Bypassing MFA for Azure AD SSO

Hello!

I’ve set up Zscaler completely, following every guide known to man. It works. No problems. Users can log in successfully, use it and keep it on. Our test group has been using it for about a month and a half now successfully. It’s all set up.

For our mass deployment, I want to remotely install it and have SSO not trigger a Microsoft MFA text. I’d like to skip MFA when someone signs in via the Zscaler Client Connector. This way I can deploy it and no one’s work will be interrupted. I’ve not found a lick of information in Zscaler’s documentation or the Windows Zscaler documentation. There has to be a way; I doubt everyone who uses Client Connector doesn’t use MFA.

Please help, I’m losing my mind.

Hi @BigSaveDave.

This will depend on the capability of the IdP you are using. Assuming you are using Azure AD, Conditional Access and Intune, you should be able to package up the app and configure Azure to not require MFA when people are connecting from the Zscaler service.

MS renames and moves things around in their UI a lot, so writing docs on this when one is not MS can sometimes be a challenge.

This demo may help (though it’s focussed on the outcome, not the config) → Z App deployment with Microsoft Intune

And this writeup from @NathC may help too → [Guide] Deploy Zscaler Client Connector with Intune (Windows & macOS)

Cheers,
Scott-

To add to Scott’s reply. We have successfully deployed ZCC silently to our users via Intune, GPO, as well as locally for some users.

Our devices are either Azure AD joined or Hybrid AD joined so they have a Primary Refresh Token. No users needed to reauthenticate.

The only thing I’d be mindful of is when ZCC starts up, it causes a brief disconnection which will disrupt Teams meetings and other LOB apps that require a constant connection.

Add the Zscaler IPs to the known list in your Azure access control (Conditional Access) policy, if your IdP traffic is also going via Zscaler. MFA will not be prompted for known IPs.

Look for the SIPA (Source IP Anchoring) option and forward only the MS login URLs to a ZPA App Connector, which can be deployed behind your corporate network or in Azure itself.
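The two replies above describe one configuration: a trusted named location holding the Zscaler egress IPs, and a Conditional Access policy that requires MFA everywhere except from that location. The script below is an added example using the Microsoft Graph PowerShell SDK, not code from the thread or from Zscaler; the CIDR ranges, display names and the report-only state are placeholders and assumptions, and the real egress ranges must come from your Zscaler tenant (and, with SIPA, from the App Connector's egress address).

```powershell
# Requires the Microsoft.Graph module; Connect-MgGraph prompts for an admin sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. Trusted named location for the Zscaler egress IPs.
#    PLACEHOLDER ranges (RFC 5737 documentation space); replace with your tenant's
#    actual Zscaler / ZPA App Connector egress addresses.
$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Zscaler egress (ZCC)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" },
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }
    )
}
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location

# 2. Policy: require MFA for all users and apps, except sign-ins that arrive
#    from the trusted location above. Created in report-only mode so the
#    sign-in logs show which users would have been exempted before enforcing.
$policy = @{
    displayName = "Require MFA except from Zscaler egress"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @() }   # add break-glass accounts here
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($loc.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Readback so the location id and policy state can be recorded in change control.
"Named location $($loc.DisplayName) id=$($loc.Id) trusted=$($loc.AdditionalProperties.isTrusted)"
"Policy $($ca.DisplayName) id=$($ca.Id) state=$($ca.State)"
```

Only sign-ins whose source IP is in the named location are exempted, so the exemption is only as narrow as the ranges you list; without SIPA forwarding the login URLs through Zscaler, the IdP sees the user's direct egress IP and the policy will still prompt.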