re using SAML autoprovisioning for Zscaler to consume the users’ groups, then this only happens during authentication.
Logging out of ZCC and re-login would update the groups - but obviously this isn’t ideal. SCIM can update the groups “out of band”, but isn’t available on all SAML IDPs.
What you can do is perform an IDP Initiated SSO - so the user browses to the SAML IDP and performs the authentication round in their web browser - this then updates the group membership. You would need to make some changes on the IDP to support this.
This video, "Zscaler Internet Access - IDP Initiated SSO" (YouTube), walks through how to configure ADFS for IDP Initiated SSO, and how to link users in their block page to update groups. You could also trigger the link when the user accesses their homepage.

2 Likes

Thanks again… I tried via IDP (ADFS link), but it's giving some typical error to contact admin. Will check with AD team!