SAML issue with Azure AD and ZPA

when we use SAML attribute “group” from Azure AD to configure a access policy we run into an issue. The policy works only when we use group ID in the policy instead of group name.

Any idea

1 Like

We also Using this feature in our environment but here it is working. Do you have an Hybrid environment with ADFS onPrem or do you using Azure Enterprise Application to provision Users and Groups via SCIM provisioning? How does the SAML Attribute looks like on your site? On our Site the attributes are looking like this ones:

you can see this SAML Attributes via “Administration -> SAML-Attributes”


and the correct one for using groups in Access Policies is:

If you are using SCIM do you have provisioned the group via AzureAD to Zscaler?

One other thing i know if you are using SCIM you have to enable Groups Mappings in the Azure AD Enterprise Application:


And you have to add a new “User Attributes & Claims” object to choose that in the Mappings above: (this is an example for an onPrem Group that is synced via AzureAD Connect Service)

Hi Maximilian,
thanks for your feedback. The schemas looks correct. I add a new one with the role to that and change the policy like this
But it stil works only with the groups ID
I forward your mail to my AD expert and let him check the Azrue AD configuration.

1 Like


if you have a look on the „IDP Configuration“ Click Import for the relevant Domain and login with a user do you see the groupnames in the generated JSON file under one of the claims? If not the SAML claims aren‘t configured correctly.


In my case you can see the ADFS role / OnPrem Group “Alle”

yes, have same setting on Azure AD as you show. But the import doesn’t show the schema “role”

Yes of course this you have to manually add as you can see in the steps before. You have to add your own schema with role as Name in user attributes and claims!

something looks strange. AS you see the schema role is listed but shows now group ID for role

Let ask our AD guys talk to MS support…

Can you send some screenshots from the claim configuration in Azure?

need to ask our AD team for it…

1 Like

Rainer, be default AAD sends group IDs instead of group names. AAD provides 2 options to send group strings instead of IDs- 1) Use AAD connect if AAD is syncing from on premises AD 2) Using Roles for Group Mapping.

Details on both of these options are under Using Roles for Group Mapping -

1 Like

Hi Kunal, hi Maximilian,
thanks for your time to help fixing the issue. Meannwhile MS support come back that our issue “could” related that we using older conenctor version… Connector will upgrade next week. Let you know if this fix our issue…

1 Like

Hi Max,

I’m not AAD expert. How can i create role? What source attribute should i put? I’m not using SCIM or AD Connect.


MS was able to solve the problem. They found that the rules created on our Azure Ad Connect server had a situation where the AccountName attribute was not being created for the group.

To fix this we needed to edit the rule XXXIn from AD - Group Common , and add a transformation

Then SAML attribute “group” in policy shows group name